pfSense

I tried with the latest build:
2.1-BETA1 (amd64)
built on Wed Jan 30 04:52:20 EST 2013

The bug is still present with the same behavior.

You have to try a today snapshot or 31st one because that one does not have the patches applied.

Unfortunately there's no change with today's snapshot.

2.1-BETA1 (amd64)
built on Sat Feb 2 21:38:38 EST 2013
FreeBSD 8.3-RELEASE-p5

Can you show me what kind of rules you ahve configured on your OPT WAN?
Also the contents of /tmp/rules.debug and pfctl -vvsr would be useful.

I have sent you the requested information.

With the latest build there is no change:
2.1-BETA1 (amd64)
built on Mon May 6 16:54:02 EDT 2013

You see the same mismatched sequence number or you see traffic goign out of WAN rather than WAN2?

I know there are still some issues there due to some problem i am figuring to solve but in most situations it should work correctly.

I see the same mismatched sequence number going out of WAN2. I have not checked for any traffic going out of WAN1, but will check tonight.

There is no FTP traffic going out of WAN1.

Could it be that those recent fixes broke passive FTP in some setups? Mine does not work anymore, details are here:
http://forum.pfsense.org/index.php/topic,62237.msg336445.html#msg336445

I did a more in-depth analysis with tcpdumps (LAN/WAN) here:
http://forum.pfsense.org/index.php/topic,62237.msg342024.html#msg342024
It seems to me the source port for the DATA connection is changed on passive FTP connections but the state table does not know about the new source port.

Can you try with tomorrows snapshots.

Please, revert these patches ASAP. They hard crash the box with FTP! http://forum.pfsense.org/index.php/topic,64144.0.html

@
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x70
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc04c96c1
stack pointer = 0x28:0xe31e6c20
frame pointer = 0x28:0xe31e6c2c
code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 7 (pfpurge)
trap number = 12
panic: page fault
cpuid = 0
Uptime: 1d1h13m36s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort

@

The problem is still there, but now I have noticed an additional behavior. I have taken the liberty to email you some packet captures.

Attempt #1 is the new behavior (TCP ACKed unseen segment).
Attempt #2 is the normal behavior up until now.

I've also run into this problem. I didn't want it to get so buried in the pile that it never got looked at again.