Bug #467

Unable to use active FTP via second gateway

Added by Danny Bogaards about 9 years ago. Updated almost 9 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
Multi-WAN
Target version:
Start date:
04/01/2010
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

Hi,

I already spoke of this on the forum but got no response; then I found this way of reporting the problem.

I have a dual WAN setup, basically in load balance. I have created two extra groups so that particular hosts use particular gateways as default:

A host which is using 'ZIGGOFailsToADSL' will use the OPT_1 gateway when up. This works, the PORT command is received and even the connect from ftp_host:20 => internal_host:xxxxx works, I see the packets arriving at my internal_host. The Syn/Ack from the internal_host however is sent via the default gateway!

captured on vr2
194.109.21.26.20 > 83.85.124.128.36064: Flags [S], seq 2247605301, win 57344, options [mss 1460,nop,wscale 0,nop,nop,TS val 621287970 ecr 0], length 0

captured on vr1
83.85.124.128.36064 > 194.109.21.26.20: Flags [S.], seq 1207193984, ack 2247605302, win 5792, options [mss 1460,nop,nop,TS val 65828173 ecr 621287670,nop,wscale 6], length 0

Note that the packet is sent to vr1 with SNAT to the public IP of vr2 (83.85.124.128)

vr2 is connected to a cable modem using DHCP, last upgrade: pfSense-2.0-BETA1-1g-20100329-2138-nanobsd-upgrade, ALIX board

History

#1 Updated by Ermal Luçi about 9 years ago

  • Status changed from New to Feedback

Can you please try latest snapshots and report back if the same situation persists?

There have been fixes merged which impact this too.

#2 Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to Resolved

#3 Updated by Scott Ullrich almost 9 years ago

  • Status changed from Resolved to Feedback

Setting back to Feedback. Jonathan will hopefully be posting some captures explaining how his current issue is similar to this ticket.

#4 Updated by Ermal Luçi almost 9 years ago

There is not enough information here to do a proper analysis of what is happening.

#5 Updated by Danny Bogaards almost 9 years ago

Ermal Luçi wrote:

Can you please try latest snapshots and report back if the same situation persists?

There have been fixes merged which impact this too.

Sorry, I was due to go on a holiday and I could not risk upgrading my pfSense box at short notice. Do you want me to test the latest snapshot or do you need more info for this problem?

#6 Updated by Ermal Luçi almost 9 years ago

More information would be better.

#7 Updated by Danny Bogaards almost 9 years ago

Ermal Luçi wrote:

More information would be better.

Ok, I can try to describe it again.

vr1: adsl
vr2: cable

Internal host (orac, 192.168.56.52) is set up to use vr2 when the gateway is up. This works perfectly. The connect to port 21 of the FTP server is sent through vr2 as it should be.

tcpdump -i vr2 -n 'host 217.170.25.130'
17:46:57.028893 IP 83.85.124.128.13996 > 217.170.25.130.21: Flags [S], seq 3784377040, win 5840, options [mss 1460,sackOK,TS val 624639051 ecr 0,nop,wscale 6], length 0
17:46:57.037279 IP 217.170.25.130.21 > 83.85.124.128.13996: Flags [S.], seq 3160253323, ack 3784377041, win 5792, options [mss 1460,sackOK,TS val 45713968 ecr 624639051,nop,wscale 6], length 0

Only login and logout are ok.

Now I do a LS command:

tcpdump -i vr2 -n 'host 217.170.25.130'
The PORT command using the correct masqueraded external IP of vr2: PORT 83,85,124,128,235,96 (port 60256)
17:50:14.307743 IP 83.85.124.128.35247 > 217.170.25.130.21: Flags [P.], ack 1814698751, win 92, options [nop,nop,TS val 624688376 ecr 45761567], length 27

The '200 PORT command successful' reply from the FTP server
17:50:14.319144 IP 217.170.25.130.21 > 83.85.124.128.35247: Flags [P.], ack 27, win 91, options [nop,nop,TS val 45763296 ecr 624688376], length 51

The 'LIST' command to the server
17:50:14.319574 IP 83.85.124.128.35247 > 217.170.25.130.21: Flags [P.], ack 52, win 92, options [nop,nop,TS val 624688379 ecr 45763296], length 6

The server now opens the requested port, packet below is recorded incoming on vr2:
17:50:14.330155 IP 217.170.25.130.20 > 83.85.124.128.60256: Flags [S], seq 1960562086, win 5840, options [mss 1460,sackOK,TS val 45763299 ecr 0,nop,wscale 6], length 0
repeated....
17:50:59.321200 IP 217.170.25.130.20 > 83.85.124.128.60256: Flags [S], seq 1960562086, win 5840, options [mss 1460,sackOK,TS val 45774549 ecr 0,nop,wscale 6], length 0

Until Timeout reply from server:
17:56:14.271457 IP 217.170.25.130.21 > 83.85.124.128.35247: Flags [P.], ack 33, win 91, options [nop,nop,TS val 45853299 ecr 624703391], length 14

When I listen on vr1 at the same time, I see the reply to the SYN from FTP-server:20 -> 83.85.124.128 leave pfSense via vr1 !!!

capture vr2:
18:03:40.241015 IP 217.170.25.130.20 > 83.85.124.128.46594: Flags [S], seq 1711451016, win 5840, options [mss 1460,sackOK,TS val 45964804 ecr 0,nop,wscale 6], length 0

capture vr1:
18:03:40.241328 IP 83.85.124.128.46594 > 217.170.25.130.20: Flags [S.], seq 2330896980, ack 1711451017, win 5792, options [mss 1460,sackOK,TS val 624889879 ecr 45964804,nop,wscale 6], length 0

So the answer to a packet coming in via vr2 is sent out via vr1.

If you want I can give you access to whatever you want.
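
As an added example (not part of the ticket or of pfSense itself), a small Python script that parses tcpdump lines like the ones above, pairs each SYN-ACK with the SYN it answers, and reports any reply that left on a different interface than its SYN arrived on, which is exactly the asymmetric routing this ticket describes. The sample capture lines are constructed from the vr1/vr2 captures in comment #7 (TCP options trimmed); the PORT decoder reproduces the 83,85,124,128,235,96 => port 60256 calculation.

```python
import re

# Fields of a "tcpdump -n" line; the timestamp and "IP" prefix are optional
# because the earlier captures in this ticket omit them.
LINE_RE = re.compile(
    r'^(?:\S+ )?(?:IP )?(?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)

def parse_line(line):
    """Return (src, sport, dst, dport, flags) for one tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m['src'], int(m['sport']), m['dst'], int(m['dport']), m['flags'])

def port_command_target(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(','))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def find_asymmetric_replies(captures):
    """captures maps interface name -> list of tcpdump lines seen on it.
    Returns [(flow, syn_iface, synack_iface)] for every SYN-ACK that left on a
    different interface than the one its SYN arrived on."""
    syn_iface = {}   # (client, cport, server, sport) -> interface the SYN was seen on
    for iface, lines in captures.items():
        for p in filter(None, map(parse_line, lines)):
            if p[4] == 'S':
                syn_iface[p[:4]] = iface
    mismatches = []
    for iface, lines in captures.items():
        for p in filter(None, map(parse_line, lines)):
            if p[4] == 'S.':
                flow = (p[2], p[3], p[0], p[1])   # reverse the tuple to match the SYN
                if flow in syn_iface and syn_iface[flow] != iface:
                    mismatches.append((flow, syn_iface[flow], iface))
    return mismatches

# Constructed sample based on the captures in comment #7: the control connection
# (port 21) is symmetric on vr2, the data connection (port 20) is answered on vr1.
SAMPLE = {
    "vr2": ["17:46:57.028893 IP 83.85.124.128.13996 > 217.170.25.130.21: Flags [S], seq 3784377040, win 5840, length 0",
            "17:46:57.037279 IP 217.170.25.130.21 > 83.85.124.128.13996: Flags [S.], seq 3160253323, ack 3784377041, win 5792, length 0",
            "18:03:40.241015 IP 217.170.25.130.20 > 83.85.124.128.46594: Flags [S], seq 1711451016, win 5840, length 0"],
    "vr1": ["18:03:40.241328 IP 83.85.124.128.46594 > 217.170.25.130.20: Flags [S.], seq 2330896980, ack 1711451017, win 5792, length 0"],
}

if __name__ == "__main__":
    print(port_command_target("83,85,124,128,235,96"))
    for flow, came_in, went_out in find_asymmetric_replies(SAMPLE):
        print(f"asymmetric reply for {flow}: SYN on {came_in}, SYN-ACK on {went_out}")
```

Feed it one `tcpdump -n` capture per WAN interface; only the data connection (server port 20) is reported, since the control connection is answered on the interface it arrived on.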

#8 Updated by Danny Bogaards almost 9 years ago

I am pleased to report I have upgraded my pfSense box to the latest snapshot "2.0-BETA4 built on Fri Aug 6 18:22:00 EDT 2010" and the issue has been resolved. Now all FTP actions work great via both gateways.

Thanks!

#9 Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to Resolved

Same here.
