Bug #467
Unable to use active FTP via second gateway
Status: closed
Description
Hi,
I already spoke of this on the forum but I got no response then I found this way of reporting the problem.
I have a dual WAN setup, basically in load balance. I have created two extra groups so that particular hosts use particular gateways as default:
A host which is using 'ZIGGOFailsToADSL' will use the OPT_1 gateway when it is up. This works: the PORT command is received, and even the connect from ftp_host:20 => internal_host:xxxxx works; I see the packets arriving at my internal_host. The SYN/ACK from the internal_host, however, is sent via the default gateway!
captured on vr2
194.109.21.26.20 > 83.85.124.128.36064: Flags [S], seq 2247605301, win 57344, options [mss 1460,nop,wscale 0,nop,nop,TS val 621287970 ecr 0], length 0
captured on vr1
83.85.124.128.36064 > 194.109.21.26.20: Flags [S.], seq 1207193984, ack 2247605302, win 5792, options [mss 1460,nop,nop,TS val 65828173 ecr 621287670,nop,wscale 6], length 0
Note that the packet is sent to vr1 with SNAT to the public IP of vr2 (83.85.124.128).
vr2 is connected to a cable modem using DHCP, last upgrade: pfSense-2.0-BETA1-1g-20100329-2138-nanobsd-upgrade, ALIX board
Updated by Ermal Luçi over 14 years ago
- Status changed from New to Feedback
Can you please try latest snapshots and report back if the same situation persists?
There have been fixes merged which impact this too.
Updated by Chris Buechler over 14 years ago
- Status changed from Feedback to Resolved
Updated by Scott Ullrich over 14 years ago
- Status changed from Resolved to Feedback
Setting back to Feedback. Jonathan will hopefully be posting some captures explaining what his current issue is similar to this ticket.
Updated by Ermal Luçi over 14 years ago
There is not enough information here to do a proper analysis of what is happening.
Updated by Danny Bogaards over 14 years ago
Ermal Luçi wrote:
Can you please try latest snapshots and report back if the same situation persists?
There have been fixes merged which impact this too.
Sorry, I was due to go on holiday and I could not risk upgrading my pfsense box at short notice. Do you want me to test the latest snapshot, or do you need more info for this problem?
Updated by Danny Bogaards over 14 years ago
Ermal Luçi wrote:
more information would be better.
Ok, I can try to describe it again.
vr1: adsl
vr2: cable
Internal host (orac, 192.168.56.52) is set up to use vr2 when the gateway is up. This works perfectly. The connect to port 21 of the FTP-server is sent through vr2 as it should be.
tcpdump -i vr2 -n 'host 217.170.25.130'
17:46:57.028893 IP 83.85.124.128.13996 > 217.170.25.130.21: Flags [S], seq 3784377040, win 5840, options [mss 1460,sackOK,TS val 624639051 ecr 0,nop,wscale 6], length 0
17:46:57.037279 IP 217.170.25.130.21 > 83.85.124.128.13996: Flags [S.], seq 3160253323, ack 3784377041, win 5792, options [mss 1460,sackOK,TS val 45713968 ecr 624639051,nop,wscale 6], length 0
Only login and logout are ok.
Now I do an LS command:
tcpdump -i vr2 -n 'host 217.170.25.130'
The PORT command using the correct masqueraded external IP of vr2: PORT 83,85,124,128,235,96 (port 60256)
17:50:14.307743 IP 83.85.124.128.35247 > 217.170.25.130.21: Flags [P.], ack 1814698751, win 92, options [nop,nop,TS val 624688376 ecr 45761567], length 27
The '200 PORT command successful' reply from the FTP server
17:50:14.319144 IP 217.170.25.130.21 > 83.85.124.128.35247: Flags [P.], ack 27, win 91, options [nop,nop,TS val 45763296 ecr 624688376], length 51
The 'LIST' command to the server
17:50:14.319574 IP 83.85.124.128.35247 > 217.170.25.130.21: Flags [P.], ack 52, win 92, options [nop,nop,TS val 624688379 ecr 45763296], length 6
The server now opens the requested port, packet below is recorded incoming on vr2:
17:50:14.330155 IP 217.170.25.130.20 > 83.85.124.128.60256: Flags [S], seq 1960562086, win 5840, options [mss 1460,sackOK,TS val 45763299 ecr 0,nop,wscale 6], length 0
repeated....
17:50:59.321200 IP 217.170.25.130.20 > 83.85.124.128.60256: Flags [S], seq 1960562086, win 5840, options [mss 1460,sackOK,TS val 45774549 ecr 0,nop,wscale 6], length 0
Until Timeout reply from server:
17:56:14.271457 IP 217.170.25.130.21 > 83.85.124.128.35247: Flags [P.], ack 33, win 91, options [nop,nop,TS val 45853299 ecr 624703391], length 14
When I listen on vr1 at the same time, I see the reply to the SYN from FTP-server:20 -> 83.85.124.128 leave pfsense via vr1!!!
capture vr2:
18:03:40.241015 IP 217.170.25.130.20 > 83.85.124.128.46594: Flags [S], seq 1711451016, win 5840, options [mss 1460,sackOK,TS val 45964804 ecr 0,nop,wscale 6], length 0
capture vr1:
18:03:40.241328 IP 83.85.124.128.46594 > 217.170.25.130.20: Flags [S.], seq 2330896980, ack 1711451017, win 5792, options [mss 1460,sackOK,TS val 624889879 ecr 45964804,nop,wscale 6], length 0
So the answer to a packet coming in via vr2 is sent out via vr1.
If you want I can give you access to whatever you want.
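The pattern this comment describes (a SYN arriving on one WAN interface, its SYN/ACK leaving on another) can be pulled out of merged tcpdump captures automatically. The script below is an added example for this ticket, not code from the reporter or from pfSense. It assumes the operator has prefixed each capture line with the interface it was taken on (e.g. "vr2 "), since tcpdump -i prints no interface name itself; the sample lines are constructed from the values quoted above, and the PORT decoder checks the "PORT 83,85,124,128,235,96 (port 60256)" reading in the comment.

```python
"""Find asymmetric SYN / SYN-ACK pairs in interface-labelled tcpdump output.

Added example, not part of the ticket or of pfSense. Assumption: every line
starts with the capture interface (e.g. "vr2 ") followed by the usual
``tcpdump -n`` TCP summary; the label is added by whoever merges the captures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)

# Interface label, timestamp, then the standard tcpdump -n TCP summary prefix.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>[\d:.]+)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)
PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    iface: str
    ts: str
    flow: Flow
    flags: str


def decode_port_command(text: str) -> Optional[Tuple[str, int]]:
    """Decode an FTP PORT argument (h1,h2,h3,h4,p1,p2) into (ip, port)."""
    m = PORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_line(line: str) -> Optional[Packet]:
    """Return the fields of one labelled tcpdump line, or None if it is not a TCP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return Packet(d["iface"], d["ts"],
                  (d["src"], int(d["sport"]), d["dst"], int(d["dport"])),
                  d["flags"])


def find_asymmetric_replies(lines: List[str]) -> List[Dict[str, object]]:
    """Pair each SYN with its SYN/ACK and report pairs seen on different interfaces.

    A SYN captured on interface A whose SYN/ACK is captured on interface B is
    exactly the symptom in the ticket: the reply is not routed back out the
    interface the connection came in on.
    """
    syn_iface: Dict[Flow, str] = {}
    synack_iface: Dict[Flow, str] = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p.flags == "S":
            syn_iface.setdefault(p.flow, p.iface)
        elif p.flags == "S.":
            src, sport, dst, dport = p.flow
            # Key the reply by the direction of the SYN it answers.
            synack_iface.setdefault((dst, dport, src, sport), p.iface)
    findings: List[Dict[str, object]] = []
    for flow, in_if in syn_iface.items():
        out_if = synack_iface.get(flow)
        if out_if is not None and out_if != in_if:
            findings.append({"flow": flow, "syn_iface": in_if, "synack_iface": out_if})
    return findings


# Constructed sample, modelled on the ticket's captures: the control connection
# is symmetric on vr2, while the active-FTP data connection arrives on vr2 but
# is answered on vr1. Interface labels added by hand.
SAMPLE_LINES = [
    "vr2 17:46:57.028893 IP 83.85.124.128.13996 > 217.170.25.130.21: Flags [S], seq 3784377040, win 5840, length 0",
    "vr2 17:46:57.037279 IP 217.170.25.130.21 > 83.85.124.128.13996: Flags [S.], seq 3160253323, ack 3784377041, win 5792, length 0",
    "vr2 17:50:14.330155 IP 217.170.25.130.20 > 83.85.124.128.60256: Flags [S], seq 1960562086, win 5840, length 0",
    "vr1 17:50:14.330400 IP 83.85.124.128.60256 > 217.170.25.130.20: Flags [S.], seq 2330896980, ack 1960562087, win 5792, length 0",
]

if __name__ == "__main__":
    print("PORT decodes to:", decode_port_command("PORT 83,85,124,128,235,96"))
    for f in find_asymmetric_replies(SAMPLE_LINES):
        src, sport, dst, dport = f["flow"]
        print(f"{src}:{sport} -> {dst}:{dport}: SYN on {f['syn_iface']}, "
              f"SYN/ACK on {f['synack_iface']}")
```

Run against the ticket's own captures (after labelling each line with its interface), only the data connection to port 60256 should be reported; the control connection on port 21 stays on vr2 and is silent.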
Updated by Danny Bogaards over 14 years ago
I am pleased to report I have upgraded my pfsense box to the latest snapshot "2.0-BETA4 built on Fri Aug 6 18:22:00 EDT 2010" and the issue has been resolved. Now all FTP actions work great via both gateways.
Thanks!