Bug #467: Unable to use active FTP via second gateway - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #467

closed

Unable to use active FTP via second gateway

Added by Danny Bogaards over 14 years ago. Updated over 14 years ago.

Status:

Resolved

Priority:

High

Assignee:

Category:

Multi-WAN

Target version:

2.0

Start date:

04/01/2010

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.0

Affected Architecture:

Description

Hi,

I already spoke of this on the forum but I got no response then I found this way of reporting the problem.

I have a dual WAN setup, basically in load balance. I have created two extra group so that particular hosts use particular gateways as default:

A host which is using 'ZIGGOFailsToADSL' will use OPT_1 gateway when up. This works, the PORT command is received even the connect from ftp_host:20 => internal_host:xxxxx works, I see the packets arriving at my internal_host. The Sync/Ack from the internal_host however is send via the default gateway!

captured on vr2
194.109.21.26.20 > 83.85.124.128.36064: Flags [S], seq 2247605301, win 57344, options [mss 1460,nop,wscale 0,nop,nop,TS val 621287970 ecr 0], length 0

captured on vr1
83.85.124.128.36064 > 194.109.21.26.20: Flags [S.], seq 1207193984, ack 2247605302, win 5792, options [mss 1460,nop,nop,TS val 65828173 ecr 621287670,nop,wscale 6], length 0

Note that the packet is send to vr1 with SNAT to the public IP of vr2 (83.85.124.128)

vr2 is connected to a cable modem using DHCP, last upgrade: pfSense-2.0-BETA1-1g-20100329-2138-nanobsd-upgrade, ALIX board

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Ermal Luçi over 14 years ago

Status changed from New to Feedback

Can you please try latest snapshots and report back if the same situation persists?

There have been fixes merged which impact this too.

Actions

Copy link

Updated by Chris Buechler over 14 years ago

Status changed from Feedback to Resolved

Actions

Copy link

Updated by Scott Ullrich over 14 years ago

Status changed from Resolved to Feedback

Setting back to Feedback. Jonathan will hopefully be posting some captures explaining what his current issue is similar to this ticket.

Actions

Copy link

Updated by Ermal Luçi over 14 years ago

Here is not enough information to do a proper analysis on what is happening.

Actions

Copy link

Updated by Danny Bogaards over 14 years ago

Ermal Luçi wrote:

Can you please try latest snapshots and report back if the same situation persists?

There have been fixes merged which impact this too.

Sorry, I was due to go on a holiday and I could not risk upgrading my box pfsense box at short notice. Do you want me to test the latest snapshot or do you need more info for this problem?

Actions

Copy link

Updated by Ermal Luçi over 14 years ago

more information would be better.

Actions

Copy link

Updated by Danny Bogaards over 14 years ago

Ermal Luçi wrote:

more information would be better.

Ok, I can try to describe it again.

vr1: adsl
vr2: cable

Internal host (orac, 192.168.56.52) is setup to use vr2 when gateway is up. This works perfectly. The connect to port 21 of the FTP-server is send through vr2 as it should be.

tcpdump -i vr2 -n 'host 217.170.25.130'
17:46:57.028893 IP 83.85.124.128.13996 > 217.170.25.130.21: Flags [S], seq 3784377040, win 5840, options [mss 1460,sackOK,TS val 624639051 ecr 0,nop,wscale 6], length 0
17:46:57.037279 IP 217.170.25.130.21 > 83.85.124.128.13996: Flags [S.], seq 3160253323, ack 3784377041, win 5792, options [mss 1460,sackOK,TS val 45713968 ecr 624639051,nop,wscale 6], length 0

Only login and logout is ok.

Now I do a LS command:

tcpdump -i vr2 -n 'host 217.170.25.130'
The PORT command using the correct masqueraded external IP of vr2: PORT 83,85,124,128,235,96 (port 60256)
17:50:14.307743 IP 83.85.124.128.35247 > 217.170.25.130.21: Flags [P.], ack 1814698751, win 92, options [nop,nop,TS val 624688376 ecr 45761567], length 27

The '200 PORT command successful' reply from the FTP server
17:50:14.319144 IP 217.170.25.130.21 > 83.85.124.128.35247: Flags [P.], ack 27, win 91, options [nop,nop,TS val 45763296 ecr 624688376], length 51

The 'LIST' command to the server
17:50:14.319574 IP 83.85.124.128.35247 > 217.170.25.130.21: Flags [P.], ack 52, win 92, options [nop,nop,TS val 624688379 ecr 45763296], length 6

The server now opens the requested port, packet below is recorded incoming on vr2:
17:50:14.330155 IP 217.170.25.130.20 > 83.85.124.128.60256: Flags [S], seq 1960562086, win 5840, options [mss 1460,sackOK,TS val 45763299 ecr 0,nop,wscale 6], length 0
repeated....
17:50:59.321200 IP 217.170.25.130.20 > 83.85.124.128.60256: Flags [S], seq 1960562086, win 5840, options [mss 1460,sackOK,TS val 45774549 ecr 0,nop,wscale 6], length 0

Until Timeout reply from server:
17:56:14.271457 IP 217.170.25.130.21 > 83.85.124.128.35247: Flags [P.], ack 33, win 91, options [nop,nop,TS val 45853299 ecr 624703391], length 14

When I listen to vr1 at the same time, I see the reply of the SYN from FTP-server:20 -> 83.85.124.128 leave pfsense via vr1 !!!

capture vr2:
18:03:40.241015 IP 217.170.25.130.20 > 83.85.124.128.46594: Flags [S], seq 1711451016, win 5840, options [mss 1460,sackOK,TS val 45964804 ecr 0,nop,wscale 6], length 0

capture vr1:
18:03:40.241328 IP 83.85.124.128.46594 > 217.170.25.130.20: Flags [S.], seq 2330896980, ack 1711451017, win 5792, options [mss 1460,sackOK,TS val 624889879 ecr 45964804,nop,wscale 6], length 0

So the answer of a packet coming in via vr2 is send out via vr1.

If you want I can give you access to whatever you want.

Actions

Copy link

Updated by Danny Bogaards over 14 years ago

I am pleased to report I have upgraded my pfsense box to the latest snapshot "2.0-BETA4 built on Fri Aug 6 18:22:00 EDT 2010" and the issue has been resolved. Now all FTP actions work great via both gateways.

Thanks!

Actions

Copy link

Updated by Chris Buechler over 14 years ago

Status changed from Feedback to Resolved

same here

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #467

Unable to use active FTP via second gateway

Updated by Ermal Luçi over 14 years ago

Updated by Chris Buechler over 14 years ago

Updated by Scott Ullrich over 14 years ago

Updated by Ermal Luçi over 14 years ago

Updated by Danny Bogaards over 14 years ago

Updated by Ermal Luçi over 14 years ago

Updated by Danny Bogaards over 14 years ago

Updated by Danny Bogaards over 14 years ago

Updated by Chris Buechler over 14 years ago