Topic: [FTP Helper] 2 Issues with pfSense 1.2 RC3 (Read 12594 times)
pinoyboy (Jr. Member, Posts: 47)
[FTP Helper] 2 Issues with pfSense 1.2 RC3
« on: December 07, 2007, 09:49:59 pm »
It seems that there are two major issues with pfSense 1.2 RC3 that I have encountered and have read on here to be verifiable.
#1 - NAT reflection - whatever the feature is called or its function, having access to internal resources (out to the Internet and back in) - this should work period, all other firewalls do so not sure why not in pfSense.
#2 - FTP - FTP helper or not - why can't such a major piece of firewall like pfSense have to have difficult time in handling this? Again, other firewalls have this, but not pfSense.
Now, the developers can say go to another firewall or whatever but to me, you have a very nice product to NOT take care of these things. I prefer to use your product so I guess my question is, are these issues going to be addressed in the near term - as in when?
BTW, are these issues present in m0n0wall?
Also, this is just a friendly feedback! Thanks and still great product...
« Last Edit: December 19, 2007, 05:04:06 pm by sullrich »

GruensFroeschli (Global Moderator, Hero Member, Posts: 2381, Aperture Science)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #1 on: December 07, 2007, 10:55:39 pm »
.... you don't say what your problem is, only that you have issues.
Since these features work for almost everyone I assume you did something wrong.
We do what we must, because we can.

pinoyboy (Jr. Member, Posts: 47)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #2 on: December 07, 2007, 11:24:15 pm »
First, let me address FTP...look across these boards, FTP is an ISSUE. You are a so called "hero" member but you deny this (maybe not deny, but it's a user error mentality)? Look at the FTP workarounds in the docs, it says if it still does not work, change the firewall...HELLO I think that summarizes the fact that it does NOT work 100%. I've used SonicWall, IPCOP before, etc - they all worked. The GUI may be different, but the principles on how they work is still the same. Maybe you can use the search above and look up FTP issues - and you will see. Again, read the docs on FTP issues and workarounds by pfSense team. Just for grins, I opened up all ports - source and destination, did a scan on all of my ports being verified as open - enabled and disabled FTP helper on LAN and WAN and it STILL did not work - I plugged in a sonicwall 2040 and then an IPCOP - and THEY worked. Also, I have 80/443 open on the same server and THOSE work just fine too - - and I was using pfSense in this instance! So I obviously know how to NAT and create rules just fine there. Used this too - http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo&show_comments=1 and http://devwiki.pfsense.org/FTPTroubleShooting
What else do you think I overlooked here?
Second NAT reflection. I am trying to access our own web site internally that's accessible from the outside. On these boards, it was suggested to uncheck the NAT reflection feature so internally I can access them - that did not work. Also, per the board, there is an "ugly" hack pertaining to how this feature works. Another suggestion was to setup a split DNS to handle internal request - although of course that will work - why only this firewall that you have to do this in? To use a product means simplicity and ease of use - not use of "workarounds" - this even works on low end devices Linksys/Dlink etc. routers.
Look, I like the product, but what I've found are ON THESE boards to be verified by other users. Simply stating I do not know what I'm doing is not the answer. I went the boards and read all docs - so I definitely am not the isolated issue.
My only real question was, does m0n0wall have the same issue (I guess I'll have to find out), and when are the issues going to be fixed? Yes it is broken - if this was commercial software, the postings on these boards indicate a problem - do your own reading on NAT reflection and FTP helper - look at the issues on those terms alone.
As far as the issues I have had, I posted them and the responses or suggestions did not work. I am a user who actually reads these boards and tries out the many other suggestions - not just my postings. As you can see from my first paragraph how I concluded the FTP as an issue was from my own test using other firewalls and other services still works - obvious logical test procedures.
« Last Edit: December 07, 2007, 11:57:28 pm by pinoyboy »

GruensFroeschli (Global Moderator, Hero Member, Posts: 2381, Aperture Science)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #3 on: December 08, 2007, 06:34:41 am »
Quote from: pinoyboy on December 07, 2007, 11:24:15 pm
(maybe not deny, but its a user error mentality)
Of course I have a user error mentality.
90% of all errors here on this board are because someone misconfigured or followed a guide but didn't understand it and did something wrong.
Now let's try to find out why your FTP isn't working.
What exactly do you mean you opened all ports? Did you forward all ports? Only firewall rules aren't enough.
Also take into account that after creating the rules (depending on hardware) it can take up to a minute until the rules are in effect.
In what order did you create the NAT rules / enable the FTP helper?
Quote
Please note that you have to add the NAT mapping *AFTER* having enabled the FTP-helper. Because an additional rule will be created for it to work.
Which FTP server are you using? Which portrange for data do you use?
Btw: do you have "static port" under Advanced outbound NAT active?
To NAT-reflection: You cannot reflect portranges >500.
So if you have a transfer portrange for FTP bigger than 500 the reflect rule will not be installed.
Also I think I read somewhere that there are a maximum of 1000 reflects that can be active.
I read through the posts you already have on the board and I think you want NAT-reflection to work with 1:1 NAT on VIPs.
I'm not sure if this is possible.

cmb (Administrator, Hero Member, Posts: I am a geek!!)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #4 on: December 08, 2007, 12:51:47 pm »
Quote from: pinoyboy on December 07, 2007, 09:49:59 pm
#1 - NAT reflection - whatever the feature is called or its function, having access to internal resources (out to the Internet and back in) - this should work period, all other firewalls do so not sure why not in pfSense.
Really? You should tell that to Cisco and Microsoft, both sell $$$ firewall products that do not do NAT reflection. Ours works fine for < 500 ports. It may work for other circumstances in the future, but it's a nasty ugly hack no matter how it's implemented.
Quote from: pinoyboy on December 07, 2007, 09:49:59 pm
#2 - FTP - FTP helper or not
FTP works fine. The only known limitation is not being able to use anything but the primary WAN if you have a multi-WAN setup. That'll be fixed in a future version.
Quote from: pinoyboy on December 07, 2007, 09:49:59 pm
BTW, are these issues present in m0n0wall?
Yes, in the case of NAT reflection m0n0wall doesn't have it at all. FTP works fine on both, but some people with both love to gripe about how it doesn't work when they've misconfigured something.
Quote from: GruensFroeschli on December 08, 2007, 06:34:41 am
Of course I have a user error mentality
90% of all errors here on this board are because someone misconfigured
Bingo!
But just 90%? C'mon, GruensFroeschli you've been around long enough to know it's more like 99% of all posts.
pfSense Commercial Support
Paying customers receive support priority and as in depth of assistance as desired through the official commercial support channels at portal.pfsense.org. Forum users receive as much help as time permits.

purdue512 (Jr. Member, Posts: 26)
Re: FTP Issue with pfSense 1.0.1
« Reply #5 on: December 10, 2007, 01:15:59 pm »
I am currently having FTP failure as well. And I'd be happy to have it due to 'user-error' as that means there is an easy fix. I have found the documentation around this confusing...
FTP outbound was working under SmoothWall. FTP stopped working when we cut over to pfSense. pfSense was a little touchy on set-up, but everything else is working great now that we figured it out. The multiple WAN and High-availability features are what brought us to the software. Both are working as promised! Very exciting!
SETUP: 2 x pfSense 1.0.1 Multiple WAN setup (WAN / OPT1) on both with Virtual IPs / CARP failover for HA over dedicated OPT2. Outbound rule uses "Default" as gateway (which I understand to be WAN). Outbound WAN NATs to appropriate Virtual IP and port is *, Static Port = NO. Only open inbound ports are 80/443, which work great. We are not trying to host an FTP server, simply run our FTP scripts from inside LAN on clients. Would expect this to be simple enough.
BEHAVIOR: We get a successful log in from remote FTP servers over WAN, but directory browsing or file download hang and eventually timeout.
What in the world is "userland FTP-Proxy application"? In any case, I unchecked "Disable" (didn't work either way).
Any suggestions?

sullrich (Administrator, Hero Member, Posts: I am a geek!!)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #6 on: December 10, 2007, 01:42:11 pm »
Upgrade to 1.2-RC3, re-enable FTP helper.
Follow me on Twitter! http://twitter.com/sullrich
pfSense Commercial Support
Paying customers receive support priority and detailed answers through the official commercial support channels, forum users receive as much help as time permits.

purdue512 (Jr. Member, Posts: 26)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #7 on: December 10, 2007, 02:00:08 pm »
Appreciate the comment... But...
1) I don't see in the documentation where the FTP from LAN issue was addressed in 1.2 RC3, was it in an earlier release note that I missed?
2) Why would I want to go from a full release to a RC? Especially if the answer to #1 is not definite?
Thx

dotdash (Hero Member, Posts: 660)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #8 on: December 10, 2007, 02:02:57 pm »
Quote from: purdue512 on December 10, 2007, 01:15:59 pm
What in the world is "userland FTP-Proxy application"? In any case, I unchecked "Disable" (didn't work either way).
Here is a good treatment on what the ftp helper does and why it is needed:
http://home.nuug.no/~peter/pf/en/ftpproblem.html
AFAIK, pfSense is using pftpx, which is similar to the current OpenBSD ftp proxy.
Aside from a few weird configurations, I've always had success with simply enabling the helper on the LAN, disabling on the WAN, and in the case of multi-WAN, adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules.
Oh, and it's been posted many times elsewhere that the newer 1.2 RC releases are more stable and bug-free than the 1.0.1 release.
Logged
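What an FTP helper has to deal with on the control channel, as an added illustration that is not part of the thread and is not pfSense or pftpx code: the data endpoint travels as text inside PORT commands and 227 replies, so a LAN client behind NAT advertises an address the remote server cannot reach, which is why FTP through NAT can log in and then stall on the data transfer. All control-channel lines and addresses below are constructed samples.

```python
import ipaddress
import re
# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 as decimal bytes.
_HOSTPORT = re.compile(r"(?<!\d)" + r",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def needs_rewrite(line):
    """True if the advertised data endpoint is an RFC 1918 address, which a
    peer on the far side of the NAT cannot connect to."""
    parsed = parse_hostport(line)
    return parsed is not None and any(parsed[0] in net for net in _RFC1918)

def rewrite_port(line, public_ip, public_port):
    """Rebuild a PORT command around the translated endpoint, as a
    control-channel proxy must before relaying it to the server."""
    if not line.upper().startswith("PORT") or parse_hostport(line) is None:
        raise ValueError("not a well-formed PORT command")
    octets = str(ipaddress.IPv4Address(public_ip)).replace(".", ",")
    return "PORT %s,%d,%d\r\n" % (octets, public_port // 256, public_port % 256)

# Constructed control-channel lines; addresses are sample values.
SAMPLE = [
    "USER demo\r\n",
    "PORT 192,168,1,50,195,80\r\n",  # active mode from a LAN client
    "227 Entering Passive Mode (203,0,113,10,19,137)\r\n",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(repr(text), parse_hostport(text), needs_rewrite(text))
    print(repr(rewrite_port(SAMPLE[1], "198.51.100.7", 50000)))
```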

heiko (Hero Member, Posts: 574, Get a load of that!)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #9 on: December 10, 2007, 02:18:56 pm »
And also, if you enabled the FTP helper on the LAN interface, take a look at the firewall logs, so you will see what happened.

sullrich (Administrator, Hero Member, Posts: I am a geek!!)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #10 on: December 10, 2007, 02:19:48 pm »
Because 1.2-RC3 has no known bugs. 1.0.1 has many known bugs.

purdue512 (Jr. Member, Posts: 26)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #11 on: December 10, 2007, 02:28:28 pm »
Okay.. Thanks. I'll give this a try.
In a HA / CARP situation, can I run the upgrade on the BACKUP box and then test, switch to MASTER and repeat? Or will that mess something up because the two will be on different versions for a short while?
In other words, is down-time required for this upgrade?
Thx

sullrich (Administrator, Hero Member, Posts: I am a geek!!)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #12 on: December 10, 2007, 02:53:43 pm »
Upgrade the secondary and verify that it looks okay and then upgrade the primary.

purdue512 (Jr. Member, Posts: 26)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #13 on: December 10, 2007, 07:30:33 pm »
Quote from: sullrich on December 10, 2007, 02:53:43 pm
Upgrade the secondary and verify that it looks okay and then upgrade the primary.
This went very smooth. Upgraded the secondary.. Pushed it into service for a while, all was good. Upgraded the primary.
Quote from: dotdash on December 10, 2007, 02:02:57 pm
Here is a good treatment on what the ftp helper does and why it is needed:
http://home.nuug.no/~peter/pf/en/ftpproblem.html
AFAIK, pfSense is using pftpx, which is similar to the current OpenBSD ftp proxy.
Aside from a few weird configurations, I've always had success with simply enabling the helper on the LAN, disabling on the WAN, and in the case of multi-WAN, adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules.
Oh, and it's been posted many times elsewhere that the newer 1.2 RC releases are more stable and bug-free than the 1.0.1 release.
1) Tried this... FTP HELPER is ONLY enabled (by UN-checking DISABLE) on the LAN.. It is checked (disabled) on WAN, OPT1, OPT2... Still nothing.
2) "adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules"
More detail please. I have a rule on the LAN that allows * * * * through... So, it's wide open from the LAN interface. Is something else meant here?
3) Finally, I looked in the logs, don't see anything here about this.
My FTP behavior has not changed. It still allows me to log in successfully. But when I try a GET or a DIR, it hangs and then I get "disconnected by host" after a timeout... What am I missing here??? I'm just trying to FTP from LAN...

sullrich (Administrator, Hero Member, Posts: I am a geek!!)
Re: 2 Issues with pfSense 1.2 RC3
« Reply #14 on: December 10, 2007, 11:38:28 pm »
Using proxyarp ips by chance? Have you seen http://devwiki.pfsense.org/FTPTroubleShooting ??