From: Alexandre Biancalana
To: freebsd-pf@freebsd.org
Date: Wed, 27 May 2009 18:42:09 -0300
Subject: Multiple ftp servers behind pf with carp multi-ip

Hi list,

I have two firewalls with 7.2-STABLE, PF and Carp for failover.

The machines have one physical interface dedicated to two internet links (from different providers), using two vlans on top of this physical interface. Each vlan has one real ip address and a carp interface with multiple real ip addresses for each vlan.

I have three ftp servers with invalid ip addresses behind the firewall that need to be accessible from the internet. So I configured ftp-proxy in the following way:

    ftp-proxy -a -b -p21 -R

When ftp_external_ip is an ip associated with the carp interface, the ftp connection is unstable: sometimes the connection is opened, sometimes the connection is broken in the middle of a list command or before entering the password.

If I start the ftp-proxy command using as ftp_external_ip the ip associated with the vlan interface, everything works great.

These machines are in production, so I'm building a lab with virtual machines to do some experiments and try to reproduce this.

Has anyone seen something like this before?

I can provide any additional information needed to help with troubleshooting.

Best Regards,
Alexandre