From: Scott Ullrich
Date: Wed, 27 May 2009 18:12:33 -0400
To: Alexandre Biancalana
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip

On Wed, May 27, 2009 at 5:42 PM, Alexandre Biancalana wrote:
> Hi list,
>
> I have two firewalls with 7.2-STABLE, PF and Carp for failover.
>
> The machines have one physical interface dedicated to two internet
> links (from different providers) and using two vlans on top of this
> physical interface. Each vlan has one real ip address and a carp
> interface with multiple real ip addresses for each vlan. I have three
> ftp servers with invalid ip addresses behind the firewall that need to
> be accessible from the internet.
>
> Then I configured ftp-proxy in the following way:
>
> ftp-proxy -a -b -p21 -R
>
> When ftp_external_ip is an ip associated with the carp interface, the
> ftp connection is unstable: sometimes the connection is opened,
> sometimes the connection is broken in the middle of the list command or
> before entering the password. If I start the ftp-proxy command using as
> ftp_external_ip the ip associated with the vlan interface, everything
> works great.
>
> These machines are in production, so I'm building a lab with virtual
> machines to do some experiments and try to reproduce this.
>
> Has someone seen something like this before?

Sure have with pfSense many times. You might want to give this
custom pftpx-route port a try that we have. You can start an
instance of pftpx for each wan and then it will do the required
route-to work.

http://www.pfsense.org/~sullrich/ported_software/pftpx_routeto/

Scott