Hi folks,

I'm having a bad time doing a setup that is a little complex. I do have
2 ADSL links, both working. And I have a DMZ and a LAN. The setup is this:

LAN net: 10.0.0.0/24
DMZ net: 10.1.1.0/24
LINK#1 NET: 192.168.200.0/24  LINK#1 IP: 192.168.200.1  LINK#1 GATEWAY: 192.168.200.254
LINK#2 NET: 192.168.201.0/24  LINK#2 IP: 192.168.201.1  LINK#2 GATEWAY: 192.168.201.254

I'm doing nat on both interfaces and have a ftp-proxy properly
configured, with a rdr rule redirecting the traffic to it. I did make a
rule with the round-robin, and made it work flawlessly. My problem
arises in the following form:

If I let only one link working (don't use round-robin), the ftp-proxy
works both for passive connections and for active connections made from
LAN and from DMZ. If I activate the round-robin, and use the ftp-proxy
with the -n switch, the active mode works flawlessly, but in the passive
mode, if the client is going out through the LINK#2, the remote server
says that my control and data connections are coming from different
places. I want to:

1) either make both the control connections and passive data connections
go out through the same interface and gateway, as LINK#1
2) make ftp-proxy make the control connection through the same link the
passive connection will go out (then I will use round-robin with sticky
address)

I have a strange problem using ftp-proxy without the -n switch. If I
interpreted the manual correctly, even the passive connections will go
through the proxy, which should eliminate my problem, because even if a
machine on LAN net is going out through the LINK#2, the passive
connection will go out through the same link that the firewall itself is
using as default gateway (LINK#1). But if I don't use the -n switch, the
active connections still work, but passive connections have the
destination not to the remote server, but to the LINK#1 IP, or
192.168.200.1, which is very strange, and the connections time out. I
played with the -a and -S switches, but without any luck. If someone
has some light, I would be glad. This is the only thing that is holding
me from using load balancing full time.

Thanks in advance,

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
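For readers following the setup above, here is an added pf.conf sketch of the layout the post describes (two NATed links, rdr to ftp-proxy, round-robin route-to with sticky-address as in option 2). It is not the poster's configuration: the interface names, the proxy listening port and the rule layout are assumptions; the addresses are the ones given in the post, written in the nat/rdr rule syntax of that era.

```pf
# Added example, not the poster's pf.conf. Interface names, the ftp-proxy
# listening port and the rule layout are assumptions; addresses follow the post.
int_if     = "sis0"     # LAN, 10.0.0.0/24          (assumed name)
dmz_if     = "sis1"     # DMZ, 10.1.1.0/24          (assumed name)
ext_if1    = "sis2"     # LINK#1, 192.168.200.1     (assumed name)
ext_if2    = "sis3"     # LINK#2, 192.168.201.1     (assumed name)
ext_gw1    = "192.168.200.254"
ext_gw2    = "192.168.201.254"
lan_net    = "10.0.0.0/24"
dmz_net    = "10.1.1.0/24"
proxy_port = "8021"     # ftp-proxy listener on the firewall, assumed

# NAT outbound traffic on both links
nat on $ext_if1 from { $lan_net, $dmz_net } to any -> ($ext_if1)
nat on $ext_if2 from { $lan_net, $dmz_net } to any -> ($ext_if2)

# Hand client FTP control connections to the proxy on the firewall
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port $proxy_port
rdr on $dmz_if proto tcp from $dmz_net to any port 21 -> 127.0.0.1 port $proxy_port

pass quick on lo0

# Pass rules see the translated (rdr'd) destination, so match the proxy
# first with quick, before the route-to rules below can claim the packet.
pass in quick on { $int_if, $dmz_if } proto tcp from { $lan_net, $dmz_net } \
    to 127.0.0.1 port $proxy_port flags S/SA keep state

# Round-robin over both links; sticky-address keeps one client on one link
# (option 2 in the post). This governs only connections the clients open
# themselves, e.g. the passive data connection with ftp-proxy -n.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto tcp from $lan_net to any flags S/SA keep state
pass in on $dmz_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address proto tcp from $dmz_net to any flags S/SA keep state

# Connections the proxy itself opens originate on the firewall. They never
# hit the "pass in" route-to rules above; they follow the routing table
# (default route via LINK#1) and are matched by "pass out" rules.
pass out on { $ext_if1, $ext_if2 } proto tcp from { $ext_if1, $ext_if2 } \
    to any flags S/SA keep state
```

The point the comments make is the one that explains the symptom in the post: a route-to rule on the internal interface decides the link for packets the client sends, while the control connection the proxy builds to the remote server is firewall-originated and takes whatever the firewall's own routing (or its own pass out rules) gives it. Sticky-address on the client side therefore cannot by itself tie the proxy's control connection to the link chosen for the client's passive data connection.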
