Okay so it sounds like the rdr rule for the interface is not being hit. Can you try editing /tmp/rules.debug and find the pftpx rule and modify it for the optional interface in question?
Then issue pfctl -f /tmp/rules.debug and test again. If this is the problem it should be an easy fix.

On 9/13/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> I logged in and killed the pftpx server.. and restarted it with full
> debugging. When I hit an ftp site from a LAN net machine .. I see it
> proxying everything. However, when I attempt it from the OPT net
> machine I see nothing. It's being blocked by the firewall's default rule
> for some reason. Here is the masked (removed my private ips) log output:
>
> ------
>
> pf: 23. 996387 rule 254/0(match): block in on em2: WWW.WWW.WWW.WWW.44635 > 127.0.0.1.8021: S 3451987609:3451987609(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
>
> WWW.WWW.WWW.WWW is the machine's private 'OPT2 net' ip from which I'm
> trying to ftp to a public internet site.
>
> ------
>
> pf: 28. 305486 rule 7.512.2.0/0(match): pass in on em0: XXX.XXX.XXX.XXX.34073 > 204.152.191.7.45538: S 3266523314:3266523314(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
>
> pf: 000022 rule 7.512.2.1/0(match): pass out on bge0: YYY.YYY.YYY.YYY.57236 > 204.152.191.7.45538: S 3266523314:3266523314(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
>
> pf: 270761 rule 7.512.2.0/0(match): pass in on em0: XXX.XXX.XXX.XXX.43600 > 204.152.191.7.27258: S 3270933157:3270933157(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
>
> pf: 000016 rule 7.512.2.1/0(match): pass out on bge0: YYY.YYY.YYY.YYY.58700 > 204.152.191.7.27258: S 3270933157:3270933157(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
>
> XXX.XXX.XXX.XXX is my machine on 'LAN net' connecting via ftp to the
> mirrors.kernel.org (204.152.191.7) site with mozilla.
>
> YYY.YYY.YYY.YYY is my firewall's public WAN interface ip
>
> ------
>
> According to status.php all non-WAN interfaces have a pf rdr for ftp to
> 127.0.0.1 on port 8021
>
> ...
>
> One observation that doesn't really have anything to do with this stuff,
> but shouldn't pftpx be using the same public CARP ip/interface I have
> all my other outbound NAT being mapped to? I guess that would only be
> important if pftpx supports pfsync, but from a consistency standpoint it
> might be better to run multiple pftpx servers, one for each network that
> has outbound NAT mapped to a different public IP. It's not technically
> NAT, but the reason for wanting all your connections coming from the
> same IP is understandable.
>
> -Matt
>
> On Tue, 2005-09-13 at 14:11 -0400, Scott Ullrich wrote:
> > I think this has something to do with the way our multiple gateways
> > work, since pftpx traffic isn't being affected by route-to since it's
> > coming from the local machine. Maybe Bill can chime in here.
> >
> > Scott
> >
> > On 9/13/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> > > yeah.. that's what Scott's instructions say, which I did before saying
> > > that it didn't work :)
> > >
> > > -Matt
> > >
> > > On Tue, 2005-09-13 at 12:22 -0500, Erik Kristensen wrote:
> > > > Log into the command line and run pftpx.
> > > >
> > > > -Erik
> > > >
> > > > On Tue, 13 Sep 2005 12:13:37 -0500, Matthew Lenz wrote
> > > > > Nope. I can still ftp just fine from a box on my LAN net .. But I
> > > > > can't ftp out from my OPT2 net. I can http and ntp out from my OPT2
> > > > > net just fine.
> > > > >
> > > > > -Matt
> > > > >
> > > > > On Tue, 2005-09-13 at 11:21 -0400, Scott Ullrich wrote:
> > > > > > Does "killall pftpx && pftpx" from the shell fix it?
> > > > > >
> > > > > > Scott
> > > > > >
> > > > > > On 9/12/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> > > > > > > I've a:
> > > > > > >
> > > > > > > * LAN net * * * Default LAN -> any
> > > > > > >
> > > > > > > for my LAN.. but on OPT 2 I've got:
> > > > > > >
> > > > > > > TCP/UDP OPT2 net * hostaliashere 21 (FTP)
> > > > > > > TCP/UDP OPT2 net * hostaliashere 20
> > > > > > >
> > > > > > > I can ftp anywhere I want from the LAN network, but I cannot for the
> > > > > > > life of me get ftp to work on OPT 2. Any ideas on what to check? I've
> > > > > > > taken a look at the status.php page to make sure all the rules are being
> > > > > > > added and that the hostalias is translated into the correct internet ip.
> > > > > > > Everything looks perfect but it's a no go (yeah, I have outbound nat
> > > > > > > enabled for all my LAN/OPT interfaces). I am accessing internet ntp and
> > > > > > > internet http sites just fine from these networks.
> > > > > > >
> > > > > > > -Matt
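The rules-and-log check the thread circles around, as an added example that is not code from the list, from pfSense or from pftpx. It assumes em2 is the OPT2 interface (the "block in on em2" line in the quoted log), uses 192.0.2.0/24 as a stand-in for the masked OPT2 subnet, and writes the 2005-era pf dialect (rdr ... -> ..., pass ... keep state). One fact worth having next to the log: pf matches filter rules against the translated address, so once the rdr has rewritten a port-21 SYN to 127.0.0.1:8021, the pass rule for that interface has to allow the loopback destination, not only the original internet host. The log scanner below flags exactly that pattern, and the pfctl helper shows the rdr rule's own hit counters so "not being hit" can be confirmed from the firewall rather than inferred.

```sh
#!/bin/sh
# Added example for this thread, not code from the list or from pfSense.
# Assumptions: em2 is the OPT2 interface, 192.0.2.0/24 stands in for the
# masked OPT2 subnet, and the syntax is the 2005-era pf dialect.

# Emit the pair of rules an optional interface needs for the ftp proxy:
# the rdr that sends port-21 connections to pftpx on 127.0.0.1:8021, and a
# pass rule for the translated destination, because pf evaluates filter
# rules against the post-rdr address rather than the original host.
ftp_proxy_rules() {
    _if=$1
    _net=$2
    printf 'rdr on %s proto tcp from %s to any port 21 -> 127.0.0.1 port 8021\n' "$_if" "$_net"
    printf 'pass in quick on %s proto tcp from %s to 127.0.0.1 port 8021 flags S/SA keep state\n' "$_if" "$_net"
}

# Constructed pflog lines in the same shape as the ones quoted in the thread,
# with the masked addresses replaced by documentation-range ones.
SAMPLE_LOG='pf: 000001 rule 254/0(match): block in on em2: 192.0.2.10.44635 > 127.0.0.1.8021: S 1:1(0) win 5840
pf: 000002 rule 7.512.2.0/0(match): pass in on em0: 198.51.100.10.34073 > 204.152.191.7.45538: S 2:2(0) win 5840
pf: 000003 rule 7.512.2.1/0(match): pass out on bge0: 203.0.113.5.57236 > 204.152.191.7.45538: S 2:2(0) win 5840
pf: 000004 rule 254/0(match): block in on em2: 192.0.2.11.44640 > 127.0.0.1.8021: S 3:3(0) win 5840'

# Read pflog text on stdin and print each interface on which a packet bound
# for the proxy port was blocked.  A hit means the rdr did fire (the
# destination is already 127.0.0.1:8021) and a pass rule for that interface
# is what is missing.
blocked_proxy_ifaces() {
    awk '/ block in on [A-Za-z0-9_.]+: / && / > 127\.0\.0\.1\.8021: / {
             s = $0
             sub(/.* block in on /, "", s)   # drop everything before the interface
             sub(/:.*/, "", s)               # keep just the interface name
             print s
         }' | sort -u
}

# Show the translation rules for the proxy port with their hit counters:
# pfctl -vsn prints an "[ Evaluations: ... Packets: ... ]" line under each
# rule, which answers "is the rdr being hit" directly.  Runs only on the
# firewall itself, so nothing below calls it.
show_proxy_rule_counters() {
    pfctl -vsn | grep -A1 'port 8021'
}

# Stand-alone run: print the rules for OPT2 and scan the constructed log.
ftp_proxy_rules em2 192.0.2.0/24
printf '%s\n' "$SAMPLE_LOG" | blocked_proxy_ifaces
```

To use it on a live box, append the two generated lines to /tmp/rules.debug, reload with pfctl -f /tmp/rules.debug, and then feed `tcpdump -n -e -ttt -i pflog0` output through blocked_proxy_ifaces while retrying the ftp connection from the OPT2 host; an empty result together with non-zero counters from show_proxy_rule_counters means both halves are now in place.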
