This is somewhat an extension of the thread "No SSH on External Interfaces After pf.conf Rewrite for Load Balancing Outgoing Traffic" that Devin helped me out with, but I started a new thread with a new title so others searching might find it correctly.

I have one last issue since I moved to OpenBSD 4.7 and started doing outbound load balancing with two internet connections. This is with a connection from the internet to my inbound proxy for an FTP server behind my OpenBSD firewall, which fails to make a data connection. Devin helped me to remember that when dealing with more than one gateway, it is necessary to use reply-to in my pass in rules to use the same gateway the request came in on (at least for certain services). I used this same method on my inbound redirects to the ftp-proxy, and my control connection is made, but the data connection fails (active or passive). Running ftp-proxy in debug mode 7 logging to standard output, I see essentially the same output I get in my FTP client:

using fixed server 10.52.91.10
listening on 127.0.0.1 port 21
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 server: 220 mydomain.net FTP - You're In!\r\n
#1 client: USER [email protected]\r\n
#1 server: 331 Password required for ftp@ mydomain.net\r\n
#1 client: PASS blah_my_pass_blah\r\n
#1 server: 230 Logged on\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX emulated by FileZilla\r\n
#1 client: FEAT\r\n
#1 server: 211-Features:\r\n
#1 server: MDTM\r\n
#1 server: REST STREAM\r\n
#1 server: SIZE\r\n
#1 server: MLST type*;size*;modify*;\r\n
#1 server: MLSD\r\n
#1 server: AUTH SSL\r\n
#1 server: AUTH TLS\r\n
#1 server: UTF8\r\n
#1 server: CLNT\r\n
#1 server: MFMT\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 "/" is current directory.\r\n
#1 client: TYPE I\r\n
#1 server: 200 Type set to I\r\n
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
#1 server: 421 Connection timed out.\r\n
#1 server close
#1 ending session

One thing I don't understand is: is this the proxy not being able to make the data connection over the internal network to the back-end FTP server, or is this the client not being able to make the data connection through the proxy?

Here are the applicable PF rules for the proxy. The rest of the pf.conf is almost exactly the same as the FAQ "Address Pools and Load Balancing" example:

anchor "ftp-proxy/*"
pass in quick on $ext_if_1 inet proto tcp to $ext_if_1 port ftp rdr-to 127.0.0.1 port ftp reply-to ($ext_if_1 $ext_gate_1)
pass in quick on $ext_if_2 inet proto tcp to $ext_if_2 port ftp rdr-to 127.0.0.1 port ftp reply-to ($ext_if_2 $ext_gate_2)
pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021

This was all working (and still is if I switch .confs) before the modifications for multiple internet connections and outbound load balancing. The outbound proxy is working just fine. Any insights?
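As an added diagnostic (example code, not part of the original post and not ftp-proxy's own code): a small Python script that parses an ftp-proxy debug transcript like the one quoted above, decodes each 227 reply into an address and port (RFC 959 encodes the port as p1*256 + p2), and reports the two things worth checking in a passive-mode failure like this one: whether the address the proxy announces to an internet client is a private one, and which address:port the client's data connection has to reach, since that connection is separate from the port-ftp control connection that the rdr-to rules shown match. The sample transcript is constructed from lines in the post, and the finding codes (`server-addr-mismatch`, `private-to-global`, `data-port`) are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the ftp-proxy -D7 transcript quoted in the post
# (session number, role, payload). It is example input, not a real capture.
SAMPLE_LOG = r"""
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
"""

# RFC 959 PASV reply: four address octets followed by two port bytes.
PASV_RE = re.compile(
    r"227 Entering Passive Mode \("
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# ftp-proxy's session banner: who is talking to whom through which proxy address.
SESSION_RE = re.compile(
    r"^#(\d+) FTP session \S+ started: client (\S+) to server (\S+) via proxy (\S+)"
)
# One protocol line as logged: "#<session> <role>: <payload>".
MSG_RE = re.compile(r"^#(\d+) (server|proxy|client): (.*)$")


def decode_pasv(payload):
    """Return (host, port) from a 227 reply, or None if the line is not a valid 227."""
    m = PASV_RE.search(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # every field must fit in one byte
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def parse_transcript(log):
    """Group the transcript by session and collect every decoded 227 reply in order."""
    sessions = {}
    for line in log.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sid, client, server, proxy = m.groups()
            sessions[sid] = {"client": client, "server": server, "proxy": proxy, "pasv": []}
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        sid, role, payload = m.groups()
        decoded = decode_pasv(payload)
        if decoded and sid in sessions:
            sessions[sid]["pasv"].append((role, decoded[0], decoded[1]))
    return sessions


def check_session(session):
    """Return (code, message) findings about the passive-mode addresses in one session."""
    findings = []
    client = ipaddress.ip_address(session["client"])
    for role, host, port in session["pasv"]:
        announced = ipaddress.ip_address(host)
        if role == "server" and host != session["server"]:
            findings.append(("server-addr-mismatch",
                             f"server announced {host}:{port} but the proxy reached it at "
                             f"{session['server']}"))
        if role == "proxy":
            if client.is_global and announced.is_private:
                findings.append(("private-to-global",
                                 f"proxy announced private address {host}:{port} to internet "
                                 f"client {client}; the client can only use it if that address "
                                 f"is reachable from outside"))
            findings.append(("data-port",
                             f"client {client} must reach {host}:{port} for the data connection; "
                             f"this is not the port-ftp control connection, so check how that "
                             f"traffic is passed and routed back"))
    return findings


def diagnose(log):
    """Map each session id to its findings."""
    return {sid: check_session(s) for sid, s in parse_transcript(log).items()}


if __name__ == "__main__":
    for sid, findings in diagnose(SAMPLE_LOG).items():
        for code, message in findings:
            print(f"session {sid} [{code}]: {message}")
```

Run it against a real transcript by replacing SAMPLE_LOG with the captured output of ftp-proxy in debug mode; the `data-port` finding tells you exactly which address and port the client's second connection targets, which is the connection to trace with tcpdump on each external interface to see whether the SYN arrives and which gateway the reply leaves through.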

