Netgate Discussion Forum

    DMZ and FTP Out

    NAT
      josh

      Hey Guys,

      I'm trying to get ftp out working for my DMZ (OPT1). I do have pftpx turned on, and it works great for the LAN, but as for the DMZ, I can't get it running correctly. If I debug on pftpx (pftpx -d D7), any connections from the LAN go through fine, but anything from OPT1 never even gets an initial connection.

      My guess is something to do with the firewall rules for the pftpx/ftp proxy or a NAT/firewall rule I'm missing. Any ideas on how to get this working?

      Thanks,
      -Josh

        Jesse7

        I am probably wrong, but it might have something to do with the ftp helper option. I read it in another post on here.

          billm

          @josh:

          Hey Guys,

          I'm trying to get ftp out working for my DMZ (OPT1). I do have pftpx turned on, and it works great for the LAN, but as for the DMZ, I can't get it running correctly. If I debug on pftpx (pftpx -d D7), any connections from the LAN go through fine, but anything from OPT1 never even gets an initial connection.

          My guess is something to do with the firewall rules for the pftpx/ftp proxy or a NAT/firewall rule I'm missing. Any ideas on how to get this working?

          Thanks,
          -Josh

          0.94 was just released, please try that, there are numerous fixes in it.  Thanks

          –Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

            simonchs

            Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
            And I've got the following stats:
            self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

            137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

              sullrich

              @simonchs:

              Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
              And I've got the following stats:
              self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

              137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

              Fixed in 0.95+

                simonchs

                @sullrich:

                @simonchs:

                Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
                And I've got the following stats:
                self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

                137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

                Fixed in 0.95+

                I've just tried to disable the ftp-helper for LAN and WAN interface too, but still cannot get this to work… is there any other setting I need to do?
                Thanks.

                  sullrich

                  @simonchs:

                  @sullrich:

                  @simonchs:

                  Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
                  And I've got the following stats:
                  self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

                  137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

                  Fixed in 0.95+

                  Do you still see entries like: self tcp 127.0.0.1:8022 ??

                  I've just tried to disable the ftp-helper for LAN and WAN interface too, but still cannot get this to work… is there any other setting I need to do?
                  Thanks.

                    simonchs

                    yup, I still got the

                    self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT
                    

                    in "Diagnostics: Show States" when I FTP out in DMZ server.

                      sullrich

                      @simonchs:

                      yup, I still got the

                      self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT
                      

                      in "Diagnostics: Show States" when I FTP out in DMZ server.

                      Then the FTP helper isn't being deactivated.  Did you reboot after making the change?

                        simonchs

                        @sullrich:

                        Then the FTP helper isn't being deactivated.  Did you reboot after making the change?

                        yes, had to reboot both pfsense and the server after making the change.

                          simonchs

                          upgraded to BETA-1, and this problem still exists.

                            hoba

                            As you upgraded, can you try again with a fresh install and a from scratch recreated config without importing?

                              simonchs

                              problem fixed after upgrade to 1.0-PREBETA2-BUG-VALIDATION-EDITION3
                              thank you!  ;D

                                simonchs

                                oh no…
                                the problem hasn't come out because the new option "Enable Filtering Bridge" was not checked, if I check this option, the problem comes back...

                                tcp 127.0.0.1:8022 <- ftp.server.ip:21 <- ip.under.opt1:56357 CLOSED:SYN_SENT
                                tcp 127.0.0.1:8022 <- ftp.server.ip:21 <- ip.under.opt1:56360 CLOSED:SYN_SENT

                                  sullrich

                                  Add the rules to allow ftp to talk to localhost.

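The state entries quoted in this thread can be checked for mechanically. The following Python sketch is an added example, not part of the original posts or of pfSense: it parses lines in the posted "Show States" format and reports connections redirected to a loopback port that are stuck in CLOSED:SYN_SENT, the pattern shown for the OPT1 client. The sample lines and addresses are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample in the format posted in the thread; the addresses are
# documentation-range placeholders, not values taken from the posts.
SAMPLE_STATES = """\
self tcp 127.0.0.1:8022 <- 198.51.100.21:21 <- 192.0.2.100:40899    CLOSED:SYN_SENT
self tcp 127.0.0.1:8021 <- 198.51.100.21:21 <- 10.0.0.5:51200    ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:8022 <- 198.51.100.21:21 <- 192.0.2.100:56357 CLOSED:SYN_SENT
tcp 192.0.2.100:40900 -> 198.51.100.80:80    ESTABLISHED:ESTABLISHED
"""

# "<redirect target> <- <original destination> <- <client>   <state pair>"
REDIRECTED = re.compile(
    r"^(?:self\s+)?(?P<proto>\w+)\s+"
    r"(?P<target>\S+):(?P<target_port>\d+)\s+<-\s+"
    r"(?P<dest>\S+):(?P<dest_port>\d+)\s+<-\s+"
    r"(?P<client>\S+):(?P<client_port>\d+)\s+"
    r"(?P<state>[A-Z0-9_]+:[A-Z0-9_]+)$"
)


def stalled_loopback_redirects(states_text, loopback="127.0.0.1"):
    """Return redirected entries whose handshake to the loopback port never completed."""
    findings = []
    for raw in states_text.splitlines():
        m = REDIRECTED.match(raw.strip())
        if m is None or m["target"] != loopback:
            continue  # not a connection redirected to a local proxy port
        # CLOSED:SYN_SENT is the value posted for the failing OPT1 client: a SYN
        # was recorded for the redirected connection and no reply followed.
        if m["state"] == "CLOSED:SYN_SENT":
            findings.append({
                "client": f'{m["client"]}:{m["client_port"]}',
                "destination": f'{m["dest"]}:{m["dest_port"]}',
                "proxy_port": int(m["target_port"]),
            })
    return findings


if __name__ == "__main__":
    for f in stalled_loopback_redirects(SAMPLE_STATES):
        print(f'{f["client"]} -> {f["destination"]} stalled at loopback port {f["proxy_port"]}')
```

Fed the saved output of "Diagnostics: Show States" before and after a rule change, an empty result means no redirected connection is left in that state.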
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.