Microsoft FTP.exe
-
What version of pfSense? Always include this information when reporting problems.
-
Beta-1 (upgrade)
-
Try a newer build from: http://www.pfsense.com/~sullrich/BETA2-BUGVALIDATION3/
-
Just installed new build. The problem is the same.
-
Couple of things to check:
1. Make sure XP firewall is off
2. Make sure FTP helper is turned on for the interface in question.
Tested it with the same version:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\GeekGod.SULLRICH>ftp ftp.sunet.se
Connected to ftp.sunet.se.
220 Welcome to ftp.sunet.se
User (ftp.sunet.se:(none)): anonymous
331 Any password will work
Password:
230 Any password will work
ftp> debug
Debugging On .
ftp> ls
---> PORT 10,0,250,69,4,115
200 PORT command successful
---> NLST
150 Connecting to port 55382
bin
dev
etc
lib
ls-lR
ls-lR.gz
pub
usr
226 8 matches total
ftp: 47 bytes received in 0.00Seconds 47000.00Kbytes/sec.
ftp>
-
FTP Helper:
On WAN or LAN? Or both?
-
On my setup it's enabled on LAN and WAN.
IE: the check boxes for it are not checked on each respective interface.
-
OK, thanks.
What about the RFC Workaround? On or off?
-
Just rebooted with FTP helper enabled on WAN OPT and LAN.
Now I can't access any FTP server with ftp.exe and iexplore.
My setup:
PRE-BETA2
Advanced Outbound NAT
Outbound loadbalancing
-
Try it without outbound load balancing.
-
Wow, it works.
How can I make this work with loadbalancing?
-
I know this is going to sound bad, but at the moment I really don't know.
I'll have to put some thought into how to work around this issue.
In the meantime, I wouldn't balance FTP; simply add a rule before your balancing rule and force it out your primary pipe.
-
OK, it works with iexplore in passive mode, but with ftp.exe I have a different error now:
200 PORT command successful
425 Could not open data connection to port 61015: Connection timed out
-
Proto    Source   Port  Destination  Port     Gateway  Description
TCP/UDP  LAN net  *     *            20 - 21  *        FTP
If I put this rule before my loadbalancing rules in LAN, it doesn't work.
I need to completely disable loadbalancing for it to work with IE in passive mode.
If I disable outbound loadbalancing and permit any any on the WAN interface, it works with IE and ftp.exe!
What would be the rule to create in LAN to make it work with FTP?
State log:
tcp 127.0.0.1:8021 <- 142.217.134.xxx:21 <- 10.0.3.3:3677 CLOSED:SYN_SENT
-
Just found a workaround for this. Not very secure…
Add this firewall rule in LAN
Proto  Source   Port  Destination  Port  Gateway
*      LAN net  *     127.0.0.1    *     *
Add this firewall rule in WAN
Proto  Source   Port  Destination  Port  Gateway
*      *        *     *            *     *
It works.
Firewall state shows:
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3887 FIN_WAIT_2:FIN_WAIT_2
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3896 FIN_WAIT_2:FIN_WAIT_2
tcp 194.71.11.70:20 -> 194.71.11.70:65294 -> 10.0.3.3:3898 FIN_WAIT_2:FIN_WAIT_2
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3899 ESTABLISHED:ESTABLISHED
tcp 194.71.11.70:20 -> 194.71.11.70:62700 -> 10.0.3.3:3903 FIN_WAIT_2:FIN_WAIT_2
Without permit any any on WAN I have this in my state
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3871 ESTABLISHED:ESTABLISHED
And I have this error with ftp.exe
200 PORT command successful
425 Could not open data connection to port 58974: Connection timed out
-
The LAN->Localhost rule is fine.
I would remove that WAN rule ASAP. Because if you permit all traffic from the internet in, then what is the point of having a firewall at all?
-
If I remove the permit any any rule on WAN I can't connect using active ftp mode (ftp.exe)
-
If I remove the permit any any rule on WAN I can't connect using active ftp mode (ftp.exe)
Then you don't have a firewall! You're allowing all of the internet into your device.
-
My question is: what is the rule I should put to make active FTP work?
-
As I told you before I need to figure out how to make this work. It currently will not work w/ Outgoing LB.
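-
Added example, not part of the thread and not pfSense code: a small Python decoder for the debug output above. It pairs each PORT command with the port named in the server's 150/425 reply, which shows that the advertised private address and port were rewritten on the way out and that the server then dials back in to the rewritten port. The second sample session uses a constructed PORT line, since the thread shows only the 425 reply.

```python
import ipaddress
import re

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
REPLY_RE = re.compile(r"^(150|425) .*?port (\d+)")
# SESSION_OK is copied from the thread; the PORT line in SESSION_FAIL is
# constructed (the thread shows only the 425 reply that followed it).
SESSION_OK = """---> PORT 10,0,250,69,4,115
200 PORT command successful
---> NLST
150 Connecting to port 55382"""
SESSION_FAIL = """---> PORT 10,0,3,3,15,58
200 PORT command successful
425 Could not open data connection to port 61015: Connection timed out"""

def decode_port(line):
    """Return (IPv4Address, port) advertised by a PORT command, else None."""
    m = PORT_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"PORT field out of range: {line!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return ip, fields[4] * 256 + fields[5]  # port = p1 * 256 + p2

def analyze(transcript):
    """Pair each PORT command with the server's next 150/425 reply."""
    results, pending = [], None
    for line in transcript.splitlines():
        decoded = decode_port(line)
        if decoded:
            pending = decoded
            continue
        m = REPLY_RE.match(line.strip())
        if m and pending:
            (ip, port), server_port = pending, int(m.group(2))
            results.append({
                "client": f"{ip}:{port}",          # what the client advertised
                "private": ip.is_private,          # not routable from the server
                "server_target": server_port,      # port the server dials back to
                "rewritten": server_port != port,  # PORT was translated en route
                "data_ok": m.group(1) == "150",    # 425 = dial-back never arrived
            })
            pending = None
    return results

if __name__ == "__main__":
    for row in analyze(SESSION_OK) + analyze(SESSION_FAIL):
        print(row)
```

A result with rewritten set and data_ok false matches the symptom in the thread: the translated port reached the server, but the inbound data connection from port 20 did not get back through the firewall.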