Netgate Discussion Forum
    MS FTP on DMZ not working for WAN Access

NAT
19 Posts 3 Posters 12.8k Views

timb0311

      Ok… anyone?  Really need to get this working.

timb0311

        Tried re-installing the latest build from scratch and reconfiguring.  Still doesn't work.

sullrich

It works fine here, honestly…  Make sure you're not using a proxy ARP type interface.  Also refer to the FAQ entries in faq.pfsense.com pertaining to FTP.

timb0311

            @sullrich:

It works fine here, honestly…   Make sure you're not using a proxy ARP type interface.  Also refer to the FAQ entries in faq.pfsense.com pertaining to FTP.

How do I … "make sure you're not using a proxy ARP type interface"?  I am not a big network guru, so I am not sure how to do this.  Thanks.

sullrich

Proxy ARP type entry for Virtual IPs.

              Also ensure that your helper is enabled on Interfaces -> WAN.

Delete all firewall rules and NAT rules pertaining to this connection and re-add the FTP rules.  Leave the 2 rules intact.

              Ensure that both rules have correct values set.  I fixed a bug where it was not specifying the interface ip address correctly in one of the firewall rules that are automatically added.

timb0311

Still can't get it working…

Proxy ARP type entry for Virtual IPs.
Not using Virtual IPs, only the WAN interface IP.

                Also ensure that your helper is enabled on Interfaces -> WAN.
Helper is enabled on the WAN interface only.

Delete all firewall rules and NAT rules pertaining to this connection and re-add the FTP rules.  Leave the 2 rules intact.
Deleted the FTP NAT/FW rules and added back both NAT/FW rules.

                Ensure that both rules have correct values set.  I fixed a bug where it was not specifying the interface ip address correctly in one of the firewall rules that are automatically added.

NAT rule shows:
WAN  TCP  21 (FTP)  10.0.x.180 (ext.: xx.xx.xx.16)  21 (FTP)  WAN --> FTP Server

FW rules show:

TCP  *  *  10.0.x.180  21 (FTP)  *  NAT WAN --> FTP Server
TCP  *  *  [blank]  21 (FTP)  *  NAT WAN --> FTP Server

                Also:
                $ ps awux | grep pftpx
                proxy    633  0.0  0.2   656   412  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -f 10.0.x.180 -b xx.xx.xx.16 -c 21 -g 21
                proxy    775  0.0  0.2   656   444  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.x.1

                $ pfctl -s rules | grep ftp
                anchor "ftpsesame/" all
                pass in quick on sis2 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
                anchor "ftpproxy" all
                anchor "pftpx/
                " all
                pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
                pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
                pass in quick on sis0 inet proto tcp from any port = ftp-data to (sis0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
                pass in quick on sis0 inet proto tcp from any to 10.0.x.180 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"
                pass in quick on sis0 proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE: NAT WAN --> FTP Server"

                Does this look correct?  Any ideas?  Thanks.

sullrich

TCP  *  *  [blank]  21 (FTP)  *  NAT WAN --> FTP Server

                  That is wrong.

                  Please run:

                  cat /etc/inc/filter.inc | grep Id

                  From a shell and report back.

sullrich

                    Actually, I forgot to include the files in the upgrade.  ::)

                    Please upgrade.  Start from the last version you installed.

                    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2a.sh | sh -
                    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2b.sh | sh -
                    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2c.sh | sh -
                    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2d.sh | sh -
                    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2e.sh | sh -
                    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2f.sh | sh -
                    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2g.sh | sh -

timb0311

OK, ran the updates, then applied the NAT/firewall rules; still not working. See below:

$ cat /etc/inc/filter.inc | grep Id
                      /* $Id: filter.inc,v 1.575.2.234 2006/08/23 20:19:18 sullrich Exp $ */

$ ps awux | grep pftpx
                      proxy    633  0.0  0.2   656   412  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -f 10.0.x.180 -b xx.xx.xx.16 -c 21 -g 21
                      proxy    775  0.0  0.2   656   444  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.x.1

                      $ pfctl -s rules | grep ftp
                      anchor "ftpsesame/" all
                      pass in quick on sis2 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
                      anchor "ftpproxy" all
                      anchor "pftpx/
                      " all
                      pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
                      pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
                      pass in quick on sis0 inet proto tcp from any port = ftp-data to (sis0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
                      pass in quick on sis0 inet proto tcp from any to 10.0.x.180 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"
                      pass in quick on sis0 inet proto tcp from any to xx.xx.xx.16 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"

                      Debug info from SmartFTP client:

                      [22:33:03] SmartFTP v2.0.997.4
                      [22:33:03] Resolving host name "ftp.mydomain.com"
                      [22:33:03] Connecting to xx.xx.xx.16 Port: 21
                      [22:33:03] Connected to ftp.mydomain.com.
                      [22:33:03] 220-Microsoft FTP Service
                      [22:33:04] 220 WARNING: You must have authorization to access this system. All connections are logged and monitored.
                      [22:33:04] USER myuser
                      [22:33:04] 331 Password required for myuser.
                      [22:33:04] PASS (hidden)
                      [22:33:04] 230 User myuser logged in.
                      [22:33:04] SYST
                      [22:33:06] 215 Windows_NT
                      [22:33:06] Detected Server Type: Windows NT
                      [22:33:06] FEAT
                      [22:33:06] 211-FEAT
                      [22:33:06]     SIZE
                      [22:33:06]     MDTM
                      [22:33:06] 211 END
                      [22:33:06] TYPE I
                      [22:33:06] 200 Type set to I.
                      [22:33:06] REST 0
                      [22:33:06] 350 Restarting at 0.
                      [22:33:06] PWD
                      [22:33:06] 257 "/" is current directory.
                      [22:33:06] TYPE A
                      [22:33:06] 200 Type set to A.
                      [22:33:06] PORT 10,0,x,180,12,203

[22:33:06] 500 Invalid PORT Command.        <--- Errors out here trying active mode... then switches to passive

                      [22:33:06] Automatic failover of data connection mode from "Active Mode (PORT)" to "Passive Mode (PASV)".

                      [22:33:06] PASV
                      [22:33:06] 227 Entering Passive Mode (10,0,x,180,191,108).
                      [22:33:06] Opening data connection to 10,0,x,180 Port: 49004

[22:33:06] LIST -aL                                   <--- Errors out here ... forces server to close connection

                      [22:33:06] 0 bytes transferred. (N/A/s) (0 ms)
                      [22:33:06] 426 Connection closed; transfer aborted.
                      [22:33:26] An established connection was aborted by the software in your host machine.
                      [22:33:26] Server closed connection

                      DEBUG from MS FTP command line:

                      ftp> debug
                      Debugging On .
                      ftp> open ftp.mydomain.com
                      Connected to ftp.mydomain.com.
                      220-Microsoft FTP Service
                      220 WARNING: You must have authorization to access….
                      User (ftp.mydomaind.com:(none)): myuser
                      ---> USER myuser
                      331 Password required for myuser.
                      Password:
                      ---> PASS mypwd
                      230 User myuser logged in.
                      ftp> dir
                      ---> PORT 10,0,x,180,13,3
                      500 Invalid PORT Command.
                      ---> LIST
                      150 Opening ASCII mode data connection for /bin/ls.         <--- command line freezes here...

In both test scenarios the server shows me logged in, but neither will let me run commands: can't list the directory, can't push data to the server, nor pull data from the server.  That tells me there is something wrong with the passive ports across the firewall.  I can't even do it across the LAN anymore while the NAT/firewall rules are in place.

sullrich

Please show the firewall rules summary view that you showed before that contained the "blank" entry.

timb0311

Current firewall rules after patches:

TCP  *  *  10.0.x.180  21 (FTP)  *  NAT WAN --> FTP Server
TCP  *  *  WAN address  21 (FTP)  *  NAT WAN --> FTP Server

I just tried removing the NAT port forward, thinking that it makes no sense since the proxy would be doing the forwarding.  Is this a correct assumption?

Anyway, after that I could LIST the directory information from the LAN now.

                          Still need to test from outside... have to get someone to test this for me.

timb0311

OK, tested externally and all is working after the NAT rule is deleted!  Thanks.

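The resolution of the thread (drop the explicit port-21 NAT forward so that the pftpx helper alone handles FTP) matches the symptom visible in the client transcripts above: both the PORT command and the server's 227 reply carry a 10.0.x.180 address, i.e. NAT rewrote the IP header but nothing rewrote the address embedded in the FTP control channel, so the data connection goes to an address the peer cannot reach. The script below is an added diagnostic written for this page; it is not code from the thread, from pfSense or from pftpx. It parses an FTP client transcript and flags PORT/PASV data-channel addresses that fall in RFC 1918 space or that differ from the control-connection peer. The sample transcript is constructed from the SmartFTP log above, with the redacted octets replaced by placeholder values (203.0.113.16 stands in for xx.xx.xx.16 and 10.0.1.180 for 10.0.x.180); the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample, adapted from the SmartFTP transcript in the thread.
# Placeholder addresses: 203.0.113.16 replaces the redacted public WAN IP,
# 10.0.1.180 replaces the redacted DMZ server IP. Neither is a real host.
SAMPLE_TRANSCRIPT = """\
[22:33:03] Connecting to 203.0.113.16 Port: 21
[22:33:04] 230 User myuser logged in.
[22:33:06] PORT 10,0,1,180,12,203
[22:33:06] 500 Invalid PORT Command.
[22:33:06] PASV
[22:33:06] 227 Entering Passive Mode (10,0,1,180,191,108).
[22:33:06] LIST -aL
[22:33:06] 426 Connection closed; transfer aborted.
"""

# The six comma-separated numbers FTP uses for host and port (RFC 959):
# h1,h2,h3,h4 are the IPv4 octets, p1,p2 encode the port as p1*256 + p2.
HOSTPORT_RE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
CONNECT_RE = re.compile(r"Connecting to (\S+) Port: (\d+)")
PORT_RE = re.compile(r"\bPORT " + HOSTPORT_RE)        # client -> server, active mode
PASV_RE = re.compile(r"^227 .*?\(" + HOSTPORT_RE + r"\)")  # server -> client, passive mode

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(octets):
    """Turn the six FTP host-port numbers into an (ip, port) tuple."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in octets)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(ip):
    """True if the address is private per RFC 1918 and so unroutable across the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def strip_timestamp(line):
    """Drop the '[hh:mm:ss] ' prefix that FTP clients put on each transcript line."""
    return re.sub(r"^\[\d\d:\d\d:\d\d\]\s*", "", line).strip()


def audit_transcript(text):
    """Return findings for every PORT/PASV address that cannot work across the NAT boundary.

    Each finding is a dict with the command kind, decoded ip and port, and the reasons.
    """
    findings = []
    control_peer = None  # the public address the client actually connected to
    for raw in text.splitlines():
        line = strip_timestamp(raw)
        m = CONNECT_RE.search(line)
        if m:
            control_peer = m.group(1)
            continue
        for kind, rx in (("PORT", PORT_RE), ("PASV", PASV_RE)):
            m = rx.search(line)
            if not m:
                continue
            ip, port = decode_hostport(m.groups())
            reasons = []
            if is_rfc1918(ip):
                reasons.append("RFC 1918 address advertised on the control channel; "
                               "unreachable for the peer unless a proxy/ALG rewrites it")
            if kind == "PASV" and control_peer and ip != control_peer:
                reasons.append(f"server advertised {ip} but the control connection peer is "
                               f"{control_peer}: NAT rewrote the IP header, not the FTP payload")
            if reasons:
                findings.append({"kind": kind, "ip": ip, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_transcript(SAMPLE_TRANSCRIPT):
        print(f"{f['kind']} -> {f['ip']}:{f['port']}")
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample it reports the PORT command (10.0.1.180:3275) and the 227 reply (10.0.1.180:49004, the same port the client then tried to open in the log above). A transcript where the 227 reply carries the same public address the client connected to produces no findings, which is what the pftpx helper achieves by rewriting the control channel; an explicit port forward in front of it bypasses that rewrite.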
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.