Netgate Discussion Forum

    Ftp only works port connection type not passive

      Gertjan

      If you're talking 'incoming ftp connection' to an internal FTP server on your LAN, then drop by over here: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

      If all these posts describe your problem, then you will find a temp. solution over there.

      It's (re)boot persistent.

      And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).)

      PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't see any issues. msntp just grabs the time from the net.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        rsw686

        @Gertjan:

        If you're talking 'incoming ftp connection' to an internal FTP server on your LAN, then drop by over here: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

        If all these posts describe your problem, then you will find a temp. solution over there.

        It's (re)boot persistent.

        And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).)

        PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't see any issues. msntp just grabs the time from the net.

        No, I know the msntp issue is not related. Just that I was advised to go to the latest snapshot, and when I did the upgrade, msntp errors started popping up every minute. Thus I ended up doing a clean install.

        My ftp issue is not the same. My IP address hardly changes and I don't use PPPoE. Yes, this is an incoming ftp issue.

          sullrich

          Msntp has nothing to do with FTP. Upgrade to the latest testing snapshot.

            Tomba

            @rsw686:

            Is there something I am missing? FTP works only with the port connection type. Thus if I try and pull it up in Firefox, etc. that use passive connections, it will not connect.

            Here's the error using passive mode. Seems that pftpx is not giving out the LAN IP address for the client to connect to.

            COMMAND:> PASV
            227 Entering Passive Mode (10,10,1,15,149,86)
            COMMAND:> LIST
            STATUS:>  Connecting ftp data socket 10.10.1.15:38230…

            Did you make sure to define which ports the FTP server uses as PASV ports? If you don't, the FTP server will pick a free port number at random, which I'm sure your firewall will block.
            If the answer is yes: do you also allow traffic to pass? (Firewall -> Rules should have an entry for your PASV port range)
            If the answer is no: define which ports the PASV data transport should use and add a rule to allow traffic to pass in pfSense.

            BTW maybe you should consider using webdav; a client is default in almost any OS (including Windows) and when used with SSL it's safer than FTP as well (e.g. passwords don't get sent over the internet in clear text)

              sullrich

              There is no reason to forward anything but port 21.

              The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

              The FTP Helper dynamically opens ports as they are needed.

                Tomba

                @sullrich:

                There is no reason to forward anything but port 21.

                The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

                The FTP Helper dynamically opens ports as they are needed.

                I didn't know this was what the FTP helper was for :)

                In that case I have the exact same problem because without the PASV port forwards enabled on my pfSense box (RC2) I get the exact same problem…. (with Serv-U FTP)

                  sullrich

                  Upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

                    rsw686

                    @sullrich:

                    Upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

                    I already updated to the latest version SNAPSHOT-09-12-06 and am still having the problem. The ftp helper will not open the ports for passive mode. Only works for port mode. I even tried defining my ip address in vsftp for passive mode and it still does not work.

                    The guy who recommended I use something else, that's not the point. I would like to get FTP working. I normally use SSH anyways.

                      sullrich

                      #1 Make sure you are using CARP type ips for virtual ips
                      #2 Make sure the port forward is for port "21" ONLY

                      If you are on the latest version and follow the above it really should work.

                        Gertjan

                        @sullrich:

                        #1 Make sure you are using CARP type ips for virtual ips
                        #2 Make sure the port forward is for port "21" ONLY

                        If you are on the latest version and follow the above it really should work.

                        Sure ?

                        I'm using a PPPoE connection on the WAN interface, and I can assure you that

                        1. These two ones are running after reboot (and IP 24H 'hup'):
                          /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
                          /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1
                        2. This one won't be there (except when making an initial FTP port 21 rule in the NAT table - Apply)
                          /usr/local/sbin/pftpx -f 192.168.1.2 -b 82.125.93.41 -c 21 -g 21
                          If an FTP port 21 rule was already present, I have to remove it before (as the 2 auto created firewall WAN rules).

                        Am I saying wrong, or do I miss something?
                        When filter.inc installs pftpx [wanIP] [lanIP]…, pftpx will bail out (visible in the system log).

                        Anyway, checking check_reload_status.c right now to see who is running what and when.... (rather simple piece of code at first - but your baby IS complicated when you dig into it...)

