Netgate Discussion Forum
    Port not open? Only filtered?

Category: NAT. 20 Posts, 2 Posters, 9.8k Views
mogie:

If anyone else wants to help, I've got the XML file here:

http://teamgule.net/config-pfsense.lan-20071029163349.xml

Thanks again to those helping! It is really appreciated!

cmb:

Just saw your PM today. I won't have time to look at it tonight, but maybe tomorrow; if not, definitely this weekend.

mogie:

Is the PM really working? I haven't got any outbox mails after sending some…

mogie:

Update: I've updated the link above if anyone wants to look at it again: :)

http://teamgule.net/config-pfsense.lan-20071029163349.xml

mogie:

I'm getting a new ISP this weekend, I hope, with a static IP (eventually!!). They do not use PPPoE, so maybe that will solve some problems :)

mogie:

I've tried a new network layout now:

Modem w/ firewall & NAT                 pfSense w/ or without NAT
LAN 192.168.1.1          ----------> 10.0.0.138  -----------> LAN
WAN 85.167.x.x

I have NATed all ports on the router modem to the pfSense box. Things are all the same. All NATs are working except for FTP, Counter-Strike and passive FTP (2300-2400). It makes no difference which services I'm running additionally (DHCP, traffic shaper etc.); in fact there's no logic in this not working in any way at all. I've also tried to reset the pfSense box many times and restored the settings in different combinations, though the result is the same.
All of this SHOULD work, and I'm seriously considering trying m0n0wall instead, because it has the same features that I'm looking for.

For the new ISP part, I'm still waiting. But like I said, the problem lies in the pfSense box software, not the connection to my ISP or the WAN connection.

It makes no difference trying to disable the NAT on the pfSense router. Neither do a lot of other features, like I've told.

Should I go back and try the pfSense 1.0 stable maybe? Thanks for all advice!

mogie:

OK.. I've actually managed to get some connection on the FTP port in active mode, but ONLY through an FTP client program (LeechFTP). Not in passive mode, of course..

WAN - Disable the userland FTP-Proxy application [CHECKED]
LAN - Disable the userland FTP-Proxy application [NOT CHECKED]

As I mentioned, I have the firewall and the first forward at the router modem (192.168.1.1). And therefore all connection rules on the pfSense box are allowed (both to WAN and LAN).
I have NAT'ed these ports:

If   Proto  Ext. port range  NAT IP               Int. port range  Description
WAN  TCP    21 (FTP)         10.0.0.4 (ext.: any)  21 (FTP)
WAN  TCP    80 (HTTP)        10.0.0.4 (ext.: any)  80 (HTTP)

Why is it not possible to browse the FTP server with a web browser like I did before (without the pfSense box in between), but only through the client?

I've carefully compared two outputs with LeechFTP, both servers running Pure-FTPd, one connection to my server and one to an outside server. I get the exact same outputs. So I need to know how the browsers get the FTP connection. Is it always through a passive connection?

mogie:

I now got the passive FTP to work at first try through LeechFTP… dammit!

Still, using a browser is hopeless. If anyone can see anything useful here, please let me know:

                    proxy    331  0.0  0.2   704   452  ??  Ss    9:02PM   0:00.16 /usr/local/sbin/pftpx -c 8021 -g 8021 10.0.0.138
                    
mogie:

My previous reply about FTP only working through LeechFTP was wrong. It was because I tested it with NAT reflection to my IP address, and that's why it worked in that case only. I've tested it from another public IP, finding the same result all over:

Through SSH from an outside IP address I get:

500 This security scheme is not implemented


And with an online FTP client I get the 500 error too:
http://www.g6ftpserver.com/en/ftptest

                      * About to connect() to mydomain.net port 21
                      * Trying 85.167.x.x... connected
                      * Connected to mydomain.net (85.167.x.x) port 21
                      < 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 
                      < 220-You are user number 2 of 10 allowed. 
                      < 220-Local time is now 02:09\. Server port: 21\. 
                      < 220 You will be disconnected after 15 minutes of inactivity. 
                      
                      > USER anonymous 
                      < 230 Anonymous user logged in 
                      
                      > PWD 
                      < 257 "/" is your current location 
                      * Entry path is '/'
                      
                      > CLNT Testing from http://www.g6ftpserver.com/ftptest from IP 85.167.x.x 
                      < 500 Unknown command 
                      * QUOT command failed with 500
                      * Connection #0 to host mydomain.net left intact
                      
                      * Closing connection #0
                      
cmb:

                        Finally getting a chance to look at this closer. What is the problem at this point? Sounds like things have changed since earlier?

mogie:

I've been testing m0n0wall instead, with some luck, and some lack of features compared to pfSense.
The NAT reflection feature is not supported in m0n0wall, so I'll need to forward manually through DNS forwarding. Anyway, I'll be able to fix this if I can get the ports to finally work some time in my existing life..

Using m0n0wall:
Compared to pfSense, finally, the CStrike server is visible from the outside with m0n0wall.
Though the FTP problems are still the same as on the pfSense box.
I'm able to connect to the server in some way and almost get a response (see previous post).

In short.. I've tried every single combination of settings that I could ever think of in order to get the NAT working properly. Believe me! I've tried both setting up double NAT, and bridging the modem to the pfSense/m0n0wall box and then connecting using PPPoE. The only thing I see now is that there's something terribly wrong with the software I must be using… or that there's some mysterious blocking at the modem when it is in bridge mode.. (not logical at all!)

Anyway. The problem still lies in the XML file that I've deployed for pfSense (if it does have a problem at all). Look at my previous post to download it.

I've been testing from remote FTP clients to my network for this.

mogie:

UPDATE:

I've managed a double NAT in active FTP in some way..
I've set the "ForcePassiveIP" parameter in pure-ftpd to the external address outside the network the server is on (192.168.1.1) in order to get passive on m0n0wall working. I've now tried to set up the pfSense too, and it seems to have paid off! :) Passive FTP is working through the pfSense box now; I'm going to troubleshoot the passive connection in the meantime..

I've tested through SSH on an external server:

server <----------->  pfsense/m0n0wall <-------------------------> routermodem (PPPoE)
10.0.0.4              10.0.0.138/192.168.1.1                       85.167.x.x

Like I said, this is with double NAT. I have no idea why the bridge on the modem and the PPPoE on the pfSense didn't work. Neither how the ForcePassiveIP parameter affected the active FTP connection with the server..

Though, it does not work through the simple external FTP tester I've been using a lot, including the SSH of course.
http://www.g6ftpserver.com/en/ftptest

To others experiencing the same issue:
Configure a passive connection on your FTP server and force the passive IP to the external IP of the network you're in (above).

Though again, this configuration may be trouble for my CStrike connection. I will need to test that out too..

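Added example (not code from the thread, pfSense, m0n0wall or Pure-FTPd): the passive-mode failure behind the ForcePassiveIP fix in the post above, and the 5xx replies in the online tester transcript quoted earlier, both come down to what the server puts on the control channel. In passive mode the server answers PASV with a 227 reply that names the address and port the client must dial for the data connection; when the server sits behind NAT that address is its own LAN address unless it is told otherwise, so a client outside that LAN gets a working login and PWD but a dead data connection. The script below parses 227 replies, decides whether the advertised address is reachable from a given client (assumption for the example: RFC 1918 LANs are /24, so a client inside the same /24 can reach the address directly, as a LAN client does after NAT reflection), and lists every 5xx reply in a client/server transcript with the command that provoked it. The transcript and all addresses are constructed; 203.0.113.0/24 stands in for the public address the thread redacts as 85.167.x.x.

```python
"""Check FTP passive-mode (PASV) replies for NAT problems and scan a
control-channel transcript for error replies.  Added example, not code from
the thread or from pfSense/Pure-FTPd; inputs below are constructed."""
import ipaddress
import re

# RFC 1918 ranges; a PASV reply advertising one of these only works for
# clients that can route to that network directly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply: str):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply (RFC 959: four address octets, then the port as high and low byte).
    Returns None for anything that is not a 227 reply."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply: str, client_ip: str, control_peer: str) -> str:
    """Say whether the data connection announced in `reply` can work.

    client_ip:    the client's own address.
    control_peer: the address the client dialled on port 21; with NAT in the
                  path the data connection has to go to that same address.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not a PASV reply"
    ip, port = parsed
    if ip == control_peer:
        return f"ok: data connection to {ip}:{port} follows the same path as the control channel"
    if is_rfc1918(ip):
        # Assumption for this example: LANs are /24, so a client inside the
        # advertised address's /24 can reach it directly (e.g. a LAN client
        # reaching the server via NAT reflection); anyone else cannot.
        lan = ipaddress.ip_network(f"{ip}/24", strict=False)
        if ipaddress.ip_address(client_ip) in lan:
            return f"ok: client is on the same LAN as the advertised address {ip}"
        return (f"broken: server advertises private address {ip}, unreachable from "
                f"{client_ip}; set ForcePassiveIP to {control_peer}")
    return f"broken: advertises {ip}, not the address the client dialled ({control_peer})"


def scan_transcript(lines):
    """Walk a transcript in the online tester's format ('> cmd' / '< reply')
    and return [(command, reply)] for every 5xx reply."""
    problems = []
    last_cmd = None
    for line in lines:
        if line.startswith("> "):
            last_cmd = line[2:].strip()
        elif line.startswith("< "):
            reply = line[2:].strip()
            if reply[:1] == "5":
                problems.append((last_cmd, reply))
    return problems


# Constructed transcript: the non-standard CLNT command draws a harmless
# '500 Unknown command', then PASV leaks the server's LAN address
# (10.0.0.4, port 9*256+25 = 2329, inside the 2300-2400 passive range).
TRANSCRIPT = [
    "> USER anonymous",
    "< 230 Anonymous user logged in",
    "> CLNT Testing",
    "< 500 Unknown command",
    "> PASV",
    "< 227 Entering Passive Mode (10,0,0,4,9,25)",
]

if __name__ == "__main__":
    for cmd, reply in scan_transcript(TRANSCRIPT):
        print(f"{cmd!r} -> {reply}")
    pasv_reply = next(l[2:] for l in TRANSCRIPT if l.startswith("< 227"))
    # Same reply seen from the internet and from the server's own LAN.
    print(diagnose_pasv(pasv_reply, client_ip="203.0.113.50", control_peer="203.0.113.10"))
    print(diagnose_pasv(pasv_reply, client_ip="10.0.0.20", control_peer="10.0.0.138"))
```

Run as a script it prints the one 5xx in the transcript and the two diagnoses for the leaked 10.0.0.4 reply. The same check explains the two results reported above: forcing the passive address to 192.168.1.1 satisfies clients inside that middle network, while an internet-side tester still sees a private address it cannot reach, which is why the public address is the one to advertise.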
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.