2 Issues with pfSense 1.2 RC3
-
Appreciate the comment… But...
-
I don't see in the documentation where the FTP from LAN issue was addressed in 1.2 RC3, was it in an earlier release note that I missed?
-
Why would I want to go from a full release to a RC? Especially if the answer to #1 is not definite?
Thx
-
-
What in the world is "userland FTP-Proxy application"? In any case, I unchecked "Disable" (didn't work either way).
Here is a good treatment on what the ftp helper does and why it is needed:
http://home.nuug.no/~peter/pf/en/ftpproblem.html
AFAIK, pfSense is using pftpx, which is similar to the current OpenBSD ftp proxy.
Aside from a few weird configurations, I've always had success with simply enabling the helper on the LAN, disabling on the WAN, and in the case of multi-WAN, adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules.
Oh, and it's been posted many times elsewhere that the newer 1.2 RC releases are more stable and bug-free than the 1.0.1 release.
-
and also, if you enabled the ftp helper on the lan interface, take a look at the firewall logs, so you will see what happened
-
Because 1.2-RC3 has no known bugs. 1.0.1 has many known bugs.
-
Okay.. Thanks. I'll give this a try.
In a HA / CARP situation, can I run the upgrade on the BACKUP box and then test, switch to MASTER and repeat? Or will that mess something up because the two will be on different versions for a short while?
In other words, is down-time required for this upgrade?
Thx
-
Upgrade the secondary and verify that it looks okay and then upgrade the primary.
-
> Upgrade the secondary and verify that it looks okay and then upgrade the primary.
This went very smooth. Upgraded the secondary.. Pushed it into service for a while, all was good. Upgraded the primary.
> Here is a good treatment on what the ftp helper does and why it is needed:
> http://home.nuug.no/~peter/pf/en/ftpproblem.html
> AFAIK, pfSense is using pftpx, which is similar to the current OpenBSD ftp proxy.
> Aside from a few weird configurations, I've always had success with simply enabling the helper on the LAN, disabling on the WAN, and in the case of multi-WAN, adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules.
> Oh, and it's been posted many times elsewhere that the newer 1.2 RC releases are more stable and bug-free than the 1.0.1 release.
Tried this… FTP HELPER is ONLY enabled (by UN-checking DISABLE) on the LAN.. It is checked (disabled) on WAN, OPT1, OPT2... Still nothing.
-
"adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules"
More detail please. I have a rule on the LAN that allows * * * * through... So, it's wide open from the LAN interface. Is something else meant here?
- Finally, I looked in the logs, don't see anything here about this.
My FTP behavior has not changed. It still allows me to log in successfully. But when I try a GET or a DIR, it hangs and then I get "disconnected by host" after a timeout... What am I missing here??? I'm just trying to FTP from LAN...
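Added example (not from this thread or from pfSense) showing why a login succeeds while DIR/GET then hangs: FTP opens a second, data connection whose endpoint is announced inside the control session, so a firewall that only tracks the port-21 session never learns about it. The parsers and the sample addresses below are constructed for illustration.

```python
import ipaddress
import re

# FTP announces the data-channel endpoint inside the control channel as six
# decimal fields h1,h2,h3,h4,p1,p2: host h1.h2.h3.h4, port p1*256 + p2.
FIELDS_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode(fields):
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError("field out of range: %r" % (fields,))
    h1, h2, h3, h4, p1, p2 = values
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv(reply):
    """Server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    Returns the (host, port) the client will connect to for data."""
    m = FIELDS_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a usable 227 reply: %r" % reply)
    return _decode(m.groups())

def parse_port(command):
    """Client's 'PORT h1,h2,h3,h4,p1,p2' command (active mode).
    Returns the (host, port) the server will connect to from its port 20."""
    m = FIELDS_RE.search(command)
    if not command.upper().startswith("PORT") or m is None:
        raise ValueError("not a usable PORT command: %r" % command)
    return _decode(m.groups())

def data_flow(mode, client_ip, server_ip, line):
    """Describe the second (data) connection a stateful firewall must admit,
    derived from the control-channel line that negotiated it. The login
    works without it; DIR/GET hang when this flow is blocked."""
    if mode == "passive":
        host, port = parse_pasv(line)
        # LAN client opens an outbound connection to the server's high port.
        return {"src": client_ip, "dst": host, "dport": port, "initiated_by": "client",
                "advertised_private": ipaddress.ip_address(host).is_private}
    host, port = parse_port(line)
    # Server opens an inbound connection to the address the client advertised.
    # A private (NATed) address advertised here is unreachable from outside
    # unless a helper such as pftpx rewrites the PORT command and opens the pinhole.
    return {"src": server_ip, "sport": 20, "dst": host, "dport": port, "initiated_by": "server",
            "advertised_private": ipaddress.ip_address(host).is_private}
```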
-
-
Using proxyarp ips by chance? Have you seen http://devwiki.pfsense.org/FTPTroubleShooting ??
-
> Using proxyarp ips by chance? Have you seen http://devwiki.pfsense.org/FTPTroubleShooting ??
Nope. All Virtual IPs are CARP.
-
I thought I had seen that post, but it's a different one. I will check it out. Thanks.
-
-
> Outgoing FTP (LAN -> Internet) UPDATED PORTS, please check!
> 1. Ensure that the FTP helper is not disabled on Interfaces, LAN
> 2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.
> 3. If you are running windows try turning off the windows firewall
Okay - I've done all this… SAME FTP BEHAVIOR... Logs in, but then drops session. This is from two independent FTP servers that both work when tested from another network. Both worked before the PFSense install.
Can someone elaborate on the "LOOPBACK" in #2 above... I have a rule on LAN for * * * * PASS, that should cover it... Just for fun, I added 127.0.0.1 * 8000 - 8030 PASS also, no difference...
> Oh no, the above doesn't help. What can I do?
> 1. Use SCP/SFTP which only needs 1 port to traverse the firewall since it's wrapped in SSH (yes a safe AND simple way of traversing a firewall!)
> 2. Don't use FTP
> 3. Turn off the FTP helper option in Interfaces -> LAN and Interfaces -> WAN or any optional interfaces in use.
> 4. Switch to an alternative firewalling system
Are you serious with #2 and #4? I am trying really hard to make this problem "my fault." Believe me, I'd like for nothing more than to see how I've messed this up so I can flip a switch and have FTP working. But so far, nothing helps. Please see the chain above, I'm open to being wrong and would love suggestions.
That being said, FTP is used by MANY MANY major corporations in America. We use it for data communication (encrypted files, of course) with GE, Nissan, AT&T, Coca Cola, to name a few. If you want to be taken seriously, this needs attention (or at least documentation). You can't just tell these guys "sorry, we can't do FTP." This software seems TOTALLY AWESOME with the exception of the FTP feature. I'd hate to see something so small holding this back from making the big time…
-
> "adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules"
> More detail please. I have a rule on the LAN that allows * * * * through… So, it's wide open from the LAN interface. Is something else meant here?
With dual-WAN setups, I add a new rule as the first rule on the LAN:
TCP LAN-net * 127.0.0.1/31 * *
-
> With dual-WAN setups, I add a new rule as the first rule on the LAN:
> TCP LAN-net * 127.0.0.1/31 * *
Thanks. I have that.. No love.
Can you tell me if you need anything special in NAT: PORT FORWARD? I am assuming NO because my FTP session originates from LAN. But I'm out of ideas.
-
WOW, thanks Purdue for picking up where I started with this whole FTP issue! Anyhow, I will be able to test my side of things by the weekend (being production). You obviously have found the exact frustration I have with this - different systems work except pfSense - and other ports work too - like HTTP/HTTPS/RDP/etc. In the beginning though I had not tried to ENABLE/DISABLE the FTP Helper on the LAN/WAN interface BEFORE creating my NAT rules, so I will try that for my next step. But hopefully you get it resolved as I feel we may be working with a very similar problem - you are right in that #2 and #4 suggestions by the pfSense group are quite absurd. I agree it is great software/potential, but the lack of documentation and a basic working feature (major corps use) is essential.
If it makes any difference - I use G6 FTP Server - very robust and well known FTP server - http://www.g6ftpserver.com/
Thanks.
-
No problem pinoyboy. I just hope one of us finds the secret answer to the riddle here.
I'm really glad you posted because it jogged a memory for me. When I did my original install I did notice that the ORDER of how you built things was really important. I'm in the same boat as you, fiddling with the FTP settings AFTER the nat / virtual IPs are set up. Perhaps this is a no-go?
Please let me know what you find and I'll continue to share as well… Other than this FTP issue, I'd give this software an A+ for high-volume production deployment.
-
dotdash or anyone, in the beginning you mentioned you have this FTP working - I assume the FTP inbound (from outside to your internal server - not port forwarding but 1:1). IF you don't mind, could you post a screenshot in order the steps you took to get this working? For example if you setup VIP,Proxy ARP, NAT policies, and Firewall rules, etc - to post the screenshots in those order of your successful setup. Of course changing IP's ::) - maybe this will ensure we are working identically to a known working configuration. IF you can't do screenshot, please clarify for us YOUR STEP by STEP to get this setup and discussing everything from whether it is PRoxy ARP or CARP, etc. Kindly appreciated! ;D
BTW, the NAT reflection I have is VIP/Proxy ARP and NOT CARP and the only ports I am trying to enable here are 80/443 and yes 20/21. Can I just access my own resources internally also please?!!! (Comment to self).
-
I need this as well for FTP… Thx
-
Ok, not the best example, but here are some screen shots. Usually just using outbound ftp here, but I recently setup a temp ftp site for someone to transfer some files. I have tested outbound and inbound using command line ftp from XP/server 2003 and the Windows version of FileZilla.
While i'm thinking about it, try this from a shell:
ps -xa | grep pftpx
You should see an instance for every interface you are running the helper on.
-
Thanks for this… Can I assume that FTP outbound from LAN was working before you put in the temporary FTP server?
-
Yeah, outbound was working before adding the NAT for the temporary ftp.
-
thank you sir! couple of questions/comments…
(1) based on the FTP Helper screenshots you have, it is the default settings from pfSense - "out of the box"
(2) virtual ip's (aka VIP) for this is CARP not Proxy ARP; I suppose this is the only way to get it to work? based on my previous posting I had to set up my VIP with Proxy ARP to get my 1:1 to go across for various services (HTTP, HTTPS, RDP, PPTP, SMTP, etc) with various servers - I have maybe 8 servers that require the same exact ports open and translated using 1:1 Proxy ARP per previous suggestion. I guess my question here is since I have static mappings going 1:1 in a range, should I remove my Proxy ARP and change to a RANGE as you have there using CARP, then manually taking care of the actual mappings of each port at the firewall rules level?
NOTE: with pfSense, I was told in previous post that if I wanted 1:1 to work and all my servers had same services, I had to use Proxy Arp with VIP - looks like you are saying I can use a range of say 216.x.x.x/28 with CARP instead, then follow up with individual firewall rules for each server and service?
(3) the magic I see here is perhaps having the port forwarding you have for port 21 (not a 1:1); how would this work if I had two or more FTP servers? Would I just port forward 21 using different source IP (part of VIP range) natted to proper internal ip?
(4) lastly, could you briefly expand on that ftp hack piece?
thank you again!