Netgate Discussion Forum

    Ftpsesame not starting on WAN interface.

      roosterdude

      Hi All,

      I'm not sure if this needs to be in Carp, NAT or General forum, sorry.

      We're having problems with the ftp-helper on the WAN port of a HA Carp Failover pair of firewalls.

      I've attached a diagram of the setup we're using.

      Both Firewalls are: 1.2-RELEASE

      Basically the problem is that we can enable the ftp-helper on all interfaces apart from the WAN interface.

      What we need to see running is ftpsesame on the WAN interface but regardless of the ftp-helper setting
      we just can't get it to run.

      We see the following only…
      $ ps -ax | grep ftp
      15803  ??  Ss     0:38.45 /usr/local/sbin/pftpx -c 8023 -g 8021 193.x.x.2
      90643  ??  S      0:00.00 sh -c ps -ax | grep ftp
      90645  ??  R      0:00.00 grep ftp
      ...This is with ftp helper enabled on WAN and SECURE/193.x.x.2 (which is a renamed OPT port)

      We have however been able to get ftp sesame running manually by running the command....

      /usr/local/sbin/ftpsesame -i em1

      ...and this indeed resolves the issue and enables ftp users outside of the network to connect to
      ftp servers inside on the "SECURE" LAN.

      We're using CARP as a failover VIP solution and we've got advanced outbound Manual NAT rule setup as follows...

      Interface:WAN
      Source:193.x.x.0/23
      Source Port:*
      Destination:*
      Destination Port:*
      NAT Address:82.x.x.20
      NAT Port:*
      Static Port:NO
      Description:Use WAN-CARP For SECURE

      I'd love to know why ftpsesame won't start automatically on the WAN port regardless of the setting of
      ftp-helper on the WAN interface config page.  Could it be the way we've got the above NAT configured?

      I'm wondering if a more permanent solution could be to start ftpsesame more permanently on the WAN port by using...

      <afterfilterchangeshellcmd>/usr/local/sbin/ftpsesame -i em0</afterfilterchangeshellcmd>

      ...in the config file.  I've tried this on another HA fw pair and it seemed to do the trick
      (as in ftpsesame was showing up in a ps -ax | grep ftp command).

      To Clarify... we're using Carp and not proxy-arp IPs.

      Also.. we're using publicly routable IPs in the WAN and SECURE interfaces.

      Everything else works as expected on the firewalls :-)

      Thank you in advance.
      HA-Firewall-Pair.gif

        cmb

        Sounds like this might be a bug, though I don't have time to look into it immediately.  Opened a "needstest" ticket to check into when time permits.

          sullrich

          ftpsesame is normally not used for this in pfSense.  pftpx normally is.

          Can you please follow these hints and see if any of these resolve your issue: http://devwiki.pfsense.org/FTPTroubleShooting

            cmb

            OP has a routed public IP subnet, pftpx is only used in the case of NAT, no?

              roosterdude

              To add to this… yes it is definitely a public IP subnet (PI space issued by RIPE).

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.