FTP - client IP instead of pfSense IP?
-
bump. search!
Wow! Thank you for that incredibly helpful remark! I NEVER would have imagined of trying to SEARCH for a solution before posting about it…
And thank you for being so helpful as to post a link to a search term that actually brings up the solution for the 2 people in this thread who are searching for help (and probably countless others who don't want to ask for help because of arrogant admins like you boosting their egos by making others feel inferior)...oh, that's right...you didn't! -
The arrogant admins that develop the software you're using.
Dont you think they might have better things to do than explain to the userbase how networking works?
You have to understand that questions regarding ftp are asked countless times each week.
After a while you get tired of always giving the same answer.
Also it's a sticky at the top of the page of this subforum.@http://forum.pfsense.org/index.php/topic:
My "personal solution" to ftp-problems:
@http://forum.pfsense.org/index.php/topic:1: Disable the ftp-helper on all interfaces.
2: Define a port-range on your ftp-server for the data-transfer.
3: forward port 21 and your data-transfer-range to your server. You can do that for multiple WANs. -
The arrogant admins that develop the software you're using.
Dont you think they might have better things to do than explain to the userbase how networking works?Then they should have better things to do than insult the very userbase that supports the software
You have to understand that questions regarding ftp are asked countless times each week.
After a while you get tired of always giving the same answer.That's no excuse for being rude and condescending. If you don't have anything helpful to say, don't say anything. It's not like I was begging for an answer every day. I asked once, 8 months ago.
-
Then they should have better things to do than insult the very userbase that supports the software
When you pay their bills, then perhaps you can be critical of their efforts. If, however, all you want to do is gripe about some problem that has been covered ad nauseum in the support list and forums, then your whining can go to /dev/null.
That's no excuse for being rude and condescending. If you don't have anything helpful to say, don't say anything. It's not like I was begging for an answer every day. I asked once, 8 months ago.
Rudeness and condescention are the norm for people who don't do the basic research. As was pointed out several times already, this problem has been asked about, and answered. Do a little looking before posting and maybe you won't be so maltreated.
-
Someone on the mailing list once sent a great page which you might find interresting:
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.htmlI especially like the introduction since it pretty accurately describes what just happend in this thread:
In the world of hackers, the kind of answers you get to your technical questions depends as much on the way you ask the questions as on the difficulty of developing the answer. This guide will teach you how to ask questions in a way more likely to get you a satisfactory answer.
Now that use of open source has become widespread, you can often get as good answers from other, more experienced users as from hackers. This is a Good Thing; users tend to be just a little bit more tolerant of the kind of failures newbies often have. Still, treating experienced users like hackers in the ways we recommend here will generally be the most effective way to get useful answers out of them, too.
The first thing to understand is that hackers actually like hard problems and good, thought-provoking questions about them. If we didn't, we wouldn't be here. If you give us an interesting question to chew on we'll be grateful to you; good questions are a stimulus and a gift. Good questions help us develop our understanding, and often reveal problems we might not have noticed or thought about otherwise. Among hackers, “Good question!” is a strong and sincere compliment.
Despite this, hackers have a reputation for meeting simple questions with what looks like hostility or arrogance. It sometimes looks like we're reflexively rude to newbies and the ignorant. But this isn't really true.
What we are, unapologetically, is hostile to people who seem to be unwilling to think or to do their own homework before asking questions. People like that are time sinks — they take without giving back, and they waste time we could have spent on another question more interesting and another person more worthy of an answer. We call people like this “losers” (and for historical reasons we sometimes spell it “lusers”).
We realize that there are many people who just want to use the software we write, and who have no interest in learning technical details. For most people, a computer is merely a tool, a means to an end; they have more important things to do and lives to live. We acknowledge that, and don't expect everyone to take an interest in the technical matters that fascinate us. Nevertheless, our style of answering questions is tuned for people who do take such an interest and are willing to be active participants in problem-solving. That's not going to change. Nor should it; if it did, we would become less effective at the things we do best.
We're (largely) volunteers. We take time out of busy lives to answer questions, and at times we're overwhelmed with them. So we filter ruthlessly. In particular, we throw away questions from people who appear to be losers in order to spend our question-answering time more efficiently, on winners.
If you find this attitude obnoxious, condescending, or arrogant, check your assumptions. We're not asking you to genuflect to us — in fact, most of us would love nothing more than to deal with you as an equal and welcome you into our culture, if you put in the effort required to make that possible. But it's simply not efficient for us to try to help people who are not willing to help themselves. It's OK to be ignorant; it's not OK to play stupid.
So, while it isn't necessary to already be technically competent to get attention from us, it is necessary to demonstrate the kind of attitude that leads to competence — alert, thoughtful, observant, willing to be an active partner in developing a solution. If you can't live with this sort of discrimination, we suggest you pay somebody for a commercial support contract instead of asking hackers to personally donate help to you.
If you decide to come to us for help, you don't want to be one of the losers. You don't want to seem like one, either. The best way to get a rapid and responsive answer is to ask it like a person with smarts, confidence, and clues who just happens to need help on one particular problem.
-
Thank you for the post, GruensFroeschli. I completely understand how these forums work. I have been involved on both sides for over 12 years now.
What bothers me is that people would rather be rude than just ignore the "stupid newbies".
If you look at some of the other posts I've made to this forum, you'll see that I've "given back" wherever I've found a solution so that others would benefit.
The assumption that I didn't even try to search before blindly begging for help is the problem here. The fact is that I searched ad nauseum for a solution, but wasn't able to see anything that was a match. I inquired about the problem to the general user base to see if someone had a suggestion or helpful nudge in the right direction. Not once did I beg an administrator or developer of the app for help, nor did I once criticize the product!
Anyway….this topic has already gone way off and will never be resolved anyway because there will always be the l33t "hackers" who are socially inept and don't know how to interact with other human beings, and there will be the "user" who will never be as knowledgeable as the hackers from whom they are requesting help.
I'll continue searching for the answer that is apparently readily available and not bother asking for assistance in the future.
-
The problem is that we employ a ftp helper to help during the process.
Guessing you are using a NAT port forward on port 21 and that invokes the ftp helper behind the scenes. So incoming FTP from the internet connects to the ftp proxy listening on port 21 of the firewall on the WAN IP. That then makes the connection back to the FTP server behind the firewall. Since the connection is coming from the firewall itself that is why you see the firewalls IP address as opposed to the client.
The correct way to resolve this is to employ a 1:1 nat to the ftp server in question and if the ftp server software supports it you might need to turn on PASV nat rewriting. I know vsftp supports this but I am not privy to the details at the moment.
And finally I take offense to the l33t hackers statement. I already spend over 50+ hours a week on this project and hold a full time job. I have a feeling most of the "l33t hackers" are in this same predicament.
If you need quality answers and are not satisfied with the status quo around here then you need to look into commercial support.
But do me a favor and stop targeting folks that spend all of their free time helping this project. It's not productive and just makes folks want to stop helping that much more….
-
I'll continue searching for the answer that is apparently readily available and not bother asking for assistance in the future.
Did my post above how i solve most of my ftp-problems not work?
I know for a fact that theftpserver built into the Synology-NAS's
G6 ftpserver
FileZilla ftpserverwork with this solution. So i assume it should work for most other servers as well.
-
And finally I take offense to the l33t hackers statement. I already spend over 50+ hours a week on this project and hold a full time job. I have a feeling most of the "l33t hackers" are in this same predicament.
If you need quality answers and are not satisfied with the status quo around here then you need to look into commercial support.
But do me a favor and stop targeting folks that spend all of their free time helping this project. It's not productive and just makes folks want to stop helping that much more….
I apologize. It was a generalization that obviously doesn't apply to all. I was frustrated that the first response to a request was met with rudeness and I know that I shouldn't respond right away when upset. I really do appreciate all of the hard work that goes into this product. It is the best open source firewall I've ever found and I'm thoroughly impressed with the functionality.
I am actually quite experienced in networking and understand how FTP works and why it is such an issue to setup through NAT, etc. I DID search quite a bit for an answer, but perhaps I was not searching for the correct terms.
I have a perfectly working FTP server. Everything's setup just fine. What I was originally wondering was if there is any way, without locking my external IP to a single machine (ie. 1:1 NAT), to have the originating IP address flow through to the FTP server. I understand that this isn't something that is possible using pfSense and port forwarding and the ftphelper, but I thought there may be a feature that I wasn't aware of that would provide this functionality in conjunction with port forwarding.
As is stands, my FTP server works just fine, and I can live with the fact that I don't see the actual IP connecting to the FTP server.
Thank you all for your comments.
-
Hmmm. I have a filezilla here and it works without 1:1 NAT.
After disabling the ftp-helper i used just normal portforwards.
I assumed every client uses a maximum of 4 connections at a time.
And i expect a maximum of 10 users so i set the passive portrange to 23456 to 23496 –> 40 ports. -
GruensFroeschli: I had ftphelper on the WAN inteface turned on so that I could connect from inside my network out to the WAN and back in to test the ftp port forwards. I did shut of the ftphelper on all interfaces and, although I can't connect by using my external ftp DNS, I can see the outside users' IP addresses when they connect to FTP.
I mistakenly assumed that because I couldn't access my FTP server using the external DNS name that no external users could either, which is why I kept the ftphelper on in the first place.
So, it IS working as I thought after all. My test methods were just flawed… :(
Is there a way to test external FTP access from within the network where the FTP server is hosted?
Thanks.
-
You can enable NAT reflection
Under "advanced" uncheck the box: "Disable NAT Reflection"Now all connections from within you LAN to a portforward to your LAN will be reflected.
But i would use this only for a test.If you connect to the server via a name it would be better to set up split DNS.
This thread http://forum.pfsense.org/index.php/topic,9440.0.html might help how to achieve that with pfSense without having your own DNS server. -
Hmm….I do already use NAT reflection and it's still not working. Not a big deal. I'm just happy that I've got outside IPs showing up now that I've set the PASV ports manually and shut off the ftphelper.
Thanks for the help.
-
Use a remote shell? Given your self-proclaimed extensive experience in all things networking, one would assume that you can come up with an appropriate set of test scenarios to troubleshoot this problem.
-
@submicron:
Use a remote shell? Given your self-proclaimed extensive experience in all things networking, one would assume that you can come up with an appropriate set of test scenarios to troubleshoot this problem.
Never said I couldn't… l33t
