FTP - client IP instead of pfSense IP?
-
Thank you for the post, GruensFroeschli. I completely understand how these forums work. I have been involved on both sides for over 12 years now.
What bothers me is that people would rather be rude than just ignore the "stupid newbies".
If you look at some of the other posts I've made to this forum, you'll see that I've "given back" wherever I've found a solution so that others would benefit.
The assumption that I didn't even try to search before blindly begging for help is the problem here. The fact is that I searched ad nauseam for a solution, but wasn't able to see anything that was a match. I inquired about the problem to the general user base to see if someone had a suggestion or helpful nudge in the right direction. Not once did I beg an administrator or developer of the app for help, nor did I once criticize the product!
Anyway….this topic has already gone way off and will never be resolved anyway because there will always be the l33t "hackers" who are socially inept and don't know how to interact with other human beings, and there will be the "user" who will never be as knowledgeable as the hackers from whom they are requesting help.
I'll continue searching for the answer that is apparently readily available and not bother asking for assistance in the future.
-
The problem is that we employ an ftp helper to help during the process.
Guessing you are using a NAT port forward on port 21 and that invokes the ftp helper behind the scenes. So incoming FTP from the internet connects to the ftp proxy listening on port 21 of the firewall on the WAN IP. That then makes the connection back to the FTP server behind the firewall. Since the connection is coming from the firewall itself, that is why you see the firewall's IP address as opposed to the client's.
The correct way to resolve this is to employ a 1:1 nat to the ftp server in question and if the ftp server software supports it you might need to turn on PASV nat rewriting. I know vsftp supports this but I am not privy to the details at the moment.
And finally I take offense to the l33t hackers statement. I already spend over 50+ hours a week on this project and hold a full time job. I have a feeling most of the "l33t hackers" are in this same predicament.
If you need quality answers and are not satisfied with the status quo around here then you need to look into commercial support.
But do me a favor and stop targeting folks that spend all of their free time helping this project. It's not productive and just makes folks want to stop helping that much more….
-
I'll continue searching for the answer that is apparently readily available and not bother asking for assistance in the future.
Did my post above about how I solve most of my ftp-problems not work?
I know for a fact that the ftpserver built into the Synology-NAS's, the G6 ftpserver and the FileZilla ftpserver work with this solution. So I assume it should work for most other servers as well.
-
And finally I take offense to the l33t hackers statement. I already spend over 50+ hours a week on this project and hold a full time job. I have a feeling most of the "l33t hackers" are in this same predicament.
If you need quality answers and are not satisfied with the status quo around here then you need to look into commercial support.
But do me a favor and stop targeting folks that spend all of their free time helping this project. It's not productive and just makes folks want to stop helping that much more….
I apologize. It was a generalization that obviously doesn't apply to all. I was frustrated that the first response to a request was met with rudeness and I know that I shouldn't respond right away when upset. I really do appreciate all of the hard work that goes into this product. It is the best open source firewall I've ever found and I'm thoroughly impressed with the functionality.
I am actually quite experienced in networking and understand how FTP works and why it is such an issue to setup through NAT, etc. I DID search quite a bit for an answer, but perhaps I was not searching for the correct terms.
I have a perfectly working FTP server. Everything's setup just fine. What I was originally wondering was if there is any way, without locking my external IP to a single machine (ie. 1:1 NAT), to have the originating IP address flow through to the FTP server. I understand that this isn't something that is possible using pfSense and port forwarding and the ftphelper, but I thought there may be a feature that I wasn't aware of that would provide this functionality in conjunction with port forwarding.
As it stands, my FTP server works just fine, and I can live with the fact that I don't see the actual IP connecting to the FTP server.
Thank you all for your comments.
-
Hmmm. I have a filezilla here and it works without 1:1 NAT.
After disabling the ftp-helper i used just normal portforwards.
I assumed every client uses a maximum of 4 connections at a time.
And I expect a maximum of 10 users so I set the passive portrange to 23456 to 23496 –> 40 ports.
-
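As an added example (not code from this thread or from pfSense), a small Python check for the setup described in the post above: with the ftp helper off and plain port forwards, the server's own PASV/EPSV reply must advertise the public address and a port inside the forwarded range 23456 to 23496. The public address 203.0.113.10 and the reply lines are constructed placeholders.

```python
import re

# Passive port range forwarded on the firewall (from the thread: 10 users x 4 connections).
PASV_MIN, PASV_MAX = 23456, 23496
# Constructed placeholder for the firewall's WAN address; not from the thread.
EXPECTED_PUBLIC_IP = "203.0.113.10"

# 227 reply: "Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> ip h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (EPSV): "Entering Extended Passive Mode (|||port|)" carries no address
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (ip_or_None, port) parsed from a 227 PASV or 229 EPSV reply line."""
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {line!r}")


def check_passive_reply(line, expected_ip=EXPECTED_PUBLIC_IP, lo=PASV_MIN, hi=PASV_MAX):
    """Return a list of problems; an empty list means the data channel will
    reach the server through the forwarded range without the ftp helper."""
    ip, port = parse_passive_reply(line)
    problems = []
    if not lo <= port <= hi:
        problems.append(f"port {port} outside forwarded range {lo}-{hi}")
    if ip is not None and ip != expected_ip:
        # A private address here means the server is not rewriting PASV for NAT.
        problems.append(f"advertised {ip}, expected public address {expected_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample replies as a client behind the firewall would see them.
    for reply in (
        "227 Entering Passive Mode (203,0,113,10,91,160).",
        "227 Entering Passive Mode (192,168,1,20,91,200).",
        "227 Entering Passive Mode (203,0,113,10,195,80).",
        "229 Entering Extended Passive Mode (|||23460|)",
    ):
        print(reply, "->", check_passive_reply(reply) or "OK")
```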
GruensFroeschli: I had ftphelper on the WAN interface turned on so that I could connect from inside my network out to the WAN and back in to test the ftp port forwards. I did shut off the ftphelper on all interfaces and, although I can't connect by using my external ftp DNS, I can see the outside users' IP addresses when they connect to FTP.
I mistakenly assumed that because I couldn't access my FTP server using the external DNS name that no external users could either, which is why I kept the ftphelper on in the first place.
So, it IS working as I thought after all. My test methods were just flawed… :(
Is there a way to test external FTP access from within the network where the FTP server is hosted?
Thanks.
-
You can enable NAT reflection.
Under "advanced" uncheck the box: "Disable NAT Reflection". Now all connections from within your LAN to a portforward to your LAN will be reflected.
But I would use this only for a test. If you connect to the server via a name it would be better to set up split DNS.
This thread http://forum.pfsense.org/index.php/topic,9440.0.html might help how to achieve that with pfSense without having your own DNS server.
-
Hmm….I do already use NAT reflection and it's still not working. Not a big deal. I'm just happy that I've got outside IPs showing up now that I've set the PASV ports manually and shut off the ftphelper.
Thanks for the help.
-
Use a remote shell? Given your self-proclaimed extensive experience in all things networking, one would assume that you can come up with an appropriate set of test scenarios to troubleshoot this problem.
-
@submicron:
Use a remote shell? Given your self-proclaimed extensive experience in all things networking, one would assume that you can come up with an appropriate set of test scenarios to troubleshoot this problem.
Never said I couldn't… l33t