FTP Helper Question
-
I recently upgraded a pfSense box to 1.2.1 and shortly afterward started setting up an FTP server. This is a Dual-WAN setup.
To get things working for now, I've resorted to turning off the FTP helper on the WAN interfaces, setting up a port range for passive FTP connections, and hard-coding the external IP on the FTP server to one of the NATted external IPs. This works fine for now.
However, I would prefer to use the FTP helper, as this would save me from having to hard-code the external IP on the FTP server as well as let me load-balance FTP on both WAN interfaces.
So a couple questions:
1. Even after enabling the FTP helper on all three interfaces, I never saw the pftpx daemon run on the WAN interface, only the LAN and OPT1 interface as expected. Looking at the system_start_ftp_helpers function in /etc/inc/config.inc, it seems that it's broken as it never adds the wan interface to the iflist array. Is this by design?
2. I know that I can't use a Proxy-ARP IP; should a virtual IP of type "Other" work?
3. If I use a CARP virtual IP, what should I enter for the Virtual IP Password, VHID Group and Advertising Frequency? Should I just leave them at the default?
-
You cannot use the ftp-helper with multiWAN.
All services running on pfSense (like the ftp-helper) can only make use of the primary WAN.
-
I am talking about inbound FTP, not outbound FTP. I am already aware that outbound FTP will only go out on the primary WAN interface which is fine.
Or does this affect inbound FTP as well?
And either way, shouldn't I see a pftpx daemon running on the WAN interface if it is not disabled? Because I do not, and looking at the code, it is apparent that it can because of the way it is coded.
-
Got my questions answered by cmb (thanks again!) on the support mailing list. Here they are for the archives and anyone else searching the forums:
For the FTP helper to be started on the WAN interface, you need to have the FTP helper enabled for that interface, a NAT rule for server port 21 defined and, if not NATing the WAN IP, be using a CARP Virtual IP address (not ProxyARP or Other).
Anything can be entered for the CARP VIP password, group and frequency.
The FTP helper is started by code in /etc/inc/filter.inc.