FTP Server behind PFSense *Guide / Explination*
-
Hello all, let me say first and formost "thank you" to the entire PFsense Team for putting together such a great product. I have been a fan since we started using the PFsense product last year. We are a local ISP with approximately 2,000 users behind several PFsense boxes. I ran into a serious problem when I tried publishing a FTP server that physically is on our local LAN through the PFsense box and ended up spending a good 20 hours of research and lab experimentation to resolve it. So since so many here on these forums have helped me in the past I thought I would elaborate on my findings to assist others.
As of right now I have four different PFsense boxes forwarding four different FTP servers all without error. IT WORKS PERFECTLY. All i needed was some more understanding of how FTP actually works to figure this out so here it goes. I apologize if I am dumbing things down too much however I want to make sure this post is understandable even to the basic of IT admins. Plus even the most seasoned of us can use the down and dirty when we are pressed for time.
How FTP works from a NAT device (PFsense) perspective.
- Lets assume for a moment that the FTP server is attached directly to a public IP address just to make this explanation a bit easier. With that in mind the end user initiates the FTP session to the public IP. A capture of the public interface will show an incoming connection on port 21 to the FTP server. This is the straight forward authentication to the FTP server. Once the user is connected and authenticated a typical FTP server with passive mode enabled (it is on most) will then reply with a random port number chosen by the FTP server (the range of these ports can be configured through your FTP application, the range of passive ports will be an option within the FTP server itself and MOST ftp server applications will allow you to modify the range it uses) in addition to the random port number the server will also reply with its IP address for the subsequent passive connection to be initiated on the client end. (I will elaborate)… basically the server reply's from the port 21 connection with a NEW connection that is to be made on a random port chosen from the FTP servers configuration, in addition it also sends the IP address to make this NEW connection on from the client end. Think of it as the port 21 session being the "triage" or waiting in line to take a number, once you authenticate the server then gives you the number and line the FTP session will now stand in. This allows multiple sessions to one FTP server. Without this FTP would only be able to handle one command at a time. This process is what enables an FTP server to handle multiple connections on one IP address. . Now if this FTP sever is on a public IP address this is no problem since the IP given in the passive connection is local to that server. Now here is where it gets complicated. What if your FTP server is running behind a firewall? Well there are several things to consider. First the very large range of passive ports that will need to be allowed in along with how to get the server to reply with the passive connection information and include the public IP address! Lets say we do this and setup the standard port forward of 21 to the FTP server on the internal LAN. If we do this the server will come up with a log in externally since we are only using port 21 to authenticate. Once we do the folder list would display to the FTP client for example, when this listing of the folders on the FTP server occurs the client moves into passive mode and that command is sent and responded through that subsequent passive connection. If we dont have the passive port range published as well then all we will get at the client side is a login prompt then the client would pause completely and eventually time out since we don't have the passive ports published. Now lets say we publish the entire passive port range through to the internal IP of the FTP server. In this case you will STILL see exactly the same problem. Why is this? Well the FTP server is sending the internal IP address back to the client and naturally the internal IP address is unreachable! This is why you MUST change your FTP servers passive response IP address. Each FTP server may call it by a different name. In my case I use G6FTP server and the passive response IP field is listed under each IP binding on the server. I can literally specify the IP the FTP server will respond with. Now if we have this option all is well we simply forward the passive ports along with port 21 and specify the public IP in our passive response on the FTP server itself and we are in business. There are two problems with this, 1. what if our FTP server does not have the option to specify a passive IP response? and 2. From a security persepective opening such a port range can be degrading to the entire means of running a tight secure firewall in the first place. To answer both of these questions PFSense includes the FTP helper. This is a small FTP proxy that basically negotiates the subsequent ports to be opened within passive mode and NATs the IP address so the server does not need to include the public IP in passive mode. This is where most of the problems come in. IF you use the Proxy helper there needs to be firewall rules allowing communication to the FIREWALL WAN. Pfsense will automatically add these rules for you when you create the forwarding rules within PFsense, however PFsense will only add the additional rules when the proxy helper is enabled. One of the largest problems it seems is if you do not have the helper enabled then you create the forward rules. Then enable the helper after reading and researching as i did. This appears the same int eh GUI to some extent however the PFsense script that created the fort forward for port 21 did not include the rules necessary to allow the helper to function since it was not enabled at the time the forwarding rule was created. This is critical that you delete and re-create the rules after the helper is enabled on your WAN interface. There is also a few more glitches. Now since you are using a service ON THE PFSENSE BOX you must use a CARP IP adress and not a ARP address. Inherently the CARP address is treated as an address services can use on the pfsense box itself. ARP addresses cannot be used on the PFsense box itself. In addition I have also seen posts that indicate the proxy helper applicatoin is only working when the WAN address of the PFsense box is used, however I have not been able to confirm it. In my case I had to narrow down the passive ports and setup simple forwarding and disable the helper.
I hope all this helps...
In Summary.
To setup a FTP server BEHIND PFsense.
Option 1. Use the proxy helper application.
1. Enable Proxy helper (by unchecking) on the WAN interface.
2. Setup port forward rule using the FTP option to your FTP servers internal LAN IP.
3. Watch the logs within your FTP server, if you have this setup correctly you will see sessions from the ip address of your PFsense box, NOT THE IP ADDRESS OF THE FTP CLIENT. If you are seeing sessions from the FTP clients public IP then the proxy helper is not working or not setup correctly.Advantages
1. Simple setup
2. Does not require passive IP response on the FTP server.
3. More secure since only subsequent ports are allowed instead of the entire passive range.Disadvantages
1. A bit glitchy in the scripts that setup the rules within PFsense. I have seen the setup become currupt if you tinker too much with these settings back and forth and require a full reinstall and resetup of PFsense. (start from scratch, DO NOT use a backup config)
2. Logs on your FTP server will show connections from the PFsense box, so any blacklisting, throttling etc features will not work since the FTP server will see all public connections as the PFsense box when based on IP, any user based FTP server settings will all function.Option 2. Simple Port Forward to FTP Server.
1. Delete any FTP rules and ensure that you have the FTP helper disabled on the wan interface (Checked) Again if you have been enabling and disabling FTP etc through the PFsense GUI you may have a corrupt config. If you are not working try a fresh config!
2. Setup your FTP server to have a narrow range for passive ports. Keep enough based on usage and FTP server requirements but as low as you can go for security reasons, this may take some experimenting and tweaking. Exactly how to do this will vary based on the FTP server software.
3. Set your FTP servers passive IP response to respond with the PUBLIC IP address you will forward in PFSENSE. Again how to do this will vary based on FTP server and some do not have the capability.
4. Set up a virtual CARP IP address for the public IP on the Pfsense Box. (ARP may work however I have not tested)
5. Set up a forward rules to forward BOTH port 21 and the passive range you specified on the FTP server to your local LAN IP of the FTP server.With either of the above walkthrus I have setup multiple FTP servers on several PFsense installs all work perfectly. Took me forever to figure it all out so I thought I would share.
Hope this all helps.
Thanks everyone!
-
Hi,
What passive ports did you open just for your FTP Server? I've setup VSFTP server behind pfSense and created a 1:1 NAT and created a rule to forward port 20 and 21 respectively but some users are experiencing problems. I made several connectivity test to connect to the FTP server namely:
1. Firefox browser from WAN
2. DOS Prompt
3. Linux CLI
4. FilezillaI've issues with numbers one and two, I can login using a username and password but I can't list the contents, I received a 425 error using a browser and failed to established a connection using DOS Prompt which IIRC is the same. I can login and list the contents of my home directory using Filezilla in passive mode while I have varying results using Linux CLI, in some Linux boxes I can login and can list the contents of the directory but in others I always get this particular error message:
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication typeI was able to log in but can't list the contents and instead of displaying the FTP's public ip address it displays the LAN IP, I'm already stumped for days and I can't figure it out, also the FTP Virtual IP is using CARP instead of ProxyARP and FTP proxy helper is disabled on the WAN interface.
Suggestions would be greatly appreciated.
-
Thank you. This should go in the Wiki for reference.
-
What passive ports did you open just for your FTP Server? I've setup VSFTP server behind pfSense and created a 1:1 NAT and created a rule to forward port 20 and 21 respectively but some users are experiencing problems. I made several connectivity test to connect to the FTP server namely:
These manual NAT-forwards are ignored and do absolutely nothing.
You cannot have normal forwards on top of 1:1 NATIn this post: http://forum.pfsense.org/index.php/topic,7789.msg71183.html#msg71183
I put some numbers for the ports.
Usually i estimate how many connections per client and how many clients i will have.
imo 4 connections per client are more than enough.For future reference:
http://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense -
I've deleted all previous FTP configurations including NAT, Virtual IP and firewall rules, did a number of combo configuration before finally got it going. The following configuration did it for me:
1. Created Virtual IP based on CARP
2. Enabled FTP proxy helper on WAN interface
3. Created a 1:1 NAT (tried port forwarding, it works too)
4. Reconfigure /etc/vsftp/vsftpd.conf and enabled passive mode, defined the min and max ports and enabled port range (50000 and 51000)
5. Created a firewall ruleGruensFroeschli, sorry for the typo, too much thinking I guess ;D , what I meant was I've created a rule to allow port 20 and 21 to be access from outside (not port forwarded).
Cheers!