Netgate Discussion Forum

    Passive FTP to server behind NAT fails

    2.0-RC Snapshot Feedback and Problems - RETIRED

      Zeon

      Are you absolutely sure that the PASV ports took effect? I have had never-ending problems with IIS 6 using whatever PASV ports it feels like even though I have clearly stipulated what they should be. What I suggest you do is try to gain access from outside and monitor the firewall log in real time to see if indeed you are connecting on the wrong port. I'm 99% confident this is a problem with IIS rather than pfSense.

        mastermindpro

        I've already done both tests.  I connected from a system on the LAN and ran a netstat while transferring data.  The connection was on one of my pre-defined ports.

        I also was watching the dynamic firewall log on the firewall while I tried to connect from a machine outside the LAN.  No log entries were generated that applied to the source IP of the client system I was connecting from.  In fact, no log entries were generated at all during the ~5 minutes I was testing.

        I'm running the IIS 6 FTP service on a Win2k8 box, not the updated FTP 7.5.  I used the supplied admin script to specify the port range that the FTP server should use when a passive client connects.

          mastermindpro

          Bump.

            mastermindpro

            Bump.

              eri--

              Update to latest snapshot.

                mastermindpro

                I updated to the Sep. 28th snapshot just now and there is no change in behavior.  One possibly relevant bit of information…when I do a netstat on the client that is connecting to the FTP server from outside the firewall, I show two connections heading to port 21 even in passive mode.  That doesn't seem correct to me, as I would think the second session would be to one of the high ports that the FTP server is configured to (and correctly does) hand out to the connecting client.

                  mastermindpro

                  Bump.

                    danswartz

                    Repeatedly bumping your thread is unlikely to help.

                      mastermindpro

                      Nothing else has worked.  ::)

                      Just being the squeaky wheel hoping for some grease.

                        David24

                        May I suggest you try another ftpd to verify it isn't the ftpd?

                        Or at least bring some screenshots for us, of your port configuration. Maybe another point of view might help.

                        I've run 3 different Linux ftpds in the last 2 weeks, both passive and active mode worked.  Though none on Windows.
                        But I did have to disable FTP helper to get passive working flawlessly.

                          mastermindpro

                          Hmm…I don't have any other OS than Windows to try at this particular site.  I can certainly post my config, however.

                          I've looked around for a bit trying to find where I can disable the FTP helper, but have not found anything in the GUI.  I think it used to be in the interface config in 1.2X, but I don't see it.  Is it defined elsewhere in the GUI, or do I have to modify files?

                          ![NAT rules.GIF](/public/imported_attachments/1/NAT rules.GIF)

                            jlepthien

                            There are also other free FTP servers for Windows…

                            | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                              mastermindpro

                              That use AD for auth as I require?

                                jlepthien

                                Does it need to have? It is about checking whether FTP in general works…

                                | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                                  dragon2611

                                  @David24:

                                  But I did have to disable FTP helper to get passive working flawlessly.

                                  Can you tell me how you did that?

                                  I can't seem to find the setting in 2.0; perhaps I'm looking in the wrong places  ???

                                    mastermindpro

                                    Yeah, I'm simply not seeing the option to disable it anywhere.  I upgraded to the newer FTP 7.5 for IIS, and passive still doesn't work.  It would appear that the FTP helper is "helping" by telling all external clients to connect to port 21 instead of the defined port range that is mapped in via NAT and configured on the server to use.
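
One way to test the hypothesis in the post above, as an added example that is not part of the original thread: capture the server's reply to PASV (or EPSV) from a client outside the firewall and check the advertised address and port against what the NAT rules forward. The public address 203.0.113.10, the internal address, the range 50000-50100 and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: an address from these in a 227 reply is unreachable from outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")

def parse_passive_reply(line):
    """Return (ip or None, port) from a 227 (PASV) or 229 (EPSV) reply line."""
    m = PASV_RE.match(line)
    if m:
        n = [int(x) for x in m.groups()]
        if any(v > 255 for v in n):
            raise ValueError("field out of range: " + line)
        # h1,h2,h3,h4 form the address; the port is p1*256 + p2.
        return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))  # EPSV carries a port only
    raise ValueError("not a passive-mode reply: " + line)

def check_passive_reply(line, public_ip, port_min, port_max):
    """List the reasons a client outside the NAT could not use this reply."""
    ip, port = parse_passive_reply(line)
    problems = []
    if ip is not None and ip != public_ip:
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            problems.append(f"advertises private address {ip}")
        else:
            problems.append(f"advertises {ip}, expected {public_ip}")
    if not port_min <= port <= port_max:
        problems.append(f"port {port} outside forwarded range {port_min}-{port_max}")
    return problems

# Constructed sample replies, not captured from the systems in this thread.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,195,100)",  # public IP, port 50020
    "227 Entering Passive Mode (192,168,1,20,195,100)",  # internal IP leaked
    "227 Entering Passive Mode (203,0,113,10,0,21)",     # data port rewritten to 21
    "229 Entering Extended Passive Mode (|||50020|)",
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "->", check_passive_reply(reply, "203.0.113.10", 50000, 50100) or "ok")
```

Running the same check on a reply captured from a LAN client and one captured from outside shows whether the reply is being altered between the server and the external client.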

                                      dragon2611

                                      @mastermindpro:

                                      Yeah, I'm simply not seeing the option to disable it anywhere.  I upgraded to the newer FTP 7.5 for IIS, and passive still doesn't work.  It would appear that the FTP helper is "helping" by telling all external clients to connect to port 21 instead of the defined port range that is mapped in via NAT and configured on the server to use.

                                      I'm having the same issue on 2 different boxes.

                                      One is the firewall in front of a server (of which one of the server functions is FTP supplied by pure-ftpd running on CentOS).

                                      The other one is my firewall @ home.

                                      I have issues with a lot of FTP servers and it seems to be caused by this; reconnect and all is well. It's always occurring when you need to open a PASV connection to the FTP (such as doing a MLSD, LIST, PUT, GET, etc.).

                                      I seem to recall having issues on pfSense 1.3 but turned the FTP helper off and all was well; can't find that option on 2.0 anywhere though.

                                        nocer

                                        Hello,

                                        Same here on the latest. As far as tested with 3 dozen public/private FTP hosts, every single attempt for the very first PASV connection will be blocked by the FTP "HELPER" built into the kernel in 2.0, which can't be disabled unfortunately. So whenever you get stuck while getting a directory list, disconnect and reconnect again, then everything starts working flawlessly 'cos you now have a session out to the server. I must say the FTP helper "helps" blocking the first PASV attempt while creating the outgoing session. Also, even PORT (active) doesn't work quite sometimes. Same workaround: try disconnect/connect, PORT/PASV several times. Very annoying. This happens once in a while since ftp-helper has been built into the kernel.

                                          Frankk

                                          @ermal:

                                          Update to latest snapshot.

                                          I don't have any more FTP problems with this snapshot.
                                          I'm replying because I see a lot of people having problems with FTP.
                                          I had the same problems as others (passive mode only working at the second attempt) with a snapshot of around 20 September.

                                          Good work,
                                          Thank you Ermal

                                            mastermindpro

                                            Huh???  I'm running the Sep. 28th snap, and I've NEVER gotten a passive FTP session to work when the FTP server is behind pfSense's NAT.  Are you talking about having the FTP client behind pfSense?
