Netgate Discussion Forum

    FTP in pfSense 2.0

    2.0-RC Snapshot Feedback and Problems - RETIRED
    49 Posts 16 Posters 41.5k Views
    • J
      jethro

      Hi All,

      Wanted to participate in the game so I installed 2.0 and recreated the configuration, from scratch, that I used in 1.23.

      I am having problems using FTP to upload files to the servers that are behind the 2.0 firewall.

      I see the option to select interfaces to enable TFTP on but not getting what to do. No check box.

      I have forwarded ports 20 and 21 to my FTP server which is vsftp running on a FreeBSD 8.1 and confirmed that there was an exception added to the rules for it.

      FTP worked under 1.23 using the helper.

      What am I missing?

      • B
        brcisna

        jethro,

        It sounds as though you are saying this is from a public ip address that you can not upload files to your ftp server? Can you even see the ftp server's files in the remote pc's web browser? Can you telnet port 21 from the remote pc to the ftp server?
        I have not actually tried pfSense 2.0 myself, but trying to telnet is at least a starting point to see if you are getting at least one way communication to the ftp server from a remote pc.
        I had lots of troubles getting one ftp server to work correctly behind pfSense-1.2.3.  Sometimes this server will display ftp contents, sometimes it does not. Never have got it to work reliably? All other ftp servers (4) of them worked perfectly?
        By the way I am using vsftp on Centos 5 for what it's worth.

        Barry

        • J
          jethro

          Thanks for reply.

          Yes, I am trying to upload files to a server behind the firewall.

          I use FileZilla Client. It appears to connect but tanks after about 5 seconds and tells me it can't LIST.

          Nothing has changed except now on 2.0.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator

            From your comment about forwarding 20, I take it you're a bit lacking in how ftp works.

            I would really suggest you take a look at this article
            http://slacksite.com/other/ftp.html

            You will notice that you would never need to forward 20, in active that is the source port that server would make the connection from - so no forward, and in passive it's not even used.

            I just tested to a vsftpd 2.2.2 running on ubuntu box, and forward 21 "active" connections worked just fine.. Now passive would just not work at all.

            Which seems to be the case from this thread
            http://forum.pfsense.org/index.php/topic,28502.15.html

            Seems the ftp helper is built into 2 kernel, which clearly is doing something since I looked in the log and vsftpd was sending the private IP 192.168.1.6, but my client outside was seeing the public IP 24.x.x.x

            Seems there is no way to disable it in 2?  If you could then you could set your ftp server to use a smaller range of ports, and then forward those – which I tried btw, still no luck.. just could not get passive connection to work.. But active was not a problem at all -- I would suggest you have your clients just use active.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • R
              rpsmith

              2.0 nanobsd - net5501 - this evening's build:

              passive implicit SSL (FTPS) with port 990 and the passive ports fwd to my ftp server works great.  however, I have not been able to get the standard ftp (port 21 and passive ports fwd to ftp server) to work.   had no problems getting both types working with m0n0wall.

              Roy…

              • J
                jethro

                Thanks for help folks.

                Yes I know very little about FTP and am hoping to keep it that way!

                I have always used passive. Not sure why. I'll try the active set up. Not sure what the difference is but I'll ask my buddy Google.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator

                  As to the difference – I pointed you to a great article that goes over the difference!

                  • F
                    FisherKing

                    Running 2.0-BETA5 (i386)
                    built on Tue Jan 11 06:28:44 EST 2011

                    I'm also seeing issues w/ access to an FTP server behind pfSense NAT (opt1).

                    Using PASV FTP, I can connect on port 21 and communicate, but the connection fails when the server sends "227 Entering Passive Mode (192,168,10,9,250,185)" back to the client.  The client tries to connect on the given port, but it doesn't seem to make it.

                    Using Active mode, the connection works, but active mode FTP isn't an option for a lot of clients.

                    For testing purposes, I've allowed ALL traffic on my WAN interface and used 1:1 NAT to the internal server.  There are no firewalls enabled on either the internal server or the FTP client.

                    [EDIT]
                    If I connect using FTP over SSL then the PASV connection works correctly.  From here, it appears that the FTP helper is interfering, but when the connection is encrypted via SSL, the helper can't interfere and the connection works correctly.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator

                      "(192,168,10,9,250,185)" back to the client."

                      The helper cannot be involved with that

                      You're telling the client connect to a private IP 192.168.10.9 on port 250*256+185 or port 64185

                      That's a private IP, you would need to configure your ftp server to send the public IP not a private, this is what the ftp helper does, it will convert that IP for you so client on internet would see your public IP.


                      1 Reply Last reply Reply Quote 0
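The port arithmetic and address rewrite described in the post above, as an added example that is not part of the original thread and is not pfSense's own code. `helper_rewrite` and `seen_by_client` are hypothetical names for a simplified model of the helper, and `203.0.113.10` is a constructed placeholder for the WAN address.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, used below as a stand-in).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227[ -].*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply: (h1,h2,h3,h4,p1,p2)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]      # port = p1*256 + p2


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def helper_rewrite(reply, public_ip):
    """Model of the NAT helper: swap a private address for the public one.
    The port fields are left unchanged."""
    ip, port = parse_pasv(reply)
    if not is_rfc1918(ip):
        return reply.strip()                # already routable, nothing to do
    host = str(ipaddress.IPv4Address(public_ip)).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)" % (host, port // 256, port % 256)


def seen_by_client(reply, public_ip, control_encrypted):
    """What an internet client receives. On FTPS the control channel is
    encrypted, so the helper cannot read or rewrite the 227 line."""
    line = reply.strip() if control_encrypted else helper_rewrite(reply, public_ip)
    ip, port = parse_pasv(line)
    return str(ip), port, not is_rfc1918(ip)


if __name__ == "__main__":
    sample = "227 Entering Passive Mode (192,168,10,9,250,185)"   # from the thread
    wan = "203.0.113.10"                    # constructed placeholder WAN address
    print(seen_by_client(sample, wan, control_encrypted=False))
    print(seen_by_client(sample, wan, control_encrypted=True))
```

The third field of the result says whether the advertised address is routable from the internet; with an encrypted control channel it stays false unless the FTP server itself is configured to advertise the public address.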
                      • F
                        FisherKing

                        I should have posted the FTP server's response to the WAN client rather than the server's response to the LAN client.

                        It may be that I have misunderstood the role of the FTP helper.  However, looking at packet captures on Opt1, WAN, and Client, I see that the firewall does translate the private IP address to the correct public IP address.

                        Attempting to connect to the FTP server located on OPT1 has the same result whether I am using a client on the LAN or a client on the WAN.

                        Telling the FTP server itself to return the public IP also makes no difference.

                        • I
                          iminet

                          Hi

                          I have the same problem.
                          My ftp server is filezilla:         (firewall,pfsense) wan->lan (SBS2000,Filezilla)
                          Port use 21 and passive mode. In connection progress stop Directory list
                          pfsense NAT port 20 and passive port (20000-20010)
                          If use port 30, work fine.
                          Or use SSL on pp0 port works good.

                          ------------
                          sorry my english :)

                          • jimpJ
                            jimp Rebel Alliance Developer Netgate

                            There are still some known issues with the FTP proxy on 2.0 but it's being actively worked on over the last few days.

                            • E
                              eri--

                              Try a snapshot later than this post or better of tomorrow it should be fixed.

                              • R
                                rpsmith

                                nanobsd - Jan 17 21:39:59 - net5501

                                still no love  :)  same problem with passive ftp. did not test active.  passive FTPS still works.

                                Roy…

                                • R
                                  rpsmith

                                  nanobsd - Tue Jan 18 04:33:29 - net5501:

                                  passive FTP seems to be working with this snapshot.

                                  Thanks!

                                  Roy…

                                  • E
                                    eri--

                                    Please be more specific which side of ftp works.
                                    IE passive ftp as client behind nat works
                                    active ftp client rdr to an internal server works

                                    and such to make this easy for everybody.

                                    • R
                                      rpsmith

                                      nanobsd - Tue Jan 18 04:33:29 - net5501:

                                      passive FTP client --- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works!

                                      passive FTPS client --- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works!  (only tested implicit mode)

                                      Did not test active FTP.

                                      only tested with FileZilla Client.

                                      Roy...

                                      • F
                                        FisherKing

                                        running 2.0-BETA5 (i386)
                                        built on Tue Jan 18 03:34:33 EST 2011

                                        I've tested the following setup

                                        FTP Server behind pfSense, natted on Opt1
                                        FTP client external connecting to WAN, PASV
                                        FTP client on LAN connecting to WAN, PASV
                                        FTP client on LAN connecting to Opt1, PASV

                                        Listing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained.  When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that.  Anybody else seeing this?

                                        • F
                                          FisherKing

                                          As a matter of clarification, do we need to set a rule to allow TCP traffic on the PASV port range, or is the FTP proxy supposed to dynamically create those rules at the same time that it's re-writing the ip address?

                                          • R
                                            rpsmith

                                            @PJ2:

                                            Listing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained.  When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that.  Anybody else seeing this?

                                            I did notice some initial problems after I connected that went away so I discounted them. However, I just re-tested and can confirm I'm seeing the same initial failure.

                                            Roy…

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.