Netgate Discussion Forum

    Passive FTP to server behind NAT fails

    2.0-RC Snapshot Feedback and Problems - RETIRED
    • N
      nocer

      hello,

      same here on the latest. as far as tested with 3 dozen public/private ftp hosts, every single attempt for the very first PASV connection will be blocked by the ftp "HELPER" built into the kernel in 2.0 which can't be disabled unfortunately. so whenever you get stuck while getting directory list, disconnect and reconnect again then everything starts working flawlessly 'cos you now have a session out to the server. i must say ftp helper "helps" blocking first PASV attempt while creating outgoing session. also, even PORT(active) doesn't work quite sometimes. same workaround, try disconnect/connect, port/pasv several times. very annoying. this happens once in a while since ftp-helper has been built into the kernel.

      • F
        Frankk

        @ermal:

        Update to latest snapshot.

        I don't have anymore FTP problems with this snapshot.
        I'm replying because I see a lot of people having problems with FTP.
        I had the same problems as others (passive mode only working at the second attempt) with a snapshot of around 20 september.

        Good work,
        Thank you Ermal

        • M
          mastermindpro

          Huh???  I'm running the Sep. 28th snap, and I've NEVER gotten a passive FTP session to work when the FTP server is behind pfSense's NAT.  Are you talking about having the FTP client behind pfSense?

          • F
            Frankk

            @mastermindpro:

            Huh???  I'm running the Sep. 28th snap, and I've NEVER gotten a passive FTP session to work when the FTP server is behind pfSense's NAT.  Are you talking about having the FTP client behind pfSense?

            Yes, sorry for misunderstanding.
            I was having problems with a client behind & natted by pfsense connecting to a passive ftp on the internet. Not tested with ftp server behind pfsense.

            • M
              mxx

              Hi,

              is the issue not being able to connect to an ftp server (pasv mode) from inside the local lan ->pfsense-> wan resolved now?

              Thanks!

              • M
                mastermindpro

                That's never been the problem discussed here.  The problem has always been an FTP server behind a pfSense NAT, with a client on the pfSense WAN trying to connect to the FTP server passively.

                • S
                  soconfused

                  I also am trying to get a client working behind pfSense. Same problem as the rest of you here, dies on first passive connection. Using Thu Jan 13 build. Has anyone managed to get this to work?

                  • R
                    rpsmith

                    no fix yet that I know of but you can follow any progress here:

                    http://redmine.pfsense.org/issues/1177

                    Roy…

                    • S
                      soconfused

                      We all know that the FTP protocol sucks, that there are better alternatives and et cetera, but it is one of those features that simply has to work. No matter what you might think about FTP, forcing every user over to something else or applying a special configuration to every machine does not work toward simplifying one's life.

                      What kind of bounty would it take to make a solid fix for the ftp helper a priority? I am not loaded but am feeling the need to at least put some money in someone's pocket for all the team has already given us.

                      • R
                        rpsmith

                        the answer for me was to switch all my FTP users over to FTPS (implicit only).  Both filezilla server and client support this and it's easy to set up and very secure.  no plans here to go back to standard FTP even after they work out the bugs.

                        Roy…

                        • S
                          soconfused

                          I have no doubt that setting up an FTPS client is the better way. I intend to do this with all my own machines. However, I loathe the day when two of my "top clients", my mother-in-law and/or my wife, bombard me with half a dozen phone calls at work with, "That thing you did is keeping my computer from working." The former thinks gmail is actually installed on her machine while the latter, let's just say the normal user/administrator relationship does not even remotely apply. In terms of value this is something which I'll pay good money just to avoid.

                          • S
                            stenio

                            @dragon2611:

                            @David24:

                            But i did have to disable FTP helper to get passive working flawless.

                            Can you tell me how you did that?

                            I can't seem to find the setting in 2.0 perhaps I'm looking in the wrong places  ???

                            Hi,

                            I have the same problem with 2.0-BETA5 (i386)
                            built on Fri Feb 18 08:01:30 EST 2011. It seems that the ftp helper is changing the ftp server address from the external IP to the address of the WAN interface.

                            This is my situation:

                            85.x.y.z              192.168.1.254 192.168.1.2        192.168.0.254 192.168.0.1
                            ---------[Router ADSL]-------------------------[PFSENSE]-------------------------
                                                                    WAN if          LAN if

                            I'm using vsftpd and it is configured to provide 85.x.y.z when asked to switch to PASSIVE mode.
                            But the clients on the Internet are provided with 192.168.1.2.

                            If I put the FTP server on the 192.168.1.0 LAN the correct external ip address is seen by the clients without any change to the configuration of vsftpd.

                            Have you found a solution to disable the helper?

                            1 Reply Last reply Reply Quote 0
                            • R
                              rpsmith

                              System | Advanced | System Tunables | debug.pfftpproxy | (set value to 1 to disable)

                              You will need to add this Tunable if it does not already exist.

                              Roy…

                              • S
                                stenio

                                @rpsmith:

                                System | Advanced | System Tunables | debug.pfftpproxy | (set value to 1 to disable)

                                You will need to add this Tunable if it does not already exist.

                                Roy…

                                Many many thanks!!! Now it works perfectly!  :) :) :)

                                Best regards,
                                Stenio

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.