FTP in pfSense 2.0
-
2.0 nanobsd - net5501 - this evening's build:
passive implicit SSL (FTPS) with port 990 and the passive ports fwd to my ftp server works great. however, I have not been able to get the standard ftp (port 21 and passive ports fwd to ftp server) to work. had no problems getting both types working with m0n0wall.
Roy…
-
Thanks for help folks.
Yes I know very little about FTP and am hop9ng to keep it that way!
I have always used passive. Not sure why. I'll try the active set up. Not sure what the difference is but I'll ask my buddy Google.
-
As to the difference – I pointed you to a great article that goes over the difference!
-
Running 2.0-BETA5 (i386)
built on Tue Jan 11 06:28:44 EST 2011I'm also seeing issues w/ access to an FTP server behind pfSense NAT (opt1).
Using PASV FTP, I can connect on port 21 and communicate, but the connection fails when the server sends "227 Entering Passive Mode (192,168,10,9,250,185)" back to the client. The client tries to connect on the given port, but it doesn't seem to make it.
Using Active mode, the connection works, but active mode FTP isn't an option for a lot of clients.
For testing purposes, I've allowed ALL traffic on my WAN interface and used 1:1 NAT to the internal server. There are no firewalls enabled on either the internal server or the FTP client.
[EDIT]
If I connect using FTP over SSL then the PASV connection works correctly. From here, it appears that the FTP helper is interfering, but when the connection is encrypted via SSL, the helper can't interfere and the connection works correctly. -
"(192,168,10,9,250,185)" back to the client."
The help can not be involved with that
Your telling the client connect to a private IP 192.168.10.9 on port 250*256+185 or port 64185
Thats a private IP, you would need to configure your ftp server to send the public IP not a private, this is what the ftp helper does, it will convert that IP for you so client on internet would see your public IP.
-
I should have posted the FTP server's response to the WAN client rather than the server's response to the LAN client.
It may be that I have miss-understood the role of the FTP helper. However, looking at packet captures on Opt1, WAN, and Client, I see that the firewall does translate the private IP address to the correct public IP address.
Attempting to connect to the FTP server located on OPT1 has the same result weather I am using a client on the LAN or a client on the WAN.
Telling the FTP server itself to return the public IP also makes no difference.
-
Hi
I have a same problem.
My ftp server is filezilla: (firewall,pfsense) wan->lan (SBS2000,Filezilla)
Port use 21 and passive mod. In connection progress stop Directory list
pfsense NAT port 20 and passiv port( 20000-20010)
If use port 30, work fine.
Or use SSL on pp0 port works good.–-----------
sorry my english :) -
There are still some known issues with the FTP proxy on 2.0 but it's being actively worked on over the last few days.
-
Try a snapshot later than this post or better of tomorrow it should be fixed.
-
nanobsd - Jan 17 21:39:59 - net5501
still no love :) same problem with passive ftp. did not test active. passive FTPS still works.
Roy…
-
nanobsd - Tue Jan 18 04:33:29 - net5501:
passive FTP seems to be working with this snapshot.
Thanks!
Roy…
-
Please be more specific which side of ftp works.
IE passive ftp as client behind nat works
active ftp client rdr to an internal server worksand such to make this easy for everybody.
-
nanobsd - Tue Jan 18 04:33:29 - net5501:
passive FTP client –-- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works!
passive FTPS client --- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works! (only tested implicit mode)
Did not test active FTP.
only tested with FileZilla Client.
Roy...
-
running 2.0-BETA5 (i386)
built on Tue Jan 18 03:34:33 EST 2011I've tested the following setup
FTP Server behind pfSense, natted on Opt1
FTP client external connecting to WAN, PASV
FTP client on LAN connecting to WAN, PASV
FTP client on LAN connecting to Opt1, PASVListing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained. When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that. Anybody else seeing this?
-
As a matter of clarification, do we need to set a rule to allow TCP traffic on the PASV port range, or is the FTP proxy supposed to dynamically create those rules at the same time that it's re-writing the ip address?
-
@PJ2:
Listing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained. When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that. Anybody else seeing this?
I did notice some initial problems after I connected that went away so I discounted them. However, I just re-tested and can confirm I'm seeing the same initial failure.
Roy…
-
just disable my passive port pass rule and was unable to connect via passive FTP so it looks like the rule is still required.
However, when I re-enabled the rule I got an error message back from pfsense and I couldn't get back into the GUI! Will try rebooting and see if that helps.
Edit: I was able to get back in after rebooting.
Roy…
-
Testing a client in passive mode with the 1 18 build. Functions until you try to re-initiate a prior connection then the whole machine goes down.
Each time a hard reboot is required and the file system gets corrupted. The file system gets fixed successfully during the boot sequence. I am not sure if the error has something to to do with the hard reboot or the fault but it is repeatable every time. I had putty log the output if anyone is interested in the gory details.
I already had a rule for passive FTP in place so nothing changed there.
Edit: Was running the SMP kernel. Did not see the same behavior with the developer kernel.
Nothing to do with it. Still crashes. -
Hi !
I confirm it works too…... But not all the time.
I have a dual-wan setup, and I can connect to my FTP server, passive mode, behind my pfsense, using latest snapshot, but only through one WAN, not through the other one.
Previously I had forced it manually to work having defined a passive range and unconditionnaly NAT + allow inbound rule. I disabled them all, and it now works through only one WAN.N.B.: the so-called WAN that works is not the WAN interface selected in the first setup, it's an additional VLAN, just the same as the one that doesn't work. I mention this because I remember that back in 1.2.x special rules were applied for WAN interface and nowhere else (e.g. spamd package). And to add one more bit of complexity, all these traffics are hitting CARP vIP (for redundancy, I have my 1.2.3 box ready in case 2.0 beta having attitude problems with me :)).
I can take snapshots or copy/paste parts of my config if needed for clarification.
Thank you a lot for your hard work (and sorry to give you some more) !
P.S. : don't know if it's related to the randomly repeated errors "kernel: arpresolve: can't allocate llinfo for x.x.x.x" ? I can't get rid of these permanently.
-
Testing for FTP client problems today with 2.0-BETA5 (i386) built on Sat Jan 29 23:42:13 EST 2011
Fresh update with smp kernel: locked up after a few connection attempts. repeated problem twice
Loaded dev kenel: cannot repeat behavior, connection still hangs sometimes on LIST
Reloaded smp kernel: same behavior as with dev kernel
Rebooted: works great. no connection hangs.
Ideas?