    FTP in pfSense 2.0

    2.0-RC Snapshot Feedback and Problems - RETIRED
    49 Posts 16 Posters 41.5k Views

      jimp Rebel Alliance Developer Netgate

      There are still some known issues with the FTP proxy on 2.0 but it's being actively worked on over the last few days.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        eri--

        Try a snapshot later than this post, or better, tomorrow's; it should be fixed.

          rpsmith

          nanobsd - Jan 17 21:39:59 - net5501

          Still no love :) Same problem with passive FTP. Did not test active. Passive FTPS still works.

          Roy…

            rpsmith

            nanobsd - Tue Jan 18 04:33:29 - net5501:

            Passive FTP seems to be working with this snapshot.

            Thanks!

            Roy…

              eri--

              Please be more specific about which side of FTP works.
              I.e. passive FTP as client behind NAT works
              active FTP client rdr to an internal server works

              and such, to make this easy for everybody.

                rpsmith

                nanobsd - Tue Jan 18 04:33:29 - net5501:

                passive FTP client --- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works!

                passive FTPS client --- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works!  (only tested implicit mode)

                Did not test active FTP.

                Only tested with FileZilla Client.

                Roy...

                  FisherKing

                  running 2.0-BETA5 (i386)
                  built on Tue Jan 18 03:34:33 EST 2011

                  I've tested the following setup

                  FTP Server behind pfSense, natted on Opt1
                  FTP client external connecting to WAN, PASV
                  FTP client on LAN connecting to WAN, PASV
                  FTP client on LAN connecting to Opt1, PASV

                  Listing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained.  When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that.  Anybody else seeing this?

                    FisherKing

                    As a matter of clarification, do we need to set a rule to allow TCP traffic on the PASV port range, or is the FTP proxy supposed to dynamically create those rules at the same time that it's re-writing the ip address?

                      rpsmith

                      @PJ2:

                      Listing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained.  When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that.  Anybody else seeing this?

                      I did notice some initial problems after I connected that went away so I discounted them. However, I just re-tested and can confirm I'm seeing the same initial failure.

                      Roy…

                        rpsmith

                        Just disabled my passive port pass rule and was unable to connect via passive FTP, so it looks like the rule is still required.

                        However, when I re-enabled the rule I got an error message back from pfSense and I couldn't get back into the GUI!  Will try rebooting and see if that helps.

                        Edit: I was able to get back in after rebooting.

                        Roy…

                          soconfused

                          Testing a client in passive mode with the 1 18 build. Functions until you try to re-initiate a prior connection, then the whole machine goes down.

                          Each time a hard reboot is required and the file system gets corrupted. The file system gets fixed successfully during the boot sequence. I am not sure if the error has something to do with the hard reboot or the fault, but it is repeatable every time. I had PuTTY log the output if anyone is interested in the gory details.

                          I already had a rule for passive FTP in place so nothing changed there.

                          Edit: Was running the SMP kernel. Did not see the same behavior with the developer kernel.
                          Nothing to do with it. Still crashes.

                            bEsTiAn

                            Hi !

                            I confirm it works too... But not all the time.

                            I have a dual-WAN setup, and I can connect to my FTP server, passive mode, behind my pfSense, using the latest snapshot, but only through one WAN, not through the other one.
                            Previously I had forced it manually to work, having defined a passive range and unconditionally NAT + allow inbound rule. I disabled them all, and it now works through only one WAN.

                            N.B.: the so-called WAN that works is not the WAN interface selected in the first setup, it's an additional VLAN, just the same as the one that doesn't work. I mention this because I remember that back in 1.2.x special rules were applied for WAN interface and nowhere else (e.g. spamd package). And to add one more bit of complexity, all these traffics are hitting CARP vIP (for redundancy, I have my 1.2.3 box ready in case 2.0 beta having attitude problems with me :)).

                            I can take snapshots or copy/paste parts of my config if needed for clarification.

                            Thank you a lot for your hard work (and sorry to give you some more) !

                            P.S. : don't know if it's related to the randomly repeated errors "kernel: arpresolve: can't allocate llinfo for x.x.x.x" ? I can't get rid of these permanently.

                              soconfused

                              Testing for FTP client problems today with 2.0-BETA5 (i386) built on Sat Jan 29 23:42:13 EST 2011

                              Fresh update with SMP kernel: locked up after a few connection attempts. Repeated problem twice.
                              Loaded dev kernel: cannot repeat behavior, connection still hangs sometimes on LIST.
                              Reloaded SMP kernel: same behavior as with dev kernel.
                              Rebooted: works great. No connection hangs.
                              Ideas?

                                jimp Rebel Alliance Developer Netgate

                                That's currently a known issue. It hangs the box with everything except a dev kernel.

                                Some more patches went in to try to fix it before the builds from Saturday, but it still hangs for me.

                                  vadonka

                                  The problem still persists with the latest build 2011.02.01. I have a single WAN connection but I use many virtual IF aliases. I have multiple FTP servers behind NAT, with the default TCP port 21 and a passive port range forwarded (from different IF aliases). If I try passive FTP from a masqueraded client machine to the outside, the pfSense box instantly freezes. Nothing helps but a cold reset. This is a serious problem; I need to revert the whole system to 1.2.3 because of this issue (reinstall a fresh 1.2.3 and restore the configuration).

                                    jimp Rebel Alliance Developer Netgate

                                    Ermal told me yesterday he has a lead on another possible fix but he needs to test it more before he commits it.

                                    Yesterday I was unable to make my VM hang, when I could do it repeatedly on Friday, but I was working with FTP as a client, not a server. (Though I still saw FTP failures where the LIST command would hang the connection, it just didn't hang the OS)

                                      vadonka

                                      If I delete all the NAT rules that forward port 21 to the internal FTP servers, then the box does not freeze. I think the problem is complicated: an internal FTP server behind NAT with port 21 forwarded, and an FTP connection to anywhere else on the standard TCP port 21(!) at the same time, cause an instant freeze. If I connect to an FTP server that does not use the default TCP port 21, it works like a charm. So I think the problem is the FTP helper kernel module. Somehow the NAT rule to the internal FTP server and the NAT from internal to outside are not compatible with each other when both use the default TCP port 21. The only explanation is the kernel module, and this issue freezes the kernel.

                                      The best option is to remove that module from the kernel, or give an option in the GUI to enable/disable the FTP helper module until the problem is permanently fixed. I don't use this module anyway :)

                                      Here is my environment:

                                      WAN Address: 193.6.xxx.4
                                      IF Alias: 193.6.xxx.13 NAT -> 192.168.9.13 port 21, port 13001-14000 (for passive range)
                                      IF Alias: 193.6.xxx.14 NAT -> 192.168.9.14 port 21, port 14001-15000 (for passive range)            
                                      IF Alias: 193.6.xxx.15 NAT -> 192.168.9.15 port 21, port 15001-16000 (for passive range)

                                      My client PC: 192.168.9.249

                                      The pfsense: 192.168.9.1

                                      I try an FTP connection from my client PC to 212.92.xxx.12 port 21 (different ISP) in passive mode, and the pfSense box freezes.
                                      But if I try to connect to another FTP server that uses port 2121, it works.

                                      If I delete all three NAT rules that I described above, the first scenario works too, so the problem is only port 21.

                                      My home configuration: ALIX board with embedded pfSense, latest 2.0 BETA5 build.
                                      I use a port forward for FTP, but only one NAT rule exists and I use a single WAN address without IF aliases. Passive mode FTP fails, hanging only on the listing, but only if I use Total Commander as the client. In FlashFXP, passive mode uses PASV and it works. So only the native passive mode fails, but it does not hang the router.

                                      The box freezes only when multiple IF aliases exist, with multiple NATs to multiple internal FTP servers on the same interface, and a client connects from internal to an external FTP server at the same time using the default FTP port. I think it is definitely connected to the FTP proxy kernel module.

                                      I tried to use CARP instead of IF aliases, but the box froze again, so this is irrelevant.

                                      Sorry for my bad English, I wish I could help you solve this issue :)

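Whether a passive transfer gets through the forwards listed in the post above depends on the address and port the server puts in its 227 reply. As an added example (not from the thread or from pfSense), this Python check parses such a reply and tests it against that layout; the 203.0.113.x aliases, the sample replies and the function names are constructed.

```python
import ipaddress
import re

# Internal hosts and passive ranges are from the post above. The post elides
# its public aliases (193.6.xxx.N), so constructed RFC 5737 addresses stand in.
FORWARDS = {
    "203.0.113.13": ("192.168.9.13", 13001, 14000),
    "203.0.113.14": ("192.168.9.14", 14001, 15000),
    "203.0.113.15": ("192.168.9.15", 15001, 16000),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (address, port) from '227 ... (h1,h2,h3,h4,p1,p2)' (RFC 959)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range 0-255")
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def check_reply(reply, alias):
    """Problems an outside client would hit after connecting to alias:21."""
    if alias not in FORWARDS:
        return [f"no port forward defined for {alias}"]
    internal, lo, hi = FORWARDS[alias]
    addr, port = parse_pasv(reply)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"advertises private address {addr} (server {internal}), "
                        f"must be rewritten to {alias}")
    elif str(addr) != alias:
        problems.append(f"advertises {addr}, not the alias {alias}")
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside forwarded range {lo}-{hi}")
    return problems

# Constructed sample replies, as an outside client would see them.
for alias, reply in [
    ("203.0.113.13", "227 Entering Passive Mode (192,168,9,13,50,201)"),
    ("203.0.113.13", "227 Entering Passive Mode (203,0,113,13,54,176)"),
    ("203.0.113.14", "227 Entering Passive Mode (203,0,113,14,54,176)"),
]:
    print(alias, reply, "->", check_reply(reply, alias) or "ok")
```
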

                                        eri--

                                        It should be fixed on snapshots of tomorrow.

                                          vadonka

                                          @ermal:

                                          It should be fixed on snapshots of tomorrow.

                                          Thank you! That was fast :)

                                            vadonka

                                            Can I try updating to a new snapshot? Is it possible to fix this issue?
