FTP in pfSense 2.0
-
That's currently a known issue. It hangs the box with everything except a dev kernel.
Some more patches went in to try to fix it before the builds from Saturday, but it still hangs for me.
-
The problem is still persist with the latest build 2011.02.01. I have a single WAN connection but i use many virtual IF alias. I have multiple ftp server behind NAT, forwarded the default tcp port: 21 and a passive port range (from different IF alias). If i try to passive FTP from masqued client machine to outside the pfsense box instant freeze. Nothing help but cold reset. This is a serious problem, i need to revert the whole system to 1.2.3 because of this issue (reinstall a fresh 1.2.3 and restore the configuration).
-
Ermal told me yesterday he has a lead on another possible fix but he needs to test it more before he commits it.
Yesterday I was unable to make my VM hang, when I could do it repeatedly on Friday, but I was working with FTP as a client, not a server. (Though I still saw FTP failures where the LIST command would hang the connection, it just didn't hang the OS)
-
if i delete all the NAT rules what is forward port 21 to internal FTP server then the box not freeze. i think the problem is complicated. internal FTP server behind a NAT with forwarded port 21 and FTP connect to anywhere else the standard tcp port 21(!) at the same time cause an instant freeze. if i connect to an ftp server what is not used the default tcp 21 port works like a charm. so i think the problem is the ftp helper kernel module. somehow the nat rule to the internal ftp server and the nat from internal to outside not compatible each other when both use the default tcp 21 port. the only explanations is the kernel module, and this issue freeze the kernel.
best option remove that module from the kernel or give an option on the gui to enable/disable ftp helper modul while the problem is permanently fixed. i dont use this module anyway :)
here is my enviroment:
WAN Address: 193.6.xxx.4
IF Alias: 193.6.xxx.13 NAT -> 192.168.9.13 port 21, port 13001-14000 (for passive range)
IF Alias: 193.6.xxx.14 NAT -> 192.168.9.14 port 21, port 14001-15000 (for passive range)
IF Alias: 193.6.xxx.15 NAT -> 192.168.9.15 port 21, port 15001-16000 (for passive range)My client PC: 192.168.9.249
The pfsense: 192.168.9.1
I try to FTP connection from my client PC to 212.92.xxx.12 port 21 (different ISP) with passive mode the pfsense freeze.
But if i try to connect to another ftp server what is used port 2121 it works.If i delete all three NAT rules what i describe above, the first scenario works too, so the problem is only the port 21.
my home configuration: alix board with embedded pfsense, letest 2.0 beta5 build
i use port forward for ftp, but only one nat rule exist and i use single WAN address without if alias. the passive mode ftp failed, hangs on only the listing, but only if i use total commander as client. in the flashfxp passive mode use PASV and it works. so the native passive mode failed only. but not hangs the router.the box freeze only when multiple if alias exist, multiple nat to multiple internal ftp server on the same interface and client connect from internal to external ftp at the same time use the default ftp port. i think it is definetly connected to ftp proxy kernel modul.
i try to use carp instead of if alias, but the box freeze again, so this is irrevelant.
sorry for my bad english, i wish i can help you to solve this issue :)
-
It should be fixed on snapshots of tomorrow.
-
@ermal:
It should be fixed on snapshots of tomorrow.
thank you! that was fast :)
-
can i try to update a new snapshot? it is possible to fix this issue?
-
All should be fixed on snapshots from today on.
-
i will try, and i post the results to here.
update: it is working! thanks again!
-
Just got around to testing this, but I wanted to also confirm that FTP / pfSense appears to be working.
I tested external server & internal client, external client & internal server, internal client & internal server.
EDIT: running 2.0-BETA5 (i386) built on Wed Feb 9 00:54:34 EST 2011
-
Hi,
With Pfsense 2.0 RC1 [built on Mon Mar 7 12:03:17 EST 2011 ]
FTP with Passif mode work like charm (with pfftpproxy)..
But, on active mode, if client have "low" port for connect to ftp (< 3000 ?) all work like charm.
if client have high port (> 50.000) ftp client not show directory
(Freeze a LIST command)I use propriotary software how working ONLY with Active mode :(
-
Hi,
I am going crazy, but i understand why ftp work for someone and not for other.
1 client with 2 machines (On otherWAN)
1 - windows 2k3
1 - Windows 2k8
Client use ftp.exe
–-->Dlink xDSL router ----> Internet ------My Pfsense -----> Lan FTPServerWindows2003 on active mode work
Windows2008 on active mode connection ok but at LS command "freeze" and after waiting 2 min "timeout"Note : no Firewall on windows2008, no special rules ont DLINK.
On windows2003 ftp client trying to talk on port 2085
On windows2008 ftp client trying to talk on port 50058No special rules on pfsense (Only forward port 21 to FTPLAN)
Note : If i NOT use pfsense but shorewall/iptables/ ip_conntrack_ftp on linux
(win2K3 AND win2K8 machines is working !)Maybe pfftpproxy bug or windows 2k8 R2 specific TCP pile ?
Help me
-
Just provide a pfctl -vss of this when it happens.
-
IP_PublicWindowsClient –> Internet IP from client (Windows2k3 and Windows 2k8)
IPFTPLAN ---> Ip local (192.168.x.x where my ftp server)
IP_PublicFTP --> My Public IP
Note : bge0 Is LANWith Windows2K3 (Working)
all tcp IPFTPLAN :21 <- IP_PublicFTP:21 <- IP_PublicWindowsClient:2246 ESTABLISHED:ESTABLISHED
all tcp IP_PublicWindowsClient:2246 -> IPFTPLAN :21 ESTABLISHED:ESTABLISHED
bge0 tcp IP_PublicWindowsClient:2250 <- IPFTPLAN :20 FIN_WAIT_2:FIN_WAIT_2
all tcp IPFTPLAN :20 -> IP_PublicFTP:48730 -> IP_PublicWindowsClient:2250 FIN_WAIT_2:FIN_WAIT_2
With Windows2k8 not work
pfctl -vss | grep IP_PublicWindowsClient
all tcp IPFTPLAN :21 <- PublicFTP :21 <- PublicWindowsClient:49756 ESTABLISHED:ESTABLISHED
all tcp PublicWindowsClient :49756 -> IPFTPLAN :21 ESTABLISHED:ESTABLISHED
all tcp IPFTPLAN :20 -> PublicFTP:33868 -> PublicWindowsClient :49757 SYN_SENT:CLOSEDThank for your help
Edit : No idea ermal ?
-
Test with 2.0RC1 15 Mar.
Same Problem.
-
Can you provide me traffic captures when this happens!
It seems strange that the same protocol does not work for different versions of Windows? -
Hi,
For serucity reason and for best debug i send you XXXX.cap and log in private message.
the of course, the answer should be put here.
Best regards,
-
i am the only one with ftp problem?
-
Hi guys, don't know if it can help in your specifics scenarios, but as I fighted in the past for having a ftp server working well behind a pfsense box, here is what I had learned …
As an old protocol, ftp was not well designed to be NATed, if you use active mode, with port forward for port 21(connection) and port 20 (data), it works, not very fast but it works. The thing is that most ftp clients are pre-configured to use passive mode. And the problem we have is that passive mode use random ports to transmit data. So it's logic it freezes as port xxxx and not 20 or 21 is dropped by the box. In a ftp client GUI like in Filezilla, it will do some errors and retry transfer and browsing of files will be very slow or do not work.
To fix this, I remembered I used filezilla ftp server (free as the client) which allow you to set the port range used for passive connections, and this is very cool because then we just have to NAT this portrange (choose of a port range >1024 is better to respect conventions) in pfsense. This way it worked like a charm !If you have contraints like you cannot set, on server side, the passive portsrange the server will use and that you cannot choose/change the ftp server solution then you'll have to use a dedicated public ip and do 1:1 nat.
-
