FTP in pfSense 2.0

FisherKing

Just got around to testing this, but I wanted to also confirm that FTP / pfSense appears to be working.

I tested external server & internal client, external client & internal server, internal client & internal server.

EDIT: running 2.0-BETA5 (i386) built on Wed Feb 9 00:54:34 EST 2011

phb.fr

Hi,

With Pfsense 2.0 RC1 [built on Mon Mar 7 12:03:17 EST 2011 ]

FTP with Passif mode work like charm (with pfftpproxy)..

But, on active mode, if client have "low" port for connect to ftp (< 3000 ?) all work like charm.
if client have high port (> 50.000) ftp client not show directory
(Freeze a LIST command)

I use propriotary software how working ONLY with Active mode :(

phb.fr

Hi,

I am going crazy, but i understand why ftp work for someone and not for other.

1 client with 2 machines (On otherWAN)
1 - windows 2k3
1 - Windows 2k8
Client use ftp.exe
–-->Dlink xDSL router ----> Internet  ------My Pfsense -----> Lan FTPServer

Windows2003 on active mode work
Windows2008 on active mode connection ok but at LS command "freeze" and after waiting 2 min "timeout"

Note : no Firewall on windows2008, no special rules ont DLINK.
On windows2003 ftp client trying to talk on port 2085
On windows2008 ftp client trying to talk on port 50058

No special rules on pfsense (Only forward port 21 to FTPLAN)

Note : If i NOT use pfsense but shorewall/iptables/ ip_conntrack_ftp on linux
(win2K3 AND win2K8 machines is working !)

Maybe pfftpproxy bug or windows 2k8 R2 specific TCP pile ?

Help me

eri--

Just provide a pfctl -vss of this when it happens.

phb.fr

IP_PublicWindowsClient –> Internet IP from client (Windows2k3 and Windows 2k8)
IPFTPLAN ---> Ip local (192.168.x.x where my ftp server)
IP_PublicFTP --> My Public IP
Note :  bge0 Is LAN

With Windows2K3 (Working)
all tcp IPFTPLAN :21 <- IP_PublicFTP:21 <- IP_PublicWindowsClient:2246       ESTABLISHED:ESTABLISHED
all tcp IP_PublicWindowsClient:2246 -> IPFTPLAN :21       ESTABLISHED:ESTABLISHED
bge0 tcp IP_PublicWindowsClient:2250 <- IPFTPLAN :20       FIN_WAIT_2:FIN_WAIT_2
all tcp IPFTPLAN :20 -> IP_PublicFTP:48730 -> IP_PublicWindowsClient:2250       FIN_WAIT_2:FIN_WAIT_2

---

With Windows2k8 not work
pfctl -vss | grep IP_PublicWindowsClient
all tcp IPFTPLAN :21 <- PublicFTP :21 <- PublicWindowsClient:49756       ESTABLISHED:ESTABLISHED
all tcp PublicWindowsClient :49756 -> IPFTPLAN :21       ESTABLISHED:ESTABLISHED
all tcp IPFTPLAN :20 -> PublicFTP:33868 -> PublicWindowsClient :49757       SYN_SENT:CLOSED

Thank for your help

Edit : No idea ermal ?

phb.fr

Test with 2.0RC1 15 Mar.

Same Problem.

eri--

Can you provide me traffic captures when this happens!
It seems strange that the same protocol does not work for different versions of Windows?

phb.fr

Hi,

For serucity reason and for best debug i send you XXXX.cap and log in private message.

the of course, the answer should be put here.

Best regards,

phb.fr

i am the only one with ftp problem?

Guest

Hi guys, don't know if it can help in your specifics scenarios, but as I fighted in the past for having a ftp server working well behind a pfsense box, here is what I had learned …

As an old protocol, ftp was not well designed to be NATed, if you use active mode, with port forward for port 21(connection) and port 20 (data), it works, not very fast but it works. The thing is that most ftp clients are pre-configured to use passive mode. And the problem we have is that passive mode use random ports to transmit data. So it's logic it freezes as port xxxx and not 20 or 21 is dropped by the box. In a ftp client GUI like in Filezilla, it will do some errors and retry transfer and browsing of files will be very slow or do not work.
To fix this, I remembered I used filezilla ftp server (free as the client) which allow you to set the port range used for passive connections, and this is very cool because then we just have to NAT this portrange (choose of a port range >1024 is better to respect conventions) in pfsense. This way it worked like a charm !

If you have contraints like you cannot set, on server side, the passive portsrange the server will use and that you cannot choose/change the ftp server solution then you'll have to use a dedicated public ip and do 1:1 nat.

jelder

I have a little problem with ftp too. I use fireftp (because its free) together with my webhost. But I wanna make uploads automatic at certain times during the day. Is there an other free program that let me do this. I just can't do it with fireftp :(

Guest

Try Cobian backup, it's a free and light tool that allow to set schedules transferring files to an ftp server.
http://educ.umu.se/~cobian/cobianbackup

keith_opswat

You can script something with the windows ftp command line and create a scheduled task or cron it with the linux command line ftp script.

robypiro

Hello to everyone. I've just installed the last version of pfsense 2 and I'm having the same problem with ftp: I opened ports 20 and 21 with a Lan Firewall rule, but I can't connect to external ftp sites. I tried to connect to ftp site using firefox and filezilla, it seems to start the conncection but it hangs

robypiro

I updated now at the last version, but problem persist! Please anyone could help me??

robypiro

Any news about use of ftp behind pfsense?