Netgate Discussion Forum

Open port for ftp

Firewalling
26 Posts 5 Posters 19.0k Views
A Former User

@marcelloc:

Take a look at this doc; it may help you.

      http://slacksite.com/other/ftp.html

Well, that explains the FTP stuff, but I am certain the problem is with my setup in pfSense.

The consumer routers don't have as many options as pfSense (not the ones I used), and opening/forwarding a few ports for FTP was very easy.

Maybe I need to take a screenshot of my setup and upload it here.

brb

johnpoz (LAYER 8 Global Moderator)

I think you're putting too much thought into it. All you need to do is create the NAT, and by default pfSense will create the WAN rule for you.

So I just opened up FTP for a test.

Attached you will find, first, me creating the NAT (port forward). You only need to pick FTP, the inside IP you want to forward to, and the port, again FTP.

Then you will see the NAT listed (port forward).

And then you will see the WAN rule is auto-created for you, unless you change that at the very bottom when creating the NAT.

NOW, testing from outside your network: NAT reflection could be causing you grief if you're trying to access your FTP using the public IP from a box inside your network.

And then finally you will see it working: access, and then a directory listing, which would use the data port. You only need to create a rule for FTP (21). Now, depending on your server or client, if you're doing active or passive, etc., then you might have to do some extra, but out of the box it really should only take 2 seconds to forward FTP into one of your servers.

Attachments: ftppfsensenat.png, ftpportforwardlisting.png, wanrules.png, working.png

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

A Former User

@johnpoz:

I think you're putting too much thought into it. All you need to do is create the NAT, and by default pfSense will create the WAN rule for you.

So I just opened up FTP for a test.

Attached you will find, first, me creating the NAT (port forward). You only need to pick FTP, the inside IP you want to forward to, and the port, again FTP.

Then you will see the NAT listed (port forward).

And then you will see the WAN rule is auto-created for you, unless you change that at the very bottom when creating the NAT.

NOW, testing from outside your network: NAT reflection could be causing you grief if you're trying to access your FTP using the public IP from a box inside your network.

And then finally you will see it working: access, and then a directory listing, which would use the data port. You only need to create a rule for FTP (21). Now, depending on your server or client, if you're doing active or passive, etc., then you might have to do some extra, but out of the box it really should only take 2 seconds to forward FTP into one of your servers.

What you are saying is different from what was first recommended, so yes, I can see how I might be making this a bigger deal than it should be.
Also, I am able to test from the outside in. I have pfSense using 1 IP of my available 13. I am logged on from another network trying to hit the pfSense box.

I will take a look at your pics.

Thanks for taking the time to make them.

marcelloc

johnpoz,

Post your TFTP proxy setup too; FTP does not work on port 21 only.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

A Former User

@johnpoz:

I think you're putting too much thought into it. All you need to do is create the NAT, and by default pfSense will create the WAN rule for you.

So I just opened up FTP for a test.

Attached you will find, first, me creating the NAT (port forward). You only need to pick FTP, the inside IP you want to forward to, and the port, again FTP.

Then you will see the NAT listed (port forward).

And then you will see the WAN rule is auto-created for you, unless you change that at the very bottom when creating the NAT.

NOW, testing from outside your network: NAT reflection could be causing you grief if you're trying to access your FTP using the public IP from a box inside your network.

And then finally you will see it working: access, and then a directory listing, which would use the data port. You only need to create a rule for FTP (21). Now, depending on your server or client, if you're doing active or passive, etc., then you might have to do some extra, but out of the box it really should only take 2 seconds to forward FTP into one of your servers.

Perfect... that worked without any issues at all.

Thanks!

johnpoz (LAYER 8 Global Moderator)

"ftp does not work only on port 21."

Where did I say it did??? I completely agree with you: source port 20 in an active connection, and the server creates this connection to the client. And then in passive, some normally random port above 1024 would be sent to the client from the server through the control connection, and the client would connect to that.

As to my TFTP proxy setting: I do not use that. But I am pretty sure that pfSense has an FTP helper built in, which I believe there has been some discussion on in the past, that there is no way to turn it off?

But what would the TFTP proxy have to do with FTP? TFTP is NOTHING like FTP at all. It's normally UDP, for one big difference ;)

Attachment: tftpproxy.png

marcelloc

Now it's clear to me: this successful setup is for active connections only.

johnpoz (LAYER 8 Global Moderator)

No, that is not what I am saying either. I am not having any issues with passive either:

    ftp> passive
    Passive mode on.
    ftp> ls
    227 Entering Passive Mode (24,13,xx,xx,19,137)
    150 Connection accepted
    -rw-r--r-- 1 ftp ftp             35 Jan 12 11:26 test.txt
    226 Transfer OK
    ftp> get test.txt
    local: test.txt remote: test.txt
    227 Entering Passive Mode (24,13,xx,xx,19,138)
    150 Connection accepted
    226 Transfer OK
    35 bytes received in 0.00 secs (235.7 kB/s)

There is an FTP helper that handles this sort of thing: once you create the NAT for the control channel, pfSense should handle the rest of it for the data channels.

As you can see from above, I was clearly in passive mode and pulled a file from the server. (I snipped out part of my public IP for security reasons.)

And here it is working in active mode, which, if passive is off, is what you're in:

    ftp> passive
    Passive mode off.
    ftp> ls
    200 Port command successful
    150 Opening data channel for directory list.
    -rw-r--r-- 1 ftp ftp             35 Jan 12 11:26 test.txt
    226 Transfer OK
    ftp> get test.txt
    local: test.txt remote: test.txt
    200 Port command successful
    150 Opening data channel for file transfer.
    226 Transfer OK
    35 bytes received in 0.01 secs (6.8 kB/s)

Edit: Now, where you can have problems is if both server and client are behind NAT. In the examples I have given, only the server is behind my NAT. My client is from my webhost SSH access, so it's on a public IP. I'm working from home today because of snow, but tomorrow from work I can do testing with both my server and the client being behind a NAT.

Yeah, FTP can be fun ;) But with the FTP helper you should not have to do anything manually for your rules, be it active or passive, into your server.

Edit 2: I was just having a conversation with a colleague at work the other day about the FTP protocol. It's kind of a mess with today's networks and all the NATs and such. When it was created, the net was a much different place. Now, if you want some more fun, start playing with FTPS: are you going implicit or explicit? The problem is that now the PORT command is inside a secure tunnel, so firewall/router helpers cannot modify the commands with the correct IPs, etc. So you have problems with that for sure; if that is the case, then yeah, you have to create some manual rules for the ports that you're going to use.

To be honest, I would go with SFTP vs. FTP, or just FTP over an SSH tunnel. It's easier for sure with SFTP, since you're only dealing with 1 port (the SSH port, normally 22) and not control and data ports, active and passive, etc., etc.

marcelloc

@johnpoz:

There is an FTP helper that handles this sort of thing: once you create the NAT for the control channel, pfSense should handle the rest of it for the data channels.

Where is the FTP helper?

In the Portuguese forum there are many people with FTP issues; this simple NAT did not work for them.

Without any TFTP-enabled interfaces and without any WAN rule for passive mode, I have no idea how it's working.

As I don't publish an FTP server, I can't try it here, but I still want to help them solve this publication problem.

johnpoz (LAYER 8 Global Moderator)

The FTP helper is part of pfSense/FreeBSD.

It changes the IP to reflect your public IP even though the server on the private side will send its private IP.

So here is a sniff of FTP on the server interface, and then on the WAN side of the pfSense box.

Notice that the IP was changed to reflect the public IP vs. the private IP the server sent.

In active mode, your normal LAN rule is any/any (at least this is the default), so the server has no issue making the connection from source port 20 to whatever IP and port the client sent.

So here are the 2 sniffs. My public IP is 24.13.x.x and my private IP is 192.168.1.4. The first one is what I captured right at the server's interface: see, it says to connect to port 5004 on a private IP, which the client would never be able to do. But the FTP helper in pfSense/FreeBSD changes that to the correct public IP, and allows the traffic since it's part of the FTP session. There is no rule saying that port 5004 (which is going to change all the time) should be sent to the FTP server's private IP. The FTP helper portion handles this.

Edit: If I had to guess why they are having problems, I would guess they are trying to create rules that don't need to be created. Or they are having issues with NATs on both sides and something is broken, or double NATs. I have seen lots of setups with double NATs, and yeah, that can break all kinds of shit, where the pfSense helper changes it to its WAN IP, which is still private because pfSense is behind a NAT, and then the router after pfSense might not have a helper, or sessions get confused.

To help, we would really need to know if they want to use active or passive. How are they testing it? You're probably going to have issues trying to hit your public IP from your private LAN; you really need to be actually outside the pfSense LAN network to test if your forward is working correctly. What FTP server are they using? Quite a few of them can be set to do their own thing to try and help with being behind a NAT (using static passive ports, changing the IP sent out); maybe this is misconfigured, etc., etc.

FTP can be fun, like I said. And yes, in this day of NATs on both ends and users not understanding the protocol, it can be even more fun ;)

Attachments: passiveprivate.png, wanpfsense.png

robegan99

You may be having trouble with the pfSense FTP "helper." Check this out:

                            http://doc.pfsense.org/index.php/FTP_Troubleshooting

johnpoz (LAYER 8 Global Moderator)

Yeah, that is no longer valid. Where do you turn the FTP helper on or off? Like I mentioned earlier, I don't believe there is a way to disable the helper??

rolo95

@tomdlgns:

Tom, I got the same problem, but I followed your screenshot tutorial and it works like a charm now.
Many thanks.
pfSense is not for newbies... who come from the home router boxes like D-Link and Linksys.
This is serious stuff.
Thanks, man.
Rolo.

johnpoz (LAYER 8 Global Moderator)

If you feel that 20 needs to be forwarded, you clearly do not understand how FTP works.

There is NO situation in FTP where you would need to forward port 20. There just isn't.

I would suggest you take a look at http://slacksite.com/other/ftp.html

It's a great, easy-to-understand write-up on how FTP works in both active and passive mode. After you look at it, in what scenario would you need to allow unsolicited traffic to be sent to your FTP server behind your firewall on port 20?

Nutshell:
In active, the server makes the data connection to some client port the client told the server to connect to, from a source port of 20. This is outbound traffic, so no forward!

In passive, the client makes a connection to a data port (not 20) that the server tells the client to connect to, which the helper would open, or which you would have to manually configure on your firewall and set up on your FTP server to use.

As to pfSense being complicated: I would agree that much more can be done with it than your typical SOHO router, etc. But in general operation I don't see it as any more complicated than any other web-based UI on any SOHO router out there.

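As an added example (not code from this thread, pfSense or FreeBSD), the following Python models the pieces johnpoz describes: the h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and the 227 PASV reply, the data port p1*256 + p2 (19,137 in his transcript is port 5001), the helper rewriting a private server address in a PASV reply to the firewall's public address, and his active/passive nutshell of which side opens the data connection and whether an inbound allow is needed. The 24.13.0.1 public address, the 19,140 tuple (port 5004, the port from his capture) and the 203.0.113.9 client are constructed placeholders; 192.168.1.4 is the server address he posted.

```python
"""Model of the FTP control-channel details discussed in the thread.

Added example, not pfSense or FreeBSD code. It parses the h1,h2,h3,h4,p1,p2
tuple used by the PORT command and the 227 PASV reply, derives the data port
(p1*256 + p2), says which side opens the data connection, and mimics what the
FTP helper does to a PASV reply that advertises the server's private address.
Addresses are constructed placeholders (24.13.0.1 stands in for the thread's
24.13.x.x; 192.168.1.4 is the server address johnpoz posted).
"""
from __future__ import annotations

import re
from ipaddress import ip_address

# Same encoding for PORT (client -> server) and 227 (server -> client).
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str) -> tuple[str, int]:
    """Return (ip, port) from a PORT command or 227 reply; port = p1*256 + p2."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"byte out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_hostport(ip: str, port: int) -> str:
    """Inverse of parse_hostport: encode an IPv4 ip and port as h1,h2,h3,h4,p1,p2."""
    if ip_address(ip).version != 4:
        raise ValueError(f"PORT/PASV tuples carry IPv4 only, got {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


def data_connection(line: str, passive: bool) -> dict:
    """Describe the data connection that a control-channel line sets up.

    passive=True : line is the server's 227 reply; the client connects *in*
                   to that ip:port, so the firewall must allow it (helper or
                   manual rule).
    passive=False: line is the client's PORT command; the server connects
                   *out* from source port 20 to it, so no inbound forward is
                   needed (port 20 is never forwarded).
    """
    ip, port = parse_hostport(line)
    if passive:
        return {"opened_by": "client", "direction": "inbound",
                "dst": (ip, port), "src_port": None, "needs_inbound_allow": True}
    return {"opened_by": "server", "direction": "outbound",
            "dst": (ip, port), "src_port": 20, "needs_inbound_allow": False}


def helper_rewrite_pasv(reply: str, server_private_ip: str,
                        firewall_public_ip: str) -> tuple[str, dict | None]:
    """Mimic the FTP helper on a 227 reply leaving the private side.

    If the server advertised its private address (unreachable for an outside
    client), replace it with the firewall's public address and return the
    per-session translation the firewall must hold: public ip:port ->
    private ip:port. A reply that already carries a public address is left
    alone and no entry is returned.
    """
    ip, port = parse_hostport(reply)
    if ip != server_private_ip:
        return reply, None
    fixed = _TUPLE.sub(format_hostport(firewall_public_ip, port), reply, count=1)
    entry = {"proto": "tcp",
             "public": (firewall_public_ip, port),
             "private": (server_private_ip, port)}
    return fixed, entry


if __name__ == "__main__":
    # Constructed PASV reply as the server would send it from 192.168.1.4;
    # 19*256 + 140 = 5004, the data port from johnpoz's capture.
    private_reply = "227 Entering Passive Mode (192,168,1,4,19,140)"
    fixed, entry = helper_rewrite_pasv(private_reply, "192.168.1.4", "24.13.0.1")
    print(fixed)                                   # now advertises 24.13.0.1
    print(entry)                                   # what the firewall must track
    print(data_connection(fixed, passive=True))    # client dials in to port 5004
    # Constructed PORT command from a client at 203.0.113.9 (documentation range).
    print(data_connection("PORT 203,0,113,9,200,10", passive=False))
```

The last line is the active-mode case from the nutshell: the PORT command names a client port (200,10 is 51210), the server dials it from source port 20, and nothing inbound has to be opened; only the passive case produces a translation entry, which is what the helper keeps track of so that a per-session port like 5004 never needs a static forward.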
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.