Netgate Discussion Forum
    FTP set up help

Category: NAT
21 Posts 4 Posters 8.6k Views

iFloris

Right, you have also forwarded data ports.
No, the LAN address for passive connections is a setting in my FTP server application.

Have you tried scanning your firewall with a port-scanning tool? Forwarded ports should show as open.
I use this tool if I need to scan ports: shieldsup

one layer of information
removed

kwiles

From what I have read, just adding the PassivePorts line to the proftpd.conf file will enable passive mode.
But when I try to log into the FTP server (from inside the network) using passive mode, I get connected, but it hangs and times out getting a directory listing.

Using active mode to connect works fine.

SFTP is a lot slower at transferring files than FTP, but maybe I need to look into that.

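The two posts above turn on the same detail: in passive mode it is the server, not the firewall, that tells the client which address and port to open for the data connection, in its 227 reply to PASV. A server behind NAT that only has PassivePorts set still advertises its LAN address unless something rewrites it (the pfSense FTP helper on the control channel, or a server-side directive such as proftpd's MasqueradeAddress), and a client outside the NAT then tries to open its data connection to an address it cannot reach, so the listing never arrives. The following Python is an added example, not code from this thread, from pfSense or from proftpd: it decodes a 227 reply, flags a private advertised address or a data port outside the forwarded range, and shows the rewrite an ftp-proxy-style helper performs on the reply. The addresses, the replies and the 6100-6200 range (the passive range mentioned later in the thread) are constructed for the example.

```python
import ipaddress
import re

# Shape of the server's reply to PASV (RFC 959): four address octets and the
# data port split as p1*256 + p2, comma separated inside parentheses.
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed values for this example: the server's LAN address behind the
# firewall, the public address the outside client actually connected to, and
# the PassivePorts range that is forwarded on the firewall.
SERVER_LAN_IP = "192.168.1.119"
PUBLIC_IP = "203.0.113.10"
PASSIVE_RANGE = (6100, 6200)

# RFC 1918 space: the same "private networks" the firewall's block rule means.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return the (host, port) a client would dial after this 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = m.groups()
    if any(int(o) > 255 for o in fields[:4]):
        raise ValueError("bad address octet in PASV reply: %r" % reply)
    host = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    if not 0 < port < 65536:
        raise ValueError("bad data port in PASV reply: %r" % reply)
    return host, port


def build_pasv(host, port):
    """Encode host and port the way the server writes them in a 227 reply."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        host.replace(".", ","), port // 256, port % 256)


def check_pasv(reply, public_ip=PUBLIC_IP, passive_range=PASSIVE_RANGE):
    """List what an outside client would trip over when following this reply."""
    host, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(host):
        problems.append("advertised private address %s: an outside client cannot "
                        "reach it, so the data connection never opens" % host)
    elif host != public_ip:
        problems.append("advertised %s but the client connected to %s"
                        % (host, public_ip))
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, lo, hi))
    return problems


def rewrite_pasv(reply, public_ip=PUBLIC_IP):
    """The control-channel half of what an ftp-proxy-style helper does: keep the
    port, replace the server's private address with the public one. Opening
    that port inbound for the data connection is the other half, not shown."""
    host, port = parse_pasv(reply)
    if is_rfc1918(host):
        return build_pasv(public_ip, port)
    return reply


if __name__ == "__main__":
    raw = build_pasv(SERVER_LAN_IP, 6150)      # what the unmasqueraded server sends
    print(raw, check_pasv(raw))
    fixed = rewrite_pasv(raw)                  # what the client should see instead
    print(fixed, check_pasv(fixed))
```

Note that the check is from the outside client's point of view; a client on the same LAN as the server reaches 192.168.1.119 directly, which is why a private address in the reply shows up only when testing from outside.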
kwiles

SFTP does not work either. I would prefer FTP over SFTP because we have large files that need transferring.

I can't believe it's this hard to set up an FTP server behind a pfSense firewall.

No one has step-by-step instructions to set this up? I would think the people that developed pfSense would have one, but I have not found one.

Do I have a corrupt install of pfSense now?
Do I need to reinstall it?
How can I tell if the configuration files are corrupt?

iFloris

There is a step by step guide.
Howto setup ftp server behind pfsense
Going on what you wrote, you might still run into problems, as you seem to be having difficulties in getting through NAT.

kwiles

Yes, I have seen that text, but it appears to be for versions less than 2.x.

Step 2
2. Enable Proxy helper (by unchecking) on the WAN interface.

This does not exist in version 2.x. I don't think the docs have been touched since 1.x.

In the Disadvantages section:

1. A bit glitchy in the scripts that setup the rules within PFsense. I have seen the setup become corrupt if you tinker too much with these settings back and forth and require a full reinstall and resetup of PFsense. (start from scratch, DO NOT use a backup config)

It seems the doc could be a lot more helpful.

EddieA

I run vsftp on a server inside my LAN, and the only thing I did in pfSense was to forward the ports, for NAT. I can ftp to that server from the internet in either port or pasv mode without any issues.

BTW, this is on a 2.0.1 setup.

Cheers.

FTP.jpg

kwiles

Well, I have reinstalled pfSense so I could start from a fresh install.

Still cannot get it to work.

See pics for my configuration.

The proxy setting I have tried as default or with a value of 1.

The FTP client I have tried in active and passive mode.

The log file shows it being passed, but Wireshark does not see it reaching the FTP server.

Any more ideas?

fw_lan.png
fw_wan.png
nat_settings.png
proftp_settings.png

johnpoz LAYER 8 Global Moderator

It is amazing how much trouble users have with such a simple thing.

For starters there is no reason to disable the helper, if that is what you did. Not sure what you mean by proxy setting.

Your lan rule for 6100 to 6200 is not required at all. The rule above it would allow the traffic in the first place. And traffic from your lan would not be hitting the pfsense lan interface to get to that IP range anyway, unless you have more interfaces on the private side in pfsense? And then again the rule above that would allow the traffic.

If you are using the ftp helper there is no need to forward any passive ports. The ftp helper will do that for you.

I believe where most users have issues is they try to access their ftp server via the public IP/fqdn from some other client on the same private side of pfsense.

To be honest, is there really a need for documentation to forward port 21 for ftp?? This is all that should be required to allow both active and passive ftp access from outside pfsense, with the helper in play.

I am using 2.1 and not having any problems with this at all.

Should be simple enough to watch the traffic hit your pfsense port 21 rules: just set up logging on those. Then hit it from some client on the outside of your network.

You sure you're not behind a double NAT, i.e. something doing NAT or firewalling in front of your pfsense box? This is also a common issue when users have issues with port forwarding, because the NAT router in front of their pfsense install never allows the traffic to hit the pfsense interface in the first place.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07 | Lab VMs 2.8, 25.07

kwiles

I removed the 6100/6200 rule and set the proxy back to its default value; it still does not work.

As I said in my first post, I use www.logmein.com to log into my computer at home, then use FileZilla to try to access the FTP server. So I am not behind another NAT.

As I said in my last post, the log file on pfSense shows port 21 being passed, and Wireshark, an Ethernet sniffer, does not show any packets to or from the FTP server.

As for whether better documentation is needed for FTP: yes, because it appears a lot of other people are having trouble also. The documentation is not up to date anyway.

I have 4 cards in the pfSense box. They are:
em0 - WAN 192.168.0.102, given by DHCP from the AT&T modem.
re0 - LAN 192.168.1.1
re1 - Wireless 192.168.10.1
re2 - AgileDemo 192.168.11.1

I can ping the FTP server from the pfSense box on the LAN interface.

So if the NAT and firewall rules are correct for FTP server 192.168.1.119, then I am at a loss still.

johnpoz

em0 - WAN 192.168.0.102 give by DHCP from the AT&T modem.

You say you're not behind another NAT -- but clearly you are!! That is a private IP, so it is behind a NAT. Have you forwarded traffic on your AT&T "router or gateway" device (if it hands out private IPs via DHCP it is clearly not just a modem) to your WAN IP of 192.168.0.102, or put this IP in the DMZ of your AT&T router?

Even if in the DMZ of your AT&T router, does it have an ftp helper? Is it going to change private IPs to public? Is it going to open the ports for the passive connection?

So what does the traffic hitting your pfsense box WAN have for a destination, since it's clearly behind a NAT if it has an IP of 192.168.0.102? Notice your block rules above your other rules say block private IPs. Since you're behind a NAT this could be blocking traffic.

Did you post this log entry showing that it passed the 21 traffic? I do not recall seeing this log.

Grab traffic at your WAN interface and traffic at your LAN interface re0. You can do this at the same time if you ssh in and use tcpdump, versus the GUI under Diag, which I believe only lets you sniff on one interface at a time.

When I get home (getting ready to head home now) I can show an example of doing the sniffs and the sniff of the traffic accessing internal ftp from outside, etc.

But again, you are clearly behind a NAT on pfsense if your WAN interface has a private IP address! ;)

kwiles

Attached is the firewall log.

I had a long talk with AT&T when it was installed and told them that I had my own firewall and that they should pass everything through, and I believe they are, because I have accessed a video camera on ports 9020 and 9220.

I will talk with AT&T again to make sure someone has not changed the settings. No idea why they would, but I will check anyway.

fw_log.png

johnpoz

You access a video camera on those ports via what IP?

Do you have those forwarded through your router? Is there some sort of 1 to 1 NAT?

So do a listen on your LAN and WAN interfaces on pfsense via a simple tcpdump. Do you see the packets?

So for example open up a couple of ssh sessions. Then at the same time run tcpdump.

Here is WAN
[2.1-DEVELOPMENT][root@pfsense.local.lan]/root(6): tcpdump -i 4 -n -q port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx3f1, link-type EN10MB (Ethernet), capture size 96 bytes
07:08:34.395823 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0
07:08:34.396602 IP 98.215.xxx.26.21 > 173.236.157.143.19998: tcp 0
07:08:34.478660 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0
07:08:34.479792 IP 98.215.xxx.26.21 > 173.236.157.143.19998: tcp 47
07:08:34.480012 IP 98.215.xxx.26.21 > 173.236.157.143.19998: tcp 0
07:08:34.565247 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0
07:08:34.602221 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0

That is on the LAN interface of my pfsense box
[2.1-DEVELOPMENT][root@pfsense.local.lan]/root(6): tcpdump -i 3 -n -q port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx3f0, link-type EN10MB (Ethernet), capture size 96 bytes
07:08:34.395972 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0
07:08:34.396528 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 0
07:08:34.478732 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0
07:08:34.479715 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 47
07:08:34.479794 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 0
07:08:34.565333 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0
07:08:34.602293 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0

At the same time you could run a sniff on your ftp server. Maybe something else is blocking on your network, maybe a software firewall on your ftp box? All that should be required for ftp to work, both active and passive, is to forward tcp 21.

kwiles

I had taken out the NAT rules for the camera, and now they are back in.
I did nothing else but add the NAT rules you see.

This works for both the video stream and the web pages on the camera.
You cannot view the video without our software, but you can get to the login web page from that camera.

I will take down the camera at some time later.

I used LogMeIn to access the video stream from a computer at my home and it worked fine.

Will try the tcpdump when I can.

nat_camera.png
camera_webpage.png

johnpoz

I notice those cameras are on a different network than your ftp server.

kwiles

The only difference is that the LAN goes through a Gigabit switch to get to the FTP server, and the AgileDemo network goes directly to the camera.

The switch is an unmanaged switch, so no NAT in it.

johnpoz

Waiting to see the tcpdump from your pfsense interfaces. If you see the packets on your WAN, but not on your LAN interface, then we have something to look into.

kwiles

Tcpdumps attached.

If you want it run with different options, let me know.
I used the following commands.

For WAN
tcpdump -i em0 > em0.dat

For LAN
tcpdump -i re0 > re0.dat

I do see ftp on the LAN side, but I am not versed in tcpdump enough to understand what I am reading.

em0.txt
re0.txt

johnpoz

Well, I didn't actually match them up, but I see ftp packets out of your LAN interface re0:

11:01:19.581950 IP pool-173-57-104-76.dllstx.fios.verizon.net.62942 > 192.168.1.119.ftp:

So it's forwarding the packets. So if your ftp server is not seeing it, then it's not pfsense's fault.

I posted the easy thing to do for tcpdump, so you don't see all that other noise, just ftp. And instead of name resolution you just get IPs:

tcpdump -i 4 -n -q port 21

-i 4 or -i 3 is the index of my interfaces; you can use either the name or the index, I used the index. You can view your indexes with tcpdump -D.

Example:

tcpdump -D
1.gif0
2.ovpns1
3.vmx3f0
4.vmx3f1
5.lo0

I can look a bit deeper, but I see packets on your LAN interface going to your ftp server on port 21. But I did not see any response, so that tells me either your ftp server never saw the packets, or it is not answering.

In my LAN sniff you see the server answer back:
07:08:34.396528 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 0

I don't see anything coming from ftp back -- so it's not getting the packets you're putting on the LAN interface of your pfsense, or it's just not listening on 21, or it has a firewall blocking? But clearly you can see from your sniff of your re0 that packets to ftp on 21 were put on the wire. So pfsense did what you told it to do: forward the packets to that IP on its LAN interface.

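The captures johnpoz posted earlier (same client, same timestamps, public destination on the WAN side and the server's private address on the LAN side) and the reading he gives here of kwiles' capture (SYNs reach the server's address on re0, nothing comes back) are a mechanical comparison, so here it is as an added Python example, not code from this thread or from pfSense. It parses the line format of `tcpdump -n -q port 21`, pairs each client by source address and port across the WAN and LAN captures, and reports per client whether pfSense forwarded the connection and whether the server answered. The two captures below are constructed for the example using documentation addresses; only the line format comes from the thread.

```python
import re
from collections import defaultdict

# Constructed captures for this example (not the thread's em0/re0 attachments),
# in the line format of `tcpdump -n -q port 21`. On the WAN side the packets
# are seen before inbound NAT, so the destination is the firewall's public
# address (203.0.113.26 here); on the LAN side they are seen after NAT, so the
# destination is the FTP server (192.168.1.119). Three clients: one that gets
# an answer, one that is forwarded but never answered, one never forwarded.
WAN_CAPTURE = """\
07:08:34.395823 IP 198.51.100.7.19998 > 203.0.113.26.21: tcp 0
07:08:34.396602 IP 203.0.113.26.21 > 198.51.100.7.19998: tcp 0
07:08:34.479792 IP 203.0.113.26.21 > 198.51.100.7.19998: tcp 47
07:08:40.101000 IP 198.51.100.9.62942 > 203.0.113.26.21: tcp 0
07:08:41.103000 IP 198.51.100.9.62942 > 203.0.113.26.21: tcp 0
07:08:50.500000 IP 198.51.100.11.40000 > 203.0.113.26.21: tcp 0
"""

LAN_CAPTURE = """\
07:08:34.395972 IP 198.51.100.7.19998 > 192.168.1.119.21: tcp 0
07:08:34.396528 IP 192.168.1.119.21 > 198.51.100.7.19998: tcp 0
07:08:34.479715 IP 192.168.1.119.21 > 198.51.100.7.19998: tcp 47
07:08:40.101150 IP 198.51.100.9.62942 > 192.168.1.119.21: tcp 0
07:08:41.103120 IP 198.51.100.9.62942 > 192.168.1.119.21: tcp 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<len>\d+)"
)

VERDICT_OK = "forwarded to the server and the server answered"
VERDICT_NO_REPLY = ("forwarded to the LAN but no reply from the server: "
                    "not listening, host firewall, or wrong server IP")
VERDICT_NOT_FORWARDED = ("seen on the WAN but not on the LAN: pfSense did not "
                         "forward it (check the NAT entry and the WAN rule)")
VERDICT_INTERNAL = ("seen on the LAN but never on the WAN: the client is on the "
                    "private side, so this is not a test of the port forward")
VERDICT_NO_WAN = ("no port 21 traffic reached the WAN at all: check the device "
                  "in front of pfSense (double NAT) and test from outside")


def parse_capture(text):
    """Parse tcpdump -n -q lines into (ts, src, sport, dst, dport, payload_len).
    Banner lines such as 'listening on ...' do not match and are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m["ts"], m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]), int(m["len"])))
    return pkts


def classify_flows(wan_text, lan_text, server_ip, port=21):
    """Pair clients (source address, source port) across both captures and give
    each one the verdict the thread works out by hand."""
    seen = defaultdict(lambda: {"wan": False, "lan": False, "reply": False})
    for _, src, sport, _, dport, _ in parse_capture(wan_text):
        if dport == port:                       # client -> firewall, pre-NAT
            seen[(src, sport)]["wan"] = True
    for _, src, sport, dst, dport, _ in parse_capture(lan_text):
        if dport == port and dst == server_ip:  # client -> server, post-NAT
            seen[(src, sport)]["lan"] = True
        elif sport == port and src == server_ip:  # server -> client
            seen[(dst, dport)]["reply"] = True
    if not any(s["wan"] for s in seen.values()):
        return {"*": VERDICT_NO_WAN}
    verdicts = {}
    for client, s in seen.items():
        if not s["wan"]:
            verdicts[client] = VERDICT_INTERNAL
        elif not s["lan"]:
            verdicts[client] = VERDICT_NOT_FORWARDED
        elif not s["reply"]:
            verdicts[client] = VERDICT_NO_REPLY
        else:
            verdicts[client] = VERDICT_OK
    return verdicts


if __name__ == "__main__":
    result = classify_flows(WAN_CAPTURE, LAN_CAPTURE, "192.168.1.119")
    for client, verdict in sorted(result.items()):
        print("%s:%s  %s" % (client[0], client[1], verdict))
```

To use it on real captures, run `tcpdump -i <wan> -n -q port 21` and `tcpdump -i <lan> -n -q port 21` in two ssh sessions at the same time, save each output to a file, and pass the two texts in with the server's LAN address. A WAN capture that stays empty while a client outside is connecting is the double-NAT case from earlier in the thread; a client that shows up on the LAN with no reply line is the case diagnosed in this post.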
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.