Netgate Discussion Forum

    FTP set up help

    • kwiles

      Well I have reinstalled pfSense so I could start from a fresh install.

      Still can not get it to work.

      See pics for my configuration.

      The proxy setting I have tried as default or a value of 1.

      The FTP client I have tried active or passive.

      The log file shows it being passed but wireshark does not see it reaching the FTP server.

      Any more ideas?

      fw_lan.png
      fw_wan.png
      nat_settings.png
      proftp_settings.png

      • johnpoz (LAYER 8 Global Moderator)

        It is amazing how much trouble users have with such a simple thing.

        For starters, there is no reason to disable the helper, if that is what you did. Not sure what you mean by proxy setting.

        Your LAN rule for 6100 to 6200 is not required at all. The rule above it would allow the traffic in the first place. And traffic from your LAN would not be hitting the pfSense LAN interface to get to that IP range anyway, unless you have more interfaces on the private side in pfSense? And then again, the rule above that would allow the traffic.

        If you are using the FTP helper there is no need to forward any passive ports; the FTP helper will do that for you.

        I believe where most users have issues is they try to access their FTP server via the public IP/FQDN from some other client on the same private side of pfSense.

        To be honest, is there really a need for documentation to forward port 21 for FTP? This is all that should be required to allow both active and passive FTP access from outside pfSense, with the helper in play.

        I am using 2.1 and not having any problems with this at all.

        Should be simple enough to watch the traffic hit your pfSense port 21 rules - just set up logging on those. Then hit it from some client on the outside of your network.

        Are you sure you're not behind a double NAT, i.e. something doing NAT or firewalling in front of your pfSense box? This is also a common issue when users have issues with port forwarding: because of the NAT router in front of their pfSense install, the traffic never hits the pfSense interface in the first place.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        • kwiles

          I removed the 6100/6200 and set the proxy back to its default value; still does not work.

          As I said in my first post, I use www.logmein.com to log into my computer at home, then use FileZilla to try and access the FTP server. So I am not behind another NAT.

          As I said in my last post, the log file on pfSense shows port 21 being passed, and Wireshark, an Ethernet sniffer, does not show any packets to or from the FTP server.

          As for whether better documentation is needed for FTP: yes, because it appears a lot of other people are having troubles also. The documentation is not up to date anyway.

          I have 4 cards in the pfSense box; they are:
          em0 - WAN 192.168.0.102 given by DHCP from the AT&T modem.
          re0 - LAN 192.168.1.1
          re1 - Wireless 192.168.10.1
          re2 - AgileDemo 192.168.11.1

          I can ping the FTP server from the pfSense box on the LAN interface.

          So if the NAT and firewall rules are correct for FTP server 192.168.1.119, then I am at a loss still.

          • johnpoz (LAYER 8 Global Moderator)

            "em0 - WAN 192.168.0.102 given by DHCP from the AT&T modem."

            You say you're not behind another NAT – but clearly you are!! That is a private IP, so it is behind a NAT. Have you forwarded traffic on your AT&T "router or gateway - if it hands out private IPs via DHCP it is clearly not just a modem" device to your WAN IP of 192.168.0.102, or put this IP in the DMZ of your AT&T router?

            Even if in the DMZ of your AT&T router - does it have an FTP helper? Is it going to change private IPs to public? Is it going to open the ports for the passive connection?

            So what does the traffic hitting your pfSense box WAN have for a destination, since it's clearly behind a NAT if it has an IP of 192.168.0.102? Notice your block rules above your other rules say block private IPs. Since you're behind a NAT, this could be blocking traffic.

            Did you post this log entry showing that it passed the 21 traffic? I do not recall seeing this log.

            Grab traffic at your WAN interface and traffic at your LAN interface re0 -- you can do this at the same time if you SSH in and use tcpdump vs. the GUI under Diag, which I believe only lets you sniff on one interface at a time.

            When I get home - getting ready to head home now - I can show an example of doing the sniffs and the sniff of the traffic accessing internal FTP from outside, etc.

            But again -- you are clearly behind a NAT on pfSense if your WAN interface has a private IP address! ;)

            • kwiles

              Attached is the firewall log.

              I had a long talk with AT&T when it was installed and told them that I had my own firewall and that they should pass everything through, and I believe they are, because I have accessed a video camera on ports 9020 and 9220.

              I will talk with AT&T again to make sure someone has not changed the settings; no idea why they would, but will check anyway.

              fw_log.png

              • johnpoz (LAYER 8 Global Moderator)

                You access a video camera on those ports via what IP?

                Do you have those forwarded through your router? Is there some sort of 1-to-1 NAT?

                So do a listen on your LAN and WAN interfaces on pfSense via a simple tcpdump – do you see the packets?

                So for example, open up a couple of SSH sessions. Then at the same time run tcpdump.

                Here is the WAN:
                [2.1-DEVELOPMENT][root@pfsense.local.lan]/root(6): tcpdump -i 4 -n -q port 21
                tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                listening on vmx3f1, link-type EN10MB (Ethernet), capture size 96 bytes
                07:08:34.395823 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0
                07:08:34.396602 IP 98.215.xxx.26.21 > 173.236.157.143.19998: tcp 0
                07:08:34.478660 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0
                07:08:34.479792 IP 98.215.xxx.26.21 > 173.236.157.143.19998: tcp 47
                07:08:34.480012 IP 98.215.xxx.26.21 > 173.236.157.143.19998: tcp 0
                07:08:34.565247 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0
                07:08:34.602221 IP 173.236.157.143.19998 > 98.215.xxx.26.21: tcp 0

                This is on the LAN interface of my pfSense box:
                [2.1-DEVELOPMENT][root@pfsense.local.lan]/root(6): tcpdump -i 3 -n -q port 21
                tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                listening on vmx3f0, link-type EN10MB (Ethernet), capture size 96 bytes
                07:08:34.395972 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0
                07:08:34.396528 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 0
                07:08:34.478732 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0
                07:08:34.479715 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 47
                07:08:34.479794 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 0
                07:08:34.565333 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0
                07:08:34.602293 IP 173.236.157.143.19998 > 192.168.1.4.21: tcp 0

                At the same time you could run a sniff on your FTP server. Maybe something else is blocking on your network, maybe a software firewall on your FTP box? All that should be required for FTP to work, both active and passive, is to forward TCP 21.

                  • kwiles

                  I had taken out the NAT rules for the camera and now they are back in.
                  I did nothing else but add the NAT rules you see.

                  This works for both the video stream and the web pages on the camera.
                  You cannot view the video without our software, but you can get to the login web page of that camera.

                  I will take down the camera some time later.

                  I used LogMeIn to access the video stream from a computer at my home and it worked fine.

                  Will try the tcpdump when I can.

                  nat_camera.png
                  camera_webpage.png

                    • johnpoz (LAYER 8 Global Moderator)

                    I notice those cameras are on a different network than your ftp server.

                      • kwiles

                      The only difference is that the LAN goes through a Gigabit switch to get to the FTP server and the AgileDemo network goes directly to the camera.

                      The switch is an unmanaged switch, so no NAT in it.

                        • johnpoz (LAYER 8 Global Moderator)

                        Waiting to see the tcpdump from your pfSense interfaces. If you see the packets on your WAN, but not on your LAN interface – then we have something to look into.

                          • kwiles

                          Tcpdumps attached.

                          If you want it run with different options let me know.
                          I used the following commands.

                          For WAN
                          tcpdump -i em0 > em0.dat

                          For LAN
                          tcpdump -i re0 > re0.dat

                          I do see FTP on the LAN side, but I am not versed enough in tcpdump to understand what I am reading.

                          em0.txt
                          re0.txt

                            • johnpoz (LAYER 8 Global Moderator)

                            Well, I didn't actually match them up, but I see FTP packets out of your LAN interface re0:

                            11:01:19.581950 IP pool-173-57-104-76.dllstx.fios.verizon.net.62942 > 192.168.1.119.ftp:

                            So it's forwarding the packets. So if your FTP server is not seeing it, then it's not pfSense's fault.

                            I posted up the easy thing to do for tcpdump, so you don't see all that other noise, just FTP. And vs. name resolution you just get IPs:

                            tcpdump -i 4 -n -q port 21

                            -i 4 or -i 3 is the index of my interfaces - you can use either name or index; I used index. You can view your indexes with tcpdump -D.

                            Example:

                            tcpdump -D
                            1.gif0
                            2.ovpns1
                            3.vmx3f0
                            4.vmx3f1
                            5.lo0

                            I can look a bit deeper, but I see packets on your LAN interface going to your FTP server on port 21. But I did not see any response - so that tells me either your FTP server never saw the packets, or it is not answering.

                            In my LAN sniff you see the server answer back:
                            07:08:34.396528 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 0

                            I don't see anything coming back from FTP – so it's not getting the packets you're putting on the LAN interface of your pfSense, or it's just not listening on 21, or it has a firewall blocking? But clearly you can see from your sniff of your re0 that packets to FTP on 21 were put on the wire. So pfSense did what you told it to do: forward the packets to that IP on its LAN interface.

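The comparison johnpoz makes by eye above (packets to port 21 on the WAN, the same packets re-emitted towards the server on re0, and whether anything comes back) can be automated. The script below is an added example, not code from johnpoz, kwiles or the pfSense project. It parses the output format of `tcpdump -n -q port 21` as shown in the earlier WAN/LAN sniff post, follows each client's control connection from the WAN capture into the LAN capture, and reports where the traffic stops: never arriving on the WAN (the upstream AT&T device), arriving but not being forwarded (the pfSense NAT/firewall rules), or being forwarded with no reply (the server, its host firewall, or the switch path). It also flags a WAN-side destination inside RFC 1918 space, which is the double-NAT situation discussed in the thread. It assumes a port forward preserves the client's source address and port on the LAN side, which is the default behaviour and matches the two captures in the thread. The interface names, addresses and sample captures are constructed for the example; documentation ranges stand in for the thread's real public addresses.

```python
"""Added example (not from the thread): correlate a WAN-side and a LAN-side
`tcpdump -n -q port 21` capture from pfSense to see where the FTP control
channel stops. Interface names, addresses and the sample captures below are
constructed for illustration."""
import re
from ipaddress import ip_address, ip_network

# One line of `tcpdump -n -q` output: timestamp, src.port > dst.port, "tcp <len>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<len>\d+)$"
)

# The "Block private networks" WAN rule matches RFC 1918 space; a WAN address in
# this space means a device in front of pfSense is also doing NAT (double NAT).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_tcpdump(text):
    """Return a list of packet dicts; tcpdump's banner lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append({"ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
                            "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])})
    return packets


def diagnose(wan_text, lan_text, ftp_port=21):
    """Follow each client's control connection from WAN to LAN and back."""
    wan, lan = parse_tcpdump(wan_text), parse_tcpdump(lan_text)
    wan_in = [p for p in wan if p["dport"] == ftp_port]          # client -> WAN address
    clients = {(p["src"], p["sport"]) for p in wan_in}
    # A port forward keeps the client's source address/port (assumption: default
    # behaviour), so the same tuple reappears on the LAN side with the server as destination.
    lan_fwd = [p for p in lan if p["dport"] == ftp_port and (p["src"], p["sport"]) in clients]
    lan_reply = [p for p in lan if p["sport"] == ftp_port and (p["dst"], p["dport"]) in clients]
    report = {
        "wan_inbound": len(wan_in),
        "wan_dst_private": any(is_rfc1918(p["dst"]) for p in wan_in),
        "lan_forwarded": len(lan_fwd),
        "server_ips": sorted({p["dst"] for p in lan_fwd}),
        "server_replies": len(lan_reply),
    }
    if not wan_in:
        verdict = "no FTP traffic reached the WAN interface: look upstream of pfSense"
    elif not lan_fwd:
        verdict = "WAN saw FTP but LAN did not: the NAT/firewall rules on pfSense are not forwarding it"
    elif not lan_reply:
        verdict = "pfSense forwarded to LAN but the server never answered: check its listener, host firewall or the switch path"
    else:
        verdict = "control channel OK end to end"
    if report["wan_dst_private"]:
        verdict += "; WAN destination is RFC 1918, so a device in front of pfSense is also doing NAT"
    report["verdict"] = verdict
    return report


# Constructed captures modelled on the thread's output format (203.0.113.143 = client,
# 198.51.100.26 = public WAN address, 192.168.1.4 / 192.168.1.119 = FTP servers).
WAN_OK = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx3f1, link-type EN10MB (Ethernet), capture size 96 bytes
07:08:34.395823 IP 203.0.113.143.19998 > 198.51.100.26.21: tcp 0
07:08:34.396602 IP 198.51.100.26.21 > 203.0.113.143.19998: tcp 0
07:08:34.478660 IP 203.0.113.143.19998 > 198.51.100.26.21: tcp 0
07:08:34.479792 IP 198.51.100.26.21 > 203.0.113.143.19998: tcp 47
07:08:34.565247 IP 203.0.113.143.19998 > 198.51.100.26.21: tcp 0
"""
LAN_OK = """\
07:08:34.395972 IP 203.0.113.143.19998 > 192.168.1.4.21: tcp 0
07:08:34.396528 IP 192.168.1.4.21 > 203.0.113.143.19998: tcp 0
07:08:34.478732 IP 203.0.113.143.19998 > 192.168.1.4.21: tcp 0
07:08:34.479715 IP 192.168.1.4.21 > 203.0.113.143.19998: tcp 47
07:08:34.565333 IP 203.0.113.143.19998 > 192.168.1.4.21: tcp 0
"""
# The thread's failure case: SYNs are put on the LAN wire, nothing comes back.
LAN_NO_REPLY = """\
07:08:34.395972 IP 203.0.113.143.19998 > 192.168.1.119.21: tcp 0
07:08:34.478732 IP 203.0.113.143.19998 > 192.168.1.119.21: tcp 0
07:08:34.565333 IP 203.0.113.143.19998 > 192.168.1.119.21: tcp 0
"""
# Double NAT: the pfSense WAN address itself is private.
WAN_DOUBLE_NAT = "07:08:34.395823 IP 203.0.113.143.19998 > 192.168.0.102.21: tcp 0\n"

if __name__ == "__main__":
    import sys
    # Usage: python ftp_trace.py em0.txt re0.txt  (files saved from `tcpdump -n -q port 21`)
    if len(sys.argv) == 3:
        wan_text, lan_text = (open(f).read() for f in sys.argv[1:3])
    else:
        wan_text, lan_text = WAN_OK, LAN_NO_REPLY
    for key, value in diagnose(wan_text, lan_text).items():
        print(f"{key}: {value}")
```

Run it against two files saved from simultaneous `tcpdump -n -q port 21` sessions on the WAN and LAN interfaces (the `-n -q` flags matter: the parser expects bare IPs and the short one-line-per-packet form, not the name-resolved verbose output of a plain `tcpdump -i em0`). Matching on the client's source address and port, rather than on timestamps, keeps the correlation robust when the two captures are not started at exactly the same instant.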
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.