FTP packets being blocked v2
-
Hello all,
I posted the topic "FTP packets being blocked" last week, but did not get any response.
Maybe I did not give enough information. I made some changes to my configs and now the situation can be better explained:
LAN (10.6.0.0/16) <=> pfSense <=> Cisco router <<=INTERNET=>> remote pfSense <=> remote LAN (192.168.2.0/24)
I have a pfSense (2.1-RC0) box behind a Cisco router. The latter's LAN interface IP is 10.0.0.1.
pfSense WAN interface: WAN, IP: 10.0.0.110/16, gateway: 10.0.0.1
pfSense LAN interface: LAN, IP: 10.6.0.253/16
I have an IPSec VPN between the Cisco router and a remote pfSense fw (on which I have no control).
I am trying to connect to an FTP server (IP: 192.168.2.21) located at the other end of the VPN.
The FTP client IP address is 10.6.1.196.
I have a rule on the LAN interface of the pfSense, as follows:
pass in log quick on $LAN inet proto tcp from 10.6.1.196 to any flags S/SA keep state
1. When I use passive FTP to connect to the server, I am able to do that, but after the PASV command, the LIST command is unable to retrieve the directory listing.
I see the following packet blocked by pfSense in the log:
WAN 192.168.2.21:3006 10.6.1.196:58456 TCP:SA
Question: why is pfSense blocking the response from the server, given that it has already seen the client send the SYN packet?
2. If I use active FTP, I am able to connect to the server, but again the LIST command is unable to retrieve the directory listing.
The pfSense log contains the following related lines:
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:A
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:PA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:A
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:PA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:A
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:PA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:A
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:PA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:A
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:PA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:A
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:FA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:R
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:R
I do hope that I have given enough information so that someone can provide an insight into this issue.
Any help is appreciated.
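A small triage helper, added here as an example and not part of the original post, that reads the kind of blocked-packet lines quoted above and sorts them by direction and TCP phase. The point it makes visible: a stateful firewall that logs blocks for SYN-ACK, ACK, FIN or RST packets of a flow whose SYN was never blocked is reporting a state-table miss (no matching state for the reply direction), not a rule match on the handshake. The line format, the `LOCAL_NET` value and the sample log are assumptions modelled on the thread; the sample is constructed from the lines the poster quoted.

```python
"""Triage pfSense-style 'blocked packet' log lines by direction and TCP phase.

Assumed line shape (hypothetical, modelled on the entries quoted in the post):
    "<interface> <src_ip>:<src_port> <dst_ip>:<dst_port> TCP:<flags>"
"""
import ipaddress
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<iface>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+TCP:(?P<flags>[A-Z]+)$"
)

# Constructed sample, assembled from the lines quoted in the post.
SAMPLE_LOG = """\
WAN 192.168.2.21:3006 10.6.1.196:58456 TCP:SA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:A
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:PA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:FA
LAN 192.168.2.21:21 10.6.1.196:58497 TCP:R
"""

# Assumed: the LAN behind the pfSense box, as given in the post.
LOCAL_NET = ipaddress.ip_network("10.6.0.0/16")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "iface": m["iface"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def classify(entry, local_net):
    """Label one blocked packet as '<direction>-<phase>'.

    direction: 'reply' when the packet travels toward a host in local_net,
               'outbound' otherwise.
    phase:     'syn' | 'syn-ack' | 'reset' | 'fin' | 'established'
    """
    inbound = entry["dst"] in local_net and entry["src"] not in local_net
    direction = "reply" if inbound else "outbound"
    flags = entry["flags"]
    if flags == "S":
        phase = "syn"
    elif flags == "SA":
        phase = "syn-ack"
    elif "R" in flags:
        phase = "reset"
    elif "F" in flags:
        phase = "fin"
    else:
        phase = "established"
    return f"{direction}-{phase}"


def summarize(text, local_net):
    """Count blocked packets per (interface, label)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[(entry["iface"], classify(entry, local_net))] += 1
    return counts


def flows_blocked_mid_stream(text, local_net):
    """Flows where packets were blocked after the handshake but no client SYN was blocked.

    Key is (client_ip, client_port, server_ip, server_port) with the client on the
    local side.  Such flows point at a missing or mismatched state entry rather than
    at a rule that rejects the connection attempt itself.
    """
    flows = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        if entry["dst"] in local_net and entry["src"] not in local_net:
            key = (str(entry["dst"]), entry["dport"], str(entry["src"]), entry["sport"])
        else:
            key = (str(entry["src"]), entry["sport"], str(entry["dst"]), entry["dport"])
        flows[key].append(entry["flags"])
    return sorted(k for k, flags in flows.items() if "S" not in flags)


if __name__ == "__main__":
    for (iface, label), n in sorted(summarize(SAMPLE_LOG, LOCAL_NET).items()):
        print(f"{iface:4} {label:22} {n}")
    for flow in flows_blocked_mid_stream(SAMPLE_LOG, LOCAL_NET):
        print("state miss suspected:", flow)
```

Run against the pasted lines it reports one reply SYN-ACK blocked on WAN and only established/teardown packets blocked on LAN, with no blocked SYN for either flow, which is the shape of the question the poster asks: the handshake was allowed, the later packets were not.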
-
Hi there !
I understood that you have an FTP server behind the "remote pfSense".
To rule out any troubles concerning the "local setup" (LAN - pfSense - Router - Internet) you have one question to answer: can you connect to a DIFFERENT FTP server on the Internet? If this works then you know the problem isn't local.
Btw: be careful: you have a local router-behind-router setup, which means a NAT-after-NAT setup. The FTP protocol needs special FTP-helpers and in your case BOTH have to cooperate well.
-
Sorry for the late reply.
Regarding whether I can connect to a different FTP server, I think the answer is yes (haven't tested thoroughly).
Regarding NAT, please note that I'm not doing NAT on the local pfSense box. The thing is that I don't have any problem when I bypass the local pfSense box, which indicates a potential problem with the latter.