Outbound and inbound FTP stopped working
-
can we draw up your network, and work through it
From what I can see with the passive command your client didn't try and connect to the IP and port given, and instead sent port command again, that the ftp server tried to connect too and pfsense sent on the lan to the 192.168 address. But that ftp server never responded.
None of this points to a pfsense problem. It seems the helper is changing the private ips to the public ones, and creating the states to allow the active connection from 20 to come in and sends it on to the ftp server.
You sniffed at both the wan and the lan interfaces and don't see where pfsense is doing anything wrong or not doing anything. It changes the IPs and forwards on the traffic it gets in answer to the port command..
Here the thing, from a client talking pasv to a ftp server on the pubic internet pfsense ftp helper doesn't really do anything. Your client makes a connection to the servers port 21, this is no different than a client going to a website. If the client then does a passive connection - the server says hey connect to me on port X, the client is then suppose to go connect to that port. Again pfsense ftp helper is not involved, your just a client making a connection to some port just like a web site.
Only if your server is behind pfsense and client come from the public does the passive does ftp helper have to do anything it has to open the port the server told the client to connect to and forward it to the server. And possible change the IP from a private to public if the servers pasv command gave a private.
if the client is on the public internet and does a active to your server behind pfsense. Pfsense does nothing different than if your ftp server was going to some website.
If the client is behind pfsense talking to a ftp server on public and does active connection, then ftp helper has to change the IP in the port command and to the public one and allow and forward the port that the sever on the public internet is going to talk to from port 20.
Since pfsense is not really doing anything in a client behind pfsense going to a pubic ftp server using passive, lets troubleshoot that problem. From a box on your 192 network, try and connect to say ftp.microsoft.com using passive!! Make sure the client support passive and easy to change and watch the connection. For example filezilla shows you what is happening and can easy be changed from active to passive mode on the client. If you sniff on pfsense wan, and client we can validate that pfsense is passing traffic and that client from the filezilla log and sniff that it got the command for what IP and port to connect to and that it actually tries to connect, and sniff on wan of pfsense will show us that connection went out to the internet.
-
You get A+ for patience. (-:
-
It is wearing thin ;) But would be easier if had access to a box inside his network, and pfsense..
While ftp can be a PITA, its not a complicated protocol. I really don't understand why anyone still uses it any more. Use sftp - its 1 port, its encrypted. You don't have these pasv vs active on a different session to deal with, etc..
I really don't see why anyone still uses ftp, other than maybe anonymous serving up files? If your going to serve them up anonymous - why not just do it over http ;)
-
It is wearing thin ;) But would be easier if had access to a box inside his network, and pfsense..
While ftp can be a PITA, its not a complicated protocol. I really don't understand why anyone still uses it any more. Use sftp - its 1 port, its encrypted. You don't have these pasv vs active on a different session to deal with, etc..
I really don't see why anyone still uses ftp, other than maybe anonymous serving up files? If your going to serve them up anonymous - why not just do it over http ;)
FTP in use because that is why the clients website provider uses :-(
I have asked is they support sftp or SCP to no avail..Re network diagram is super simple so did not think necessary to doc
192.168.53.x –--> 192.168.53.1 (Pfsense) 114.111.141.50 ------> whlac.org.au (ftp server)for inbound to my own ftp server ( used for testing)
192.168.53.5 (my internal FTP server) ---- 192.168.53.1 (Pfsense Inbound NAT) ) 114.111.141.50 <------ Any external clientSeveral internal host have the identical issue
I have just tried using Filezilla on the client and the connection / upload worked fine ! . It still fails using the command line though.
note I am uploading as part of a script and thus the command line is what I am needing to use and thus have not ried anything elseKen
-
You get A+ for patience. (-:
Hey boys Dont worry OK if that is the attitude. I Dunno why it might be wearing thin 'cos this is a really weird one that has got me stumped. As you say FTP is brain dead simple and shold "Just work" but this does not for some reason.
Thanks for your help John and Sorry to take up your time
Ken -
So filezilla works in what test you uploading to whlac.org.au in passive mode?
So 182.50.153.244 is the webhost ftp server you need to send stuff too. And your doing this from something on your 192.168 network.. Why can you not just use passive? What ftp client are scripting to? Windows build int ftp? You can script filezilla easy.. Or you could use winscp again scripts easy.
If on linux what ftp client are you using?
So when you used active connection pfsense changed the IP for your port command, and sent on the syn part of the connection from the server as you saw that on your sniff. But your client did not respond..
So you have something wrong on your client.
When you test from filezilla did you test both active and passive - did that work? Or just the passive worked?
As to webhost not supporting sftp, that is easy enough - change webhosts ;) Run your own vps, etc. Its not like you can not host a website at a billion different places. If one doesn't provide the services you want - move to one that does ;)
-
So filezilla works in what test you uploading to whlac.org.au in passive mode? When I tried just now yep
So 182.50.153.244 is the webhost ftp server you need to send stuff too. And your doing this from something on your 192.168 network.. Why can you not just use passive? What ftp client are scripting to? Windows build int ftp?
YEP, batch file that does a billion other things too and has been running for about 4 years now, behing pfsense for 2 years no issueYou can script filezilla easy.. Or you could use winscp again scripts easy.
Yep and I then need to rewrite other apps to go and call a windows app to fix what went wrong.If on linux what ftp client are you using? ftp command line. it is a server so no X server
So when you used active connection pfsense changed the IP for your port command, and sent on the syn part of the connection from the server as you saw that on your sniff. But your client did not respond..
So traces tell us, When I set pasv in the FTP comand it still no work.So you have something wrong on your client. Possibly but why would 4 different clients ( 2 win2003, 1 x win 2008, and Debian ( server) all break at the same time?
When you test from filezilla did you test both active and passive - did that work? Or just the passive worked? Passive worked ( the default) so did not test further, I might later if get time
As to webhost not supporting sftp, that is easy enough - change webhosts ;) Run your own vps, etc. Its not like you can not host a website at a billion different places. If one doesn't provide the services you want - move to one that does ;)
It not my Webhost or my Script. I host the application on my server for a client. I have no control over their webhost or application. -
So if it was pfsense - why would filezilla work? Test the active connection using filezilla.
As I stated from the beginning understanding ftp is key to troubleshooting this. Why would you not test the active??? Just to have the info, be it you use it or not. And pretty sure that is what your script it using.
Your going to have to follow the path.. Sniff traffic on both sides of pfsense, are the ports right for the command given. Clearly taffic was sent to your client from pfsense. So why did it not respond??
-
Clearly taffic was sent to your client from pfsense. So why did it not respond??
Absolutely no idea which is why this is swo frustrating.
The only common thing between any of this is PFsense, Differnet FTP site works, Different client works, Seems that different FTP application works too, but I need to investigate that more it seems.
Ken
-
So different ftp sties work, different clients works. You have validated that pfsense is doing what it is suppose to do - yet you still think pfsense is the issue :rolleyes:
You have a sniff of pfsense sending your ftp machine traffic, and that machine not answering - but hey its pfsense, dude really??
-
So different ftp sties work, different clients works. You have validated that pfsense is doing what it is suppose to do - yet you still think pfsense is the issue :rolleyes:
You have a sniff of pfsense sending your ftp machine traffic, and that machine not answering - but hey its pfsense, dude really??
Rep Really!
Finally had a chance to dedicate some time to this again and schedule downtime to try some things.
First one was to install a new firewall with no rules aside from the default outbound nat and an inbound rule to my protected server i am using to upload from.Happy to say the result is that ftp upload works perfectly thru the newly installed firewall.
Reinstalled all of my other firewall rules and services to my hosted network and all is good.
I have no idea what has caused pfSense to break, but it most definitely did. From now on I will ensure that i will always have a second device to failover to, or a method to easily roll back to known good configuration at all times.
Thanks for your assistance
ps, if anyone is interested I can make available a vmware backup of the installation to facilitate further analysis.
Ken
-
"I have no idea what has caused pfSense to break"
You had a sniff of pfsense sending the traffic on - how is that pfsense broke??
-
Its sorta easy to change something you thought was small and break things…
Which takes me back to my statement 2 months ago. Wipe, reinstall. -
Its sorta easy to change something you thought was small and break things…
Which takes me back to my statement 2 months ago. Wipe, reinstall.Update from last night, the problem reappeared this morning with the new install.
reinstallagain with only no inbound rules at all and the default outbound NAT rules applied. Same thing is still happening. Not able to get the FTP data transfer happening.
In order to test i rejigged the windows host to bypass the firewall and connect directly to the internet FTP up and down works fine.
I have found a few posts on issues with Pfsense and Vmware Nics, has anyone ever experienced issue with PFsense on vamware ( esxi ) before?
In the original post on the subject I mentioned that the problem first arose after an unclean shutdown of the host. the only thing i can think of now is some weird interaction between Vmware and PfsenseKen
-
I am running pfsense on esxi, have been for years.
Dude you did a sniff on pfsense showing it sending the traffic on - and I thought you even had a sniff on the client seeing the traffic??? If not do that test again..
Seems to me is your ftp client/server is the problem and your looking in the wrong place..
-
yep we had packet captures that showed traffic both inside and out.
The ftp server my users are trying to connect to is accessible with no issue, from every other network / internet connection I have access to (6 different sites), and with as many different clients. Windows, Linux, smartphone. The ONLY site I cannot connect from successfully is those behind the PFsense ( and monowall) firewalls running i have tried on this Vmhost.
A windows server on the same vmnetwork but outside the firewall can ftp OK.The FTP server running behind this same vmhost, shows the same issues when trying to connect from outside regardless of what firewall I use. From within the VM network, I can connect to the ftp service running internally withing the protected network as long as do not have the firewall as the default gateway.
It seems that any connection to an FTP server that has the firewall in the path in any fashion fails.
As i mentioned all was working successfully with no changes to any of the clients, hosts, and networks up until the Vmserver was forced down.
The only thing I can now try is to replace the vmhost host itself ( or reinstall ESXi ) and see if the problem still persists.
The vmhost is the only place it can be failing.Ken