Netgate Discussion Forum

    Hi, Problem accessing FTP behind pfSense firewall

    46 Posts 5 Posters 17.2k Views
    • dvirshiber

      Hello everybody. I would like to thank in advance anybody who will try to help me.

      In our company we moved from Checkpoint 500W safe@office to pfsense router.

      Before the change, everything was fine with the FTP, and our clients could easily access the FTP.
      The rule at the Checkpoint was simple: it was called "Allow and Forward", and the settings were: allow and forward port 21 to a single host: 192.168.0.9.
      Of course there was a NAT setting between the internal IP (192.168.0.9) and the external IP (let's say for example: 213.8.246.9).

      After the installation of pfSense I created a 1:1 NAT between the internal and external IP, and even validated that when I go out from the FTP I'm getting the external IP: 213.8.246.9.
      In addition, I created a port forward rule from any to the internal IP at port 21 (and it also associated an auto rule after that).

      The problem:
      When our clients try to access the FTP site, they are able to connect and are successfully authorized by our FTP, but they cannot perform any other command (like LIST, GET, CD etc.).

      I have to say that from FileZilla they also got a message like "Status: Server sent passive reply with unroutable address. Using server address instead."
      Only when I change the setting to ACTIVE mode are they able to connect with full success.
      But if they try to open the FTP via browser they immediately get an error on the web page after they succeed in typing their credentials.

      • doktornotor (Banned)

        https://doc.pfsense.org/index.php/FTP_without_a_Proxy

        Answered about 3 bazillion times, there's a search feature here.

        • dvirshiber

          Hi,
          Thanks for your answer.
          I also went over almost every message here, but no one had the same problem as me and every suggestion or tutorial simply does not help.

          • doktornotor (Banned)

            @dvirshiber:

            but no one had the same problem as me

            That's just complete nonsense. Plus, as suggested on the linked doc:

            3. The server may also need to be configured to account for NAT. Some clients will ignore private addresses in passive responses so this may not be necessary.

            your FTP server is misconfigured. It should be sending the public IP, not the RFC1918 one. "Status: Server sent passive reply with unroutable address."

            • dvirshiber

              I just wanted to remind you that with the Checkpoint firewall everything worked just fine with the simple rule I mentioned.

              Please, if you don't have the time or patience, there is no need to respond.

              • doktornotor (Banned)

                Sigh. Fix your FTP server. There's nothing to be done on pfSense beyond what's already documented by the docs I linked. If that doesn't work for you:

                • switch to a different FTP server
                • switch to a different FTP client
                • stop using the FTP junk

                If you are waiting for a miraculous solution, then there's none. End of story.

                • johnpoz (LAYER 8 Global Moderator)

                  Your other firewall has a helper/proxy just like pfSense USED to HAVE. They finally removed such nonsense; hopefully it will push people to move away from such an antiquated system as FTP. When things work people just leave them; maybe breaking it will make them actually understand the protocol and firewall to set up the rules and FTP server to work correctly.

                  An FTP server works just fine behind pfSense, both active and passive; clients work just fine to FTP outside of pfSense, active or passive, if you set up the rules and client/server correctly.

                  You just do not have a helper doing it for you behind the scenes now like your other firewall is doing for you. Which cannot work if using FTPS since it cannot see the encrypted control traffic.

                  Why would you not be running SFTP vs FTP anyway??

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • mer

                    @johnpoz:

                    Why would you not be running sftp vs ftp anyway??

                    I agree with everything else about dumping FTP;  but in answer to this is "sometimes you're forced to".  I have one situation;  a program on a Windows machine that needed to get a license file after install.  Deep in the bowels of the program it was actually doing an ftp to pull the license file (verified by packet capture).  Yuck.  Of course tech support had no idea what I was talking about when asking "why are you using ftp to pull down a license file instead of a more secure protocol".  Simple answer was install the ftp proxy, enable FTP temporarily, get the license file, turn off proxy, disable ftp.  Wife's computer, landscape design program, so no I had no alternative. :o

                    • johnpoz (LAYER 8 Global Moderator)

                      So they were using active FTP to grab a license file? Because in passive FTP you have to do nothing for it to work. Only if you were running a passive server behind pfSense would you have to do anything on the firewall.

                      If they were using the built-in FTP in Windows that would use active FTP.

                      So this company had no website to pull the file, and they thought FTP was better for pulling a license than just plain HTTP? Makes no sense at all.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • dvirshiber

                        Our company uses that old-fashioned protocol just because it is a safe and simple way to transfer files between our LAN and their system (via an ActiveX control called "ChilkatFTP").
                        It is very simple and quick to perform commands like LIST, CD and GET file, and that's why we chose it.

                        I understand the problem is that I am missing one rule or maybe a little setting, but unfortunately I'm getting the easy answer like "what the hell, read the manual!"

                        You see, the manual can't tell you what is wrong with your setting, and nowhere can you find a problem with the LIST command described.

                        I understand I have a misconfigured server... OK, that is a very big word. It can be anything.

                        I just want to understand what the mysterious setting is that I have to set at the FTP server. That's all. You have all the information you need.

                        Meanwhile I rolled back to the Checkpoint (and of course everything is back to working fine) and it is very annoying that I can't install that free solution (and better... so I heard) just because of that stupid rule I am missing.

                        • doktornotor (Banned)

                          @dvirshiber:

                          Our company use that Old fashion protocol just because it is a safe and simple way to transfer files betwe

                          ROFL. Look, it's neither simple (badly broken with NAT both client- and server-side), nor secure (since, apparently you don't use encrypted FTP, otherwise there would be nothing changed for you b/w 2.1.x and 2.2.x, since the helper of course never worked with encrypted traffic.)

                          • mer

                            @johnpoz:

                            So they were using active FTP to grab a license file? Because in passive FTP you have to do nothing for it to work. Only if you were running a passive server behind pfSense would you have to do anything on the firewall.

                            If they were using the built-in FTP in Windows that would use active FTP.

                            So this company had no website to pull the file, and they thought FTP was better for pulling a license than just plain HTTP? Makes no sense at all.

                            Agreed it makes no sense at all; but that's what I had to do and no one understood what I was talking about.

                            • johnpoz (LAYER 8 Global Moderator)

                              So you're the admin, and you made the move to pfSense from Checkpoint? Why are you involved with this and don't know how to create a firewall rule to allow public access to your FTP server??

                              Maybe you should hire someone. You can hire services from pfSense if you cannot figure it out.

                              So what ports is your FTP server using for its passive range? You would need to forward these through the firewall, just like you do with the port 21 control channel. So in your FTP server set the FTP passive range to be, say, 5000 to 6000, then forward those TCP ports to your server. You will also need to make sure the server uses its actual public IP and not its private IP.

                              You really should understand how FTP works if you're going to be doing the firewall rules for your company.
                              Excellent write-up: http://slacksite.com/other/ftp.html

                              If the clients were using active it should work, unless you block your FTP server from talking to the public net?? So you have rules limiting your network to, say, 80, 443, etc. In an active connection you have no idea what port the client will tell your server to connect to.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

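The two checks the replies above describe (doktornotor: the server must advertise its public IP in the passive reply, not the RFC1918 one; johnpoz: the passive port range must be forwarded alongside port 21) can both be made against a captured 227 reply. The script below is an added example for this thread, not code from the posters or from pfSense; the sample replies are constructed, using the private address, public address and 5500-5700 passive range quoted in the thread.

```python
import ipaddress
import re

# Constructed sample 227 (PASV) replies per RFC 959; not captured from the poster's
# server. The first is the failure mode from the thread: the server behind 1:1 NAT
# advertises its private address 192.168.0.9, so LIST/GET hang after login.
SAMPLE_PASV_PRIVATE = "227 Entering Passive Mode (192,168,0,9,21,124)."
SAMPLE_PASV_PUBLIC = "227 Entering Passive Mode (213,8,246,209,21,124)."
SAMPLE_PASV_OUT_OF_RANGE = "227 Entering Passive Mode (213,8,246,209,39,16)."

# Passive range the server was configured with in the thread; the same TCP range
# must be port-forwarded on the firewall, in addition to port 21.
PASSIVE_RANGE = (5500, 5700)

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_peer: str, passive_range=PASSIVE_RANGE):
    """Diagnose a PASV reply the way a NAT-aware client and a firewall admin would.

    control_peer is the address the client opened the control channel to; it is
    the fallback FileZilla uses when the advertised address is unroutable.
    Returns the data address the client would actually use plus a list of findings.
    """
    ip, port = parse_pasv(reply)
    findings = []
    data_ip = ip
    if ipaddress.ip_address(ip).is_private:
        findings.append(f"server advertised unroutable address {ip}; NAT-aware "
                        f"clients fall back to {control_peer}, others fail after login")
        data_ip = control_peer
    elif ip != control_peer:
        findings.append(f"advertised address {ip} differs from control peer {control_peer}")
    lo, hi = passive_range
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside the forwarded passive range "
                        f"{lo}-{hi}; the firewall will drop the data connection")
    return {"data_ip": data_ip, "data_port": port, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_PASV_PRIVATE, SAMPLE_PASV_PUBLIC, SAMPLE_PASV_OUT_OF_RANGE):
        print(sample, "->", check_pasv(sample, "213.8.246.209"))
```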
                              • dvirshiber

                                OK guys, apparently none of you can really read and understand, both times (2 operations that are quite complicated).

                                I didn't say that I don't know how to create a rule, Mr. johnpoz.
                                If you read it again you'll figure out I just need to know what extra rule I am missing,
                                and all of that assuming that the same rules and configuration from the Checkpoint were working just fine.

                                I guess none of you is really an IT professional who can understand that in the REAL world of IT, sometimes you need to compromise on the technology to make the connection with your clients easier.
                                Here, we are working with ActiveX, a very simple connection and control. You need to consider time, and time-to-market elements, in every aspect of your work.

                                And that was a little monologue of 20 seconds on how things work.

                                Of course the FTP server is using its public IP, as I already said I set a 1:1 NAT between the private and public IP.

                                I also configured the FTP server to use a narrow range of passive ports, something like 5500-5700.

                                I guess the only thing I have missed is that explicit port forward of these passive ports I mentioned above.

                                If anything I just said is incorrect, you are very welcome to respond.

                                • doktornotor (Banned)

                                  @dvirshiber:

                                  I guess the only thing I have missed is that explicit port forward of these passive ports I mentioned above.

                                  Because configuring things as documented is much more difficult than producing 3 days worth of incessant rants. Right.

                                  • dvirshiber

                                    I think that you forgot that the purpose of this forum is not to educate people, but to try to help,
                                    even if you helped before with the same question.

                                    Anyway,
                                    have a good day, and happiness.

                                    dvir.

                                    • doktornotor (Banned)

                                      @dvirshiber:

                                      I think that you forgot that the purpose of this forum is not to educate people, but to try to help,

                                      OH RLY? You can purchase support for that.

                                      • dvirshiber

                                        Hi again,
                                        So, I decided today to give it a second chance, configured my FTP to work with the passive ports 5500-5700 and added that rule to the firewall.
                                        Still the LIST command didn't work.

                                        Here is a screenshot (attached); what do you think could be the mistake here:

                                        [Screenshot attached: 1.JPG (firewall rule)]

                                        • KOM

                                          Your firewall rule looks good. What about the corresponding NAT rule? How did you configure your FTP server? I run FileZilla Server behind pfSense 2.2.4 without any problems.

                                          • dvirshiber

                                            I set a 1:1 NAT between the internal IP (192.168.0.9) and the external IP (213.8.246.209).

                                            Here is the passive port range at the FTP server:

                                            [Screenshot attached: 1.JPG (FTP server passive port range)]

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.