Netgate Discussion Forum

FTP Server Behind pfSense, Virtual IPs

  • J
    JOTS
    last edited by Oct 24, 2016, 12:56 PM

    I have a basic IIS FTP server running behind pfSense, port 21 and passive range allowed in firewall. Virtual IPs are set up as IP Alias and 1:1 NAT is configured. I don't know if it was by mistake or not, but everything was working fine until I updated to 2.3.2-RELEASE-p1. I don't recall the version prior to the upgrade, but it would have been from mid-2014. Post upgrade, I get a username / password prompt from the FTP server, but then encounter a 200 and 227 error that seems to indicate it can't enter passive mode successfully. I keep seeing references to a proxy helper application, but other than a single value on the System Tunables page, I don't know what options are available or really what it does. Any assistance in restoring functionality would be greatly appreciated.

    Thanks!

    • K
      KOM
      last edited by Oct 24, 2016, 1:33 PM

      I had an FTP server running just fine under 2.3.2 before I nuked it in favour of a local ownCloud instance.  I hate FTP with a passion and was just looking for an excuse to get rid of it.  Don't use 1:1 NAT.  A port-forward for 21 and one for your passive range should be enough.

      • J
        JOTS
        last edited by Oct 24, 2016, 1:43 PM

        I'm using 1:1 NAT because I have a /28 on the WAN interface and using several public IPs for multiple internal servers. Is there a better way to do it?

        • K
          KOM
          last edited by Oct 24, 2016, 1:57 PM

          Is there a better way to do it?

          I prefer to only define the necessary connections.

          When you capture an FTP login session, what does it say?

          • J
            JOTS
            last edited by Oct 24, 2016, 2:33 PM

            Found the problem. The FTP server was not using the configured dynamic port range for some reason. Confirmed the port range and restarted the service and now all is well. Feel kind of stupid for not checking that sooner in the client logs. I guess this had nothing to do with the pfSense update, unless the proxy was doing something before that it isn't now. Thanks for pointing me in the right direction.

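A check along the lines of the fix described in the post above, as an added example that is not part of the thread: it parses the 227 replies out of an FTP client log and flags any whose advertised address or port would not pass the firewall's forwards. The log lines, the public IP 203.0.113.10 and the 50000-50100 passive range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: control-channel replies as an FTP client log shows them.
SAMPLE_LOG = """\
200 Type set to I.
227 Entering Passive Mode (192,168,10,20,195,80).
227 Entering Passive Mode (203,0,113,10,19,136).
227 Entering Passive Mode (203,0,113,10,195,149).
"""

# 227 reply payload is (h1,h2,h3,h4,p1,p2) per RFC 959.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)",
    re.M,
)

def parse_pasv(log):
    """Yield (ip, port) for every 227 reply; port = p1 * 256 + p2."""
    for m in PASV_RE.finditer(log):
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            continue  # malformed octet, not a usable reply
        ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
        yield ip, nums[4] * 256 + nums[5]

def check_pasv(log, public_ip, port_range):
    """Return [(ip, port, problems)] for each 227 reply in the log.

    public_ip:  address clients reach the server on (assumed value here)
    port_range: (low, high) passive range allowed through the firewall
    """
    lo, hi = port_range
    expected = ipaddress.ip_address(public_ip)
    results = []
    for ip, port in parse_pasv(log):
        problems = []
        if ip != expected:
            problems.append("address is not the forwarded public IP")
        if not lo <= port <= hi:
            problems.append("port outside forwarded passive range")
        results.append((str(ip), port, problems))
    return results

if __name__ == "__main__":
    for row in check_pasv(SAMPLE_LOG, "203.0.113.10", (50000, 50100)):
        print(row)
```

A reply flagged for its port points at the server's passive range setting; a reply flagged for its address points at the server's external IP setting or at NAT.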
            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Oct 25, 2016, 4:13 PM

              You can have lots and lots of IPs on your wan, doesn't mean you have to 1:1 nat them to stuff behind.  Just port forward the traffic you need.

              I'm with KOM, ftp should really just die already..  Why it hasn't just blows my mind.. Why are you not using SFTP for file transfers or just http/https?  Why do you still need to be running such an old school protocol which was designed way before there was nat, etc. and everyone was just on public IPs.

              Active/Passive - nat doesn't play nice..  Helpers/Proxies you to hide the complexity from the users/admins.  But those are being dropped because to be honest ftp should have died off 5+ years ago at the latest.

              Glad you got your issue sorted, but ftp is still not secure.  Are you doing ftps or ftpes at least?  Why can you not move to a more secure easier to use protocol for movement of files?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • K
                KOM
                last edited by Oct 25, 2016, 5:07 PM

                I'm more than happy with our new ownCloud versus our crappy old FTP server.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.