FTP Client problem

stephenw10

No.
Passive FTP will work fine with the client behind pfSense without the proxy package.
Active FTP requires the client proxy package.

Since the Windows ftp client apparently only supports active mode you need the client proxy package.

https://www.netgate.com/docs/pfsense/nat/ftp-without-a-proxy.html#client-behind-pfsense

But are you sure those servers don't support encrypted mode? If they do you just switch to that.

Steve

johnpoz

So which is it you do not read english, or your trolling... Have been over this multiple times now!!

Please what part is unclear here

Again the ftp client (ftp.exe) in windows only supports ACTIVE... If you want to use active on clients behind pfsense then you need to install that package..

If your clients use passive then no you do not need the package...

And before that how can this be clearer

ms ftp client only supports active mode. If you want to use active mode ftp with client behind pfsense to ftp server outside pfsense you need to install the ftp package and configure it. Its called FTP_Client_Proxy in the packages.

Your ftp.exe command tells the server hey lets do passive - and the server answers back ok, lets do passive - connect here on this port... The problem is the ftp.exe from windows will not do passive... You have to use the ftp package in pfsense to allow for active connections from clients behind pfsense because the firewall needs to open the port back to the client..

sasa1

Hi,
it does not work either in active or passive mode.
I installed the ftp proxy package and I indicated the LAN as an interface to be used (I have not modified any other parameter) but also in this way I always have the same problem.

I'm sorry if I did not understand what you told me but I can not understand where I'm wrong.
Thanks.

stephenw10

If you set 'Log Connections' in the proxy settings do you see firewall log entries for it?

Do you see blocked traffic from the FTP server?

You might try using a different FTP client as a test here such as Filezilla. That will show you exactly what it's doing.

Steve

johnpoz

is the checkbox set to move it up the higher on the rules?

Here just tested this

C:\WINDOWS\system32>ftp speedtest.tele2.net
Connected to speedtest.tele2.net.
220 (vsFTPd 2.3.5)
200 Always in UTF8 mode.
User (speedtest.tele2.net:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
1000GB.zip
100GB.zip
100KB.zip
100MB.zip
10GB.zip
10MB.zip
1GB.zip
1KB.zip
1MB.zip
200MB.zip
20MB.zip
2MB.zip
3MB.zip
500MB.zip
50MB.zip
512KB.zip
5MB.zip
upload
226 Directory send OK.
ftp: 183 bytes received in 0.02Seconds 11.44Kbytes/sec.
ftp>

active works just fine with windows ftp client behind pfsense..

You can see where its allowed through the firewall with these rules

 	Jan 30 12:28:54 	► LAN 	(@0) 	90.130.70.73:20		192.168.9.100:55659		TCP:S
	Jan 30 12:28:54 	WAN 	(@0) 	90.130.70.73:20		192.168.9.100:55659		TCP:S

Here doing it again with sniff..

Notice the port command sent is my machine rfc1918 IP, the ftp client changes that to my public IP, and if you do the math on the command (217*256)+148 = 55700 which is the port the data channel is sent to..

sasa1

@stephenw10
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 0
Stato: Risoluzione dell'indirizzo IP x.y.eu in corso
Stato: Connessione a x.x.x.x:21...
Stato: Connessione stabilita, in attesa del messaggio di benvenuto...
Trace: CFtpControlSocket::OnReceive()
Risposta: 220 Microsoft FTP Service
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Comando: USER pippo
Trace: CFtpControlSocket::OnReceive()
Risposta: 331 Password required
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Comando: PASS **********
Trace: CFtpControlSocket::OnReceive()
Risposta: 230 User logged in.
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 9
Comando: OPTS UTF8 ON
Trace: CFtpControlSocket::OnReceive()
Risposta: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Trace: CFtpLogonOpData::ParseResponse() in state 9
Stato: Accesso effettuato
Trace: Measured latency of 5 ms
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpLogonOpData::Reset(0) in state 14

sasa1

@johnpoz I do not work, when I run "ls" I have the error message that I attach 0_1548873937691_ftp error.JPG

johnpoz

I don't see any port or pasv command sent in that log... Just sniff on the wan and lan of pfsense while you doing this so you can validate what is happening... ftp control is in the clear so as you see above you can see exactly what is sent by the client in the control channel. If when you sniff on the wan side you will see the ftp package change your port command to your actual public IP

Is pfsense behind a NAT? Not going to work if behind a NAT..

Is the wan of pfsense on a public IP? Sniff while you do that test of ftp to speedtest.tele2.net

So we can see exactly what is happening.

sasa1

yes, the computer is behind a NAT, it has a private IP address.

johnpoz

NO pfsense is its wan a rfc1918 or the is it public?

sasa1

@johnpoz on pfsense I have wan interface e lan interface, on wan interface I have an public IP address.

johnpoz

Like I said do a simple sniff.. And you can see exactly what is going on..

Here sniff (diag, packet capture on my wan) you can see my login on port 21... See where the PORT command gets changed to my public IP..

Then here comes the data connection to the port in the the port command

(200*256)+175 = port 51375

sasa1

This post is deleted!

sasa1

@johnpoz sorry I do not know how to capture the really useful information, in the figure I sent I deleted the private IP address that is shown in the capture

johnpoz

Dude are you hiding a 10.x.x.x address? Why??? They are private and do not route on the internet... That info is useless to anyone knowing what it is.. Its like telling you I live in the US.. or the planet Earth.. Notice how I didn't hide my 192.168.9.100 address ;) You can capture the info right on pfsense.. diagnostic menu packet capture.

Do the capture on your WAN interface so we can validate its getting changed to your public wan IP.. Then just download the capture and open with wireshark.

In wireshark just right click on say the syn of the control channel and say follow stream.

BTW, I am a mod so I can see your deleted post ;) There is ZERO reason to hide 10.0.0.18.. You need to validate that gets changed on your WAN.. This is why you need to do the sniff on the WAN of pfsense to validate your ftp package is working.

here

Then download and open with wireshark

sasa1

@johnpoz here is the log, I hope it contains useful information.
Thanks.

johnpoz

So he sent data connect to port 51069, which is correct per the PORT command.. (199*256)+125 but no answer..

Did the package not create the firewall rule? Did it not get placed at the top like I asked before

Did the pfsense forward it, but your client didn't answer? Sniff on the LAN side now when you do the test.. We can see from the sniff that the PORT command was changed to your public IP with that 167.x.x.x

So yeah its very useful information.

What are your firewall rules on your WAN? Are you running packages like Snort or Pfblocker?

sasa1

@johnpoz I have checked the "Early Firewall Rule" but I do not see any new rules in either LAN or WAN.
In Rules -> WAN I have only the default rules and I do not use Snot or similar packages.
Thanks. 0_1548929897416_rules WAN.PNG

johnpoz

Well from your sniff you can see that the data connection was sent on by pfsense - so its doing EXACTLY what it is suppose to do... Yet your client is NOT answering...

(193x256)+69 = port 49477

You see all the SYN to your clients IP 10.0.0.18... Why does it NOT answer? Host firewall?

So why would your client not answer. I can see that the port is not set to 20 as source.. But it was on your sniff on WAN, Its possible your client WANTS that... Click this in in the package

Now test it again.. Bet you works now.

sasa1

@johnpoz with WIndows Firewall disable the ftp problem did not occur !
there was no need to check "rewrite source ..".
On the windows firewall do I have to enable traffic on high ports?
thank you