Ftpsesame not starting on WAN interface.

  • Hi All,

    I'm not sure if this needs to be in Carp, NAT or General forum, sorry.

    We're having problems with the ftp-helper on the WAN port of a HA Carp Failover pair of firewalls.

    I've attached a diagram of the setup we're using.

    Both Firewalls are: 1.2-RELEASE

    Basically the problem is that we can enable the ftp-helper on all interfaces apart from the WAN interface.

    What we need to see running is ftpsesame on the WAN interface but regardless of the ftp-helper setting
    we just can't get it to run.

    We see the following only…
    $ ps -ax | grep ftp
    15803  ??  Ss     0:38.45 /usr/local/sbin/pftpx -c 8023 -g 8021 193.x.x.2
    90643  ??  S      0:00.00 sh -c ps -ax | grep ftp
    90645  ??  R      0:00.00 grep ftp
    ...This is with ftp helper enabled on WAN and SECURE/193.x.x.2 (which is a renamed OPT port)

    We have however been able to get ftp sesame running manually by running the command....

    /usr/local/sbin/ftpsesame -i em1

    ...and this indeed resolves the issue and enables ftp users outside of the network to connect to
    ftp servers inside on the "SECURE" LAN.

    We're using CARP as a failover VIP solution and we've got advanced outbound Manual NAT rule setup as follows...

    Source Port:*
    Destination Port:*
    NAT Address:82.x.x.20
    NAT Port:*
    Static Port:NO
    Description:Use WAN-CARP For SECURE

    I'd love to know why ftpsesame won't start automatically on the WAN port regardless of the setting of
    ftp-helper on the WAN interface config page.  Could it be the way we've got the above NAT configured?

    I'm wondering if a more permanent solution could be to start ftpsesame more permantly on the WAN port by using...

    <afterfilterchangeshellcmd>/usr/local/sbin/ftpsesame -i em0</afterfilterchangeshellcmd>

    ...in the config file.  I've tried this on another HA fw pair and it seemed to do the trick
    (as in ftpsesame was showing up in a ps -ax | grep ftp command).

    To Clarify... we're using Carp and not proxy-arp IPs.

    Also.. we're using publicly routable IP's in the WAN and SECURE interfaces.

    Everything else works as expected on the firewalls :-)

    Thankyou in advance.

  • Sounds like this might be a bug, though I don't have time to look into it immediately.  Opened a "needstest" ticket to check into when time permits.

  • ftpsesame is normally not used for this in pfSense.  pftpx normally is.

    Can you please follow these hints and see if any of these resolve your issue: http://devwiki.pfsense.org/FTPTroubleShooting

  • OP has a routed public IP subnet, pftpx is only used in the case of NAT, no?

  • To add to this… yes it is definitely a public IP subnet (PI space issued by RIPE).