Ftpsesame not starting on WAN interface.
-
Hi All,
I'm not sure if this needs to be in Carp, NAT or General forum, sorry.
We're having problems with the ftp-helper on the WAN port of a HA Carp Failover pair of firewalls.
I've attached a diagram of the setup we're using.
Both Firewalls are: 1.2-RELEASE
Basically the problem is that we can enable the ftp-helper on all interfaces apart from the WAN interface.
What we need to see running is ftpsesame on the WAN interface, but regardless of the ftp-helper setting
we just can't get it to run. We see the following only...
$ ps -ax | grep ftp
15803 ?? Ss 0:38.45 /usr/local/sbin/pftpx -c 8023 -g 8021 193.x.x.2
90643 ?? S 0:00.00 sh -c ps -ax | grep ftp
90645 ?? R 0:00.00 grep ftp
...This is with the ftp-helper enabled on WAN and SECURE/193.x.x.2 (which is a renamed OPT port).
We have however been able to get ftpsesame running manually by running the command....
/usr/local/sbin/ftpsesame -i em1
...and this indeed resolves the issue and enables ftp users outside of the network to connect to
ftp servers inside on the "SECURE" LAN.
We're using CARP as a failover VIP solution and we've got an advanced outbound manual NAT rule set up as follows...
Interface: WAN
Source: 193.x.x.0/23
Source Port: *
Destination: *
Destination Port: *
NAT Address: 82.x.x.20
NAT Port: *
Static Port: NO
Description: Use WAN-CARP For SECURE
I'd love to know why ftpsesame won't start automatically on the WAN port regardless of the setting of
ftp-helper on the WAN interface config page. Could it be the way we've got the above NAT configured?
I'm wondering if a more permanent solution could be to start ftpsesame permanently on the WAN port by using...
<afterfilterchangeshellcmd>/usr/local/sbin/ftpsesame -i em0</afterfilterchangeshellcmd>
...in the config file. I've tried this on another HA fw pair and it seemed to do the trick
(as in ftpsesame was showing up in a ps -ax | grep ftp command).
To clarify... we're using CARP and not proxy-ARP IPs.
Also... we're using publicly routable IPs on the WAN and SECURE interfaces.
Everything else works as expected on the firewalls :-)
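The post above checks for the helper with ps -ax | grep ftp and then proposes starting it from an afterfilterchangeshellcmd hook. The script below is an added example written for this thread, not pfSense's own code: it wraps that same ps check in a function so the hook only starts ftpsesame when no instance is already bound to the interface. It assumes the hook may fire again on every filter reload (which the thread does not state), that ftpsesame lives at /usr/local/sbin/ftpsesame as in the listing above, and it uses a constructed ps sample so the logic can be exercised without a firewall.

```shell
#!/bin/sh
# Added example for this thread, not pfSense code: check whether ftpsesame is already
# running for a given interface before starting it, so a hook such as
# <afterfilterchangeshellcmd> does not pile up duplicate helpers on every filter reload
# (that the hook re-runs on each reload is an assumption made here, not stated in the thread).

# Constructed sample of `ps -ax` output, modelled on the listing in the thread.
SAMPLE_PS='15803  ??  Ss     0:38.45 /usr/local/sbin/pftpx -c 8023 -g 8021 193.x.x.2
20111  ??  Ss     0:00.10 /usr/local/sbin/ftpsesame -i em1
90643  ??  S      0:00.00 sh -c ps -ax | grep ftp
90645  ??  R      0:00.00 grep ftp'

# Command used to start the helper; overridable so the logic can be exercised
# on a box where the real binary is absent.
: "${FTPSESAME_START_CMD:=/usr/local/sbin/ftpsesame}"

# ftpsesame_running IFACE [PS_OUTPUT]
# Exit status 0 if PS_OUTPUT (default: live `ps -ax`) shows ftpsesame bound to IFACE.
# Matching the full binary path plus "-i IFACE" (followed by a space or end of line)
# ignores the grep process itself and helpers bound to other interfaces such as em10.
ftpsesame_running() {
    iface=$1
    ps_out=${2:-$(ps -ax)}
    printf '%s\n' "$ps_out" \
        | grep -q -e "/usr/local/sbin/ftpsesame -i ${iface} " \
                  -e "/usr/local/sbin/ftpsesame -i ${iface}\$"
}

# ensure_ftpsesame IFACE [PS_OUTPUT]
# Starts the helper only when none is running for IFACE; prints what it did.
ensure_ftpsesame() {
    iface=$1
    if ftpsesame_running "$iface" "$2"; then
        echo "ftpsesame already running on $iface"
        return 0
    fi
    echo "starting ftpsesame on $iface"
    "$FTPSESAME_START_CMD" -i "$iface"
}

# When invoked with an interface name, act on the live process list,
# e.g. from the hook: <afterfilterchangeshellcmd>/path/to/this.sh em0</afterfilterchangeshellcmd>
if [ -n "${1:-}" ]; then
    ensure_ftpsesame "$1"
fi
```

Pointing the hook at this wrapper instead of the bare ftpsesame command keeps the check idempotent: a second filter reload finds the existing helper and does nothing, and a helper bound to a different interface (em1 in the sample) does not mask a missing one on em0.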
-
Sounds like this might be a bug, though I don't have time to look into it immediately. Opened a "needstest" ticket to check into when time permits.
-
ftpsesame is normally not used for this in pfSense. pftpx normally is.
Can you please follow these hints and see if any of these resolve your issue: http://devwiki.pfsense.org/FTPTroubleShooting
-
OP has a routed public IP subnet; pftpx is only used in the case of NAT, no?
-
To add to this… yes it is definitely a public IP subnet (PI space issued by RIPE).