FTP support needs work
-
I've spent hours reading through these forums and other sites, trying to get inbound passive FTP working. Nothing works.
I'm going to resort to trying to define the passive port range on the servers (all kinds of operating systems and FTP servers; this should be fun to figure out), and then open those ports on the firewall. Even then I don't know if it will work, because when my FTP servers receive the PASV command, they respond with their own internal IP address. Yes, I could change this (on the Linux servers anyway; I don't see any way to do it in Windows 2000 IIS), but then this breaks internal FTP!
I think there need to be some large-type warnings that come along with pfSense, alerting potential users that FTP does not always work.
Reading through these forums, I can see I'm not alone on this.
-
OK, I tried my plan, setting the passive ports on one of the Linux servers and changing it to report its external IP. This works, but it breaks internal FTP.
Is there any way around this? Some way to have the server respond with its internal IP, but have the firewall translate it to the external IP as it passes through? Our old Cisco box did this; I think they called it an FTP fix-up.
Plus, I don't think there is any way to tell IIS FTP to respond to PASV commands with anything other than its own real internal IP?
-
Ok, here's how I got around these problems, hopefully this is useful to others who are having problems with FTP.
For my Windows servers, I'm installing FileZilla FTP Server and dumping IIS. FileZilla makes it easy to configure a port range (vs. registry hacks for IIS), and easy to configure it to use whatever IP address you want when announcing its external IP address (IIS can't even do this). Additionally, it has a setting for NOT using this external IP when talking to internal clients! So internal FTP still works.
For Linux, I just added these options to my vsftpd.conf file. Most other Linux FTP servers will have something similar.

pasv_address=<my_external_ip>
pasv_min_port=<my_beginning_port_range>
pasv_max_port=<my_ending_port_range>

Then I opened that port range on the firewall for hosts that need FTP.
Still, I am hoping the FTP stuff is working better in the next release of pfSense; then we may be able to move our other public subnet over from the Cisco box to a pfSense box.
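The two things the thread circles around are (a) the "FTP fix-up" the Cisco box did, i.e. rewriting the address in the server's 227 PASV reply as it crosses the firewall, and (b) why pasv_address/pasv_min_port/pasv_max_port (or FileZilla's "don't use external IP for local connections") make passive mode work for internet clients without breaking LAN clients. The Python below is an added illustration written for this page, not code from pfSense, vsftpd, FileZilla or the original poster. It parses an RFC 959 227 reply, leaves it alone for an internal client, rewrites the advertised address to the firewall's public address for an external client, checks that the advertised port falls inside the range opened on the firewall, and refuses a reply that points the client at some third host (the FTP bounce pattern). All addresses, the internal network and the port range are constructed sample values, not the poster's.

```python
import ipaddress
import re

# Constructed sample values for this example; assumptions, not values from the original post.
SERVER_IP = "192.168.1.20"          # what the server puts in its 227 reply when pasv_address is unset
EXTERNAL_IP = "203.0.113.10"        # the firewall's public address (what pasv_address would be set to)
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
PASV_RANGE = (50000, 50100)         # the range opened on the firewall, cf. pasv_min_port/pasv_max_port

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Parse an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip, port):
    """Build the 227 reply for ip:port in the h1,h2,h3,h4,p1,p2 form (port = p1*256 + p2)."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


def fixup_pasv(reply, client_ip):
    """Rewrite a 227 reply the way a firewall 'FTP fix-up' would as the reply leaves the server.

    - Internal client: forward the reply untouched, so LAN transfers keep using the internal address.
    - External client: replace the server's internal address with EXTERNAL_IP, but only if the
      advertised port lies inside the range the firewall has opened (otherwise the data
      connection would be dropped at the firewall anyway).
    - A reply advertising any other address is refused: it would send the client's data
      connection to a third host, which is the FTP bounce pattern a fix-up must not forward.
    """
    ip, port = parse_pasv(reply)
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return reply
    if ip not in (SERVER_IP, EXTERNAL_IP):
        raise ValueError("227 reply advertises %s, not the server or the firewall" % ip)
    lo, hi = PASV_RANGE
    if not lo <= port <= hi:
        raise ValueError("passive port %d is outside the opened range %d-%d" % (port, lo, hi))
    return format_pasv(EXTERNAL_IP, port)


if __name__ == "__main__":
    # Constructed: what a server without pasv_address set would send for a data port of 50010.
    sample = format_pasv(SERVER_IP, 50010)
    print(fixup_pasv(sample, "192.168.1.50").strip())   # LAN client: reply forwarded unchanged
    print(fixup_pasv(sample, "198.51.100.7").strip())   # internet client: address rewritten
```

Setting pasv_address on the server is the same rewrite done at the source instead of in the firewall, which is exactly why it breaks LAN clients unless the server (as FileZilla does) also knows which clients are local.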