FTP Client Proxy Package - not working - 2.3.1
-
Dear all
We would like to use the FTP Client Proxy Package with pfSense 2.3.1 so that our user can use an external passive FTP.
We can start an FTP session, but as soon as the client changes to passive mode, the connection times out.
What could be wrong?
I attached the settings for the plugin.
Thank you and best regards
Steve
-
The FTP Client Proxy is not necessary for local clients and a remote passive FTP server. The client side does not need anything special in that case. The server side is typically to blame for passive FTP issues, and the client side for active FTP issues.
One exception might be if you have a load balancing group active. If you are not careful your port 21 connection could leave one WAN and the data connection could leave another WAN, which the server would most likely reject.
-
Hi jimp
Sorry, I was unclear. We block nearly every port from LAN to WAN.
As far as I understand the plugin, it should help in this situation by opening the required ports for passive FTP on our side.
Is this correct?
Best regards
Steve
-
Yes it should help with that. Depending on how your rules are crafted you probably need to check "Early Firewall Rule" in the proxy options then.
-
Hi jimp
It is already active. See the screenshot from the first post.
Best regards
Steve
-
FTP Client Proxy is for active mode connections only. For passive mode it's always a static port range which you need to manually open in the firewall (because you know this range), and that's all.
This is the whole idea of FTP Client Proxy - detect the port (for an active connection) and open this port in the firewall. It has nothing to do with passive mode.
Regards
fr0t
-
> FTP Client Proxy is for active mode connections only. For passive mode it's always a static port range which you need to manually open in the firewall (because you know this range), and that's all.
> This is the whole idea of FTP Client Proxy - detect the port (for an active connection) and open this port in the firewall. It has nothing to do with passive mode.
That isn't quite true of the ftp-proxy daemon we use. While it does not alter the contents of the packets in PASV mode, it attempts to add rules for passive mode clients connecting to a remote passive mode server.
From the man page:
    In case of passive mode (PASV or EPSV):
      nat from $client to $server port $port -> $proxy
      pass in quick inet proto tcp
          from $client to $server port $port
      pass out quick inet proto tcp
          from $proxy to $server port $port

If that's not working, something else in the ruleset or config must be getting in the way.
-
Can I check somewhere why it does not work?
Best regards
Steve
-
Check the firewall logs, check the state table, see if the traffic is getting through on the correct port(s) or being blocked.
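
Added example, not part of the original thread or of pfSense: one way to work out which data port to look for in the firewall log and state table is to decode the server's 227 (PASV) or 229 (EPSV) reply from the FTP control session. The function names, the sample replies and the `blocked` set (destination address/port pairs copied by hand from blocked log entries, not pfSense's log format) are all constructed for illustration.

```python
import ipaddress
import re

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def data_endpoint(reply, control_server):
    """Return the (ip, port) the client will open the data connection to."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range in 227 reply")
        # First four numbers are the address, last two are the port (high, low byte).
        return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("port out of range in 229 reply")
        # EPSV carries only a port; the address is the control-connection peer.
        return control_server, port
    raise ValueError("not a 227/229 reply")

def diagnose(reply, control_server, blocked):
    """blocked: set of (dst_ip, dst_port) pairs taken from blocked firewall log entries."""
    ip, port = data_endpoint(reply, control_server)
    findings = []
    if ip != control_server:
        addr = ipaddress.ip_address(ip)
        kind = "RFC 1918" if any(addr in n for n in RFC1918) else "different"
        findings.append(f"server advertises {kind} address {ip}; control peer is {control_server}")
    if (ip, port) in blocked:
        findings.append(f"firewall blocked data connection to {ip}:{port}")
    return (ip, port), findings

if __name__ == "__main__":
    # Constructed sample input (documentation address range).
    server = "203.0.113.5"
    reply = "227 Entering Passive Mode (203,0,113,5,195,80)"
    blocked = {("203.0.113.5", 50000)}
    endpoint, findings = diagnose(reply, server, blocked)
    print("data endpoint:", endpoint)
    for line in findings:
        print("finding:", line)
```

An advertised address that differs from the control peer points at the server side; a blocked entry for the decoded port points at the local ruleset.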