Clients behind Pfsense cannot list external ACTIVE FTP servers
Everybody behind pfsense 2.1.5 (using pfsense as the router) cannot browse external ftp servers using active mode. The connection is established but the listing fails.
Normal routers don't have this problem.
How is this solvable?
Yes it is. For starters, get on a current supported version. 2.1.5 has been EOL for quite some time; it's over 2 years old, for gosh sake. Upgrade to current and install the FTP_Client_Proxy.
But that old a version still had the built-in helper/proxy; you just need to enable it. Keep in mind that if these connections are ftps or ftpes, where the control channel is encrypted, it will not matter. pfSense cannot see the traffic in this case to open the ports needed when the ftp server tries to make the data connection from source port 20, nor change the client's reported IP to the public one vs its most likely rfc1918 address.
Understanding how ftp works is a MUST if you want to support ftp in and out of a NAT firewall.
I found the option you mentioned and am now testing across 20+ PCs behind pfsense. This problem completely caught us off guard, to be honest.
About version 2.1.5 being old... Stable and reliable deployment in a production environment requires many months of testing. I can't jump at every new release.
Even so, at the time two versions were tested in-depth. 2.1.5 final and 2.2.2.
Looking at my notes, 2.2.2 failed because of:
- CARP would only function with LAGG at either LACP or FAILOVER
- Ironically LACP was broken and all firewall rules were ignored. All internal communication between interfaces would also fail.
- Limiters didn't work
- Deep packet inspection aka Layer7 also didn't work.
Anyhow, thanks for the help. I will reply back if it works.
And what about 2.2.6, which is the current supported release in the 2.2 line?
I did not suggest you install every new version that comes out... But what you do need to do is make sure the version you are running in your production setup is still actively supported. Which 2.1.5 is NOT!! You need to get to 2.2 at a minimum to be running a supported version.
Layer 7 is gone and won't be coming back, that I am aware of. If that is the reason you're not moving, then I guess you will be using a non-supported version forever, with all the security issues that come with not running a supported version??
If you need to do DPI, why not just run a real IDS?
It's more along the lines of "if it works, don't change it". All the functionality I need is working, except two things which came up very recently:
- outside active ftp
- Having multiple VoIP clients inside pfsense connecting to the same external VoIP service (dropped calls, etc.).
I have activated the tftp proxy option, selected all the interfaces, but it seems to fail. Should I create manual outbound rules?
For voip, I have installed the siproxd but all inbound calls end up falling after 40 seconds or less. Outbound calls work ok.
wtf does tftp proxy have to do with your ftp issue??
If I recall correctly, the ftp proxy in pfsense 2.1 was in the tunables section under Advanced: debug.pfftpproxy, which I believe was on if set to 0 and off if set to 1.
I really would have to fire up that old copy to be sure. Are you sure your clients are not using ftps, where the control channel would be encrypted? Why can they not just use passive?
What good is an outbound NAT going to do for active ftp?? Did you read over my ftp link and how ftp works, be it active or passive, which side makes the data connection, etc.??
How would you create an outbound nat to fix your issue? That just doesn't make any sense.
stuff I've read before making that post. Hence the doubt.
Thanks for the help.