Netgate Discussion Forum

Clients behind Pfsense cannot list external ACTIVE FTP servers

NAT
    spyshagg last edited by

      Hi

      Everybody behind pfsense 2.1.5 (using pfsense as the router) cannot browse external ftp servers using active mode.  The connection is established but the listing fails.

      Normal routers don't have this problem.

      How is this solvable?

      thanks

      johnpoz LAYER 8 Global Moderator last edited by

        Yes it is, for starters get on a current supported version.  2.1.5 has been EOL for quite some time; it's over 2 years old, for gosh sake.  Upgrade to current and install the FTP_Client_Proxy.

        But that old of a version still had the built-in helper/proxy; you just need to enable it.  Keep in mind that if these connections are ftps or ftpes, where the control channel is encrypted, it will not matter.  pfSense cannot see the traffic in this case to open the ports needed for when the ftp server tries to make the data connection from source port 20, nor change the client's reported IP to the public one vs its most likely rfc1918 address.

        Understanding how ftp works is a MUST in wanting to support ftp in and out of a nat firewall.
        http://www.slacksite.com/other/ftp.html

        spyshagg last edited by
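To make the two points in the post above concrete (the helper rewrites the client's rfc1918 address in the PORT command and opens the hole for the server's port-20 data connection; an encrypted control channel hides PORT from it), here is an added illustration of what such a helper does. It is example code written for this thread, not pfSense's or any project's helper; the session lines and addresses are constructed, and the TLS handling is simplified to "everything after AUTH TLS is opaque".

```python
import ipaddress
import re

# Constructed sample control-channel lines from a client behind NAT, as a
# cleartext FTP helper on the firewall would observe them.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PORT 192,168,1,10,4,1\r\n",   # client announces its private address
    "LIST\r\n",
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None for other lines."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.group(1).split(","))
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PORT octet out of range")
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def rewrite_port(line, public_ip, public_port):
    """Rewrite PORT the way a NAT helper does: substitute the firewall's public
    address and the port it will forward to the client. Non-PORT lines and PORT
    lines that already carry a non-rfc1918 address pass through unchanged."""
    parsed = parse_port(line)
    if parsed is None or not is_rfc1918(parsed[0]):
        return line
    return "PORT %s,%d,%d\r\n" % (public_ip.replace(".", ","), public_port // 256, public_port % 256)

def helper_process(lines, public_ip, public_port):
    """Run the helper over a control channel. Returns (forwarded lines, list of
    (ip, port) the server will connect to from source port 20, i.e. the inbound
    holes the firewall must open). After AUTH TLS the channel is treated as
    encrypted: bytes are forwarded blindly and no PORT can be seen or fixed."""
    forwarded, holes, encrypted = [], [], False
    for line in lines:
        if not encrypted and line.upper().startswith("AUTH TLS"):
            encrypted = True  # simplified: real TLS starts after the server's 234 reply
        out = line if encrypted else rewrite_port(line, public_ip, public_port)
        if not encrypted and parse_port(out) is not None:
            holes.append(parse_port(out))
        forwarded.append(out)
    return forwarded, holes
```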

          I found the option you mentioned and am now testing across 20 + pcs behind pfsense.  This problem completely caught us off guard to be honest.

          About version 2.1.5 being old... Stable and reliable deployment in a production environment requires many months of testing. I can't jump at every new release.

          Even so, at the time two versions were tested in-depth. 2.1.5 final and 2.2.2. 
          2.1.5 won

          Looking at my notes, 2.2.2 failed because of:

          • CARP would only function with LAGG at either LACP or FAILOVER
          • Ironically LACP was broken and all firewall rules were ignored. All internal communication between interfaces would also fail.
          • Limiters didn't work
          • Deep packet inspection aka Layer7 also didn't work.

          Any how thanks for the help, I will reply back if it works

          johnpoz LAYER 8 Global Moderator last edited by

            And what about the 2.2.6 which is the current supported release in the 2.2 line..

            I did not suggest you install every new version that comes out... But what you do need to do is make sure the version you are running in your production setup is still actively supported.  Which 2.1.5 is NOT!!  You need to get to 2.2 at a minimum to be running a supported version.

            Layer 7 is gone and won't be coming back, that I am aware of.  If that is the reason you're not moving, then I guess you will be using a non-supported version, with all the security issues that come with not running a supported version, forever??

            If you need to do dpi, why not just run a real ids?

            spyshagg last edited by

              It's more in the line of "if it works, don't change it".  All the functionality I need is working, except two things which came up very recently:

              • outside active ftp
              • Having multiple voip clients inside pfsense connecting to the same external voip service (Dropped calls etc).

              I have activated the tftp proxy option, selected all the interfaces, but it seems to fail.  Should I create manual outbound rules?

              For voip, I have installed the siproxd but all inbound calls end up falling after 40 seconds or less. Outbound calls work ok.

              johnpoz LAYER 8 Global Moderator last edited by

                wtf does tftp proxy have to do with your ftp issue??

                If I recall correctly, the ftp proxy in pfsense 2.1 was in the tunables section in advanced: debug.pfftpproxy, which I believe if set to 0 was on, if set to 1 was off.

                I really would have to fire up that old copy to be sure.. Are you sure your clients are not using ftps, where the control channel would be encrypted?  Why can they not just use passive?

                What good is an outbound nat going to do for active ftp??  Did you read over my ftp link and how ftp works be it active or passive, which side makes the data connection, etc??

                How would you create an outbound nat to fix your issue?  That just doesn't make any sense.

                spyshagg last edited by

                  Relax.

                  Stuff I've read before making that post. Hence the doubt.

                  Thanks for the help.
