FTP on 1-1 NAT (again?)

  • Hi

    I'm running:

    built on Sun Feb 24 17:04:58 EST 2008

    on a server with two NICs. Running 1-1 NAT. I've set up 10 virtual IPs using p-arp (and also tried c-arp for one IP) and then afterwards set up the 1-1 NAT.

    I can access all servers on port 80 and ssh and so on - no problem, so the NAT thing is working so far. But FTP is not. I can connect but I get no data - no dir list or anything.

    This has been written about a lot, it seems, and I tried all combinations I could figure out (I think) based on the points written in different places.

    With and without FTP helper enabled on WAN and/or LAN and p-arp/c-arp.

    Nothing helps. The FTP servers are all working (I mean before moving from PIX to pfSense).

    I of course made a firewall rule to allow ALL traffic on ALL ports to ALL servers from my own IP to make sure it's not something as simple as this blocking, and the rule is of course the first in the list.

    There is a DHCP setup and from that (I think an outbound NAT) - could this be the problem?

    What can I try - what info can I supply to show the problem?

  • Old thread, but did you go through the things in this list?


  • For 1.2 release… THIS is regarding INBOUND FTP - from your public IP to internal server via 1:1

    I use the FTP and 1:1 scenario and I can tell you that it works if the NAT / LAN has all ports / protocols open, BUT if you start restricting SMTP, HTTP, HTTPS to certain internal clients or servers for outbound, then it breaks the only FTP option - PORT mode.  Don't even try passive as this never worked from all my reading here and testing...

    So PORT mode works fine if your NAT / LAN RULES are wide open (*  LAN net  *  *  *  *     Default LAN -> any   ); however, if you start limiting outbound connections (typically done in Enterprise companies for additional security), the FTP PUKES!

    FTP is BROKEN in pfSense and the developers will all tell you to look elsewhere for a solution and even go to say find another firewall - I love that one.  So even if you try to pay for an Enterprise support, it is still broken - I haven't tested it in 1.2.1 or for that matter 1.3 hopefully fixed there - can anyone confirm?

    References for PASS vs PORT mode (simplest and best reading) - http://www.g6ftpserver.com/forum/index.php?showtopic=2058

  • To put this into more common terms, Scott, let me see if I can clarify your situation:

    • Inbound FTP.
    • No FTP helpers
    • 1:1 NAT
    • Restrictive outbound rules
    • Active FTP connections fail because the server cannot connect back to the client as those ports are blocked

    Sounds about right from what I understand.

    Linux has a couple of kernel modules to help with these types of situations - the nf_conntrack_ftp and nf_nat_ftp modules.  These listen in on FTP connections and adjust packet filter rules to allow related FTP connections to work, as well as rewriting certain passive FTP commands to use the appropriate IP addresses instead of local IP addresses.

    I'm not that familiar with FreeBSD, but I'm assuming that no similar pf modules exist?

  • Oh, BTW, Scott. To fix your active FTP issue, your FTP server should initiate all active FTP commands from port 20.

    So if you add a rule that looks like this your specific FTP issue should be fixed:

    LAN, Proto=TCP, Source=FTP-Server, Port=20, Destination=, Port=, Gateway=*

    Oh, and Inbound Passive FTP works just fine if you follow the guide. This setup works just fine for me in multiple setups:

    1. Disable FTP Helper on WAN interface(s)
    2. Configure FTP server to use a narrow port range for passive connections (say 50000-50250)
    3. Configure FTP server to specify external/NATted IP for passive connections
    4. Configure pfSense to NAT ports 21 and 50000-50250 to the FTP server (can do a 1:1 mapping w/Proxy Arp IP if you wish, too)
    5. Configure pfSense to allow access to ports 21 and 50000-50250 to the FTP server
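    The two posts above describe what the firewall has to permit for each FTP mode behind 1:1 NAT: in active mode, an outbound connection from the FTP server's port 20 to whatever address and port the client named in its PORT command; in passive mode, a 227 reply that advertises the public (NATted) address and a port inside the narrow forwarded range. The script below is an added example for this thread, not code from any poster or from pfSense. It decodes the PORT and PASV wire formats and checks a constructed exchange against those two conditions; the addresses and the 50000-50250 range are assumptions chosen to match the steps above.

```python
import ipaddress
import re

# Constructed values for this example (not taken from the thread): the public
# address the 1:1 NAT maps to the FTP server, the server's internal address,
# and the narrow passive range from step 2 of the post above.
PUBLIC_IP = ipaddress.IPv4Address("203.0.113.10")    # constructed (documentation range)
INTERNAL_IP = ipaddress.IPv4Address("192.168.1.10")  # constructed
PASV_RANGE = (50000, 50250)                          # range suggested in step 2
FTP_DATA_PORT = 20                                   # source port of active-mode data connections

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2"
# both encode an IPv4 address and a 16-bit port as six decimal bytes.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(groups):
    """Turn the six decimal fields into (IPv4Address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_pasv_reply(line, public_ip=PUBLIC_IP, port_range=PASV_RANGE):
    """Check a 227 reply as an outside client would receive it.

    Returns a list of problems; an empty list means the server advertises the
    NATted address (step 3) and a port inside the forwarded range (steps 2, 4, 5),
    so the client's data connection will reach the server through the 1:1 mapping.
    """
    m = PASV_RE.match(line.strip())
    if not m:
        return ["not a 227 passive-mode reply"]
    addr, port = decode_hostport(m.groups())
    problems = []
    if addr != public_ip:
        problems.append(f"advertises {addr} instead of the public address {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the forwarded range {lo}-{hi}")
    return problems


def active_data_flow(port_cmd, server_ip=INTERNAL_IP):
    """Return the outbound TCP flow the firewall must allow for one PORT command.

    In active mode the server opens the data connection itself, from port 20,
    to the address and port the client named; this is the connection that a
    restrictive outbound ruleset blocks.
    """
    m = PORT_RE.match(port_cmd.strip())
    if not m:
        raise ValueError("not a PORT command")
    client_ip, client_port = decode_hostport(m.groups())
    return (str(server_ip), FTP_DATA_PORT, str(client_ip), client_port)


def allowed_by_source_port_rule(flow, ftp_server=INTERNAL_IP):
    """The rule from the post above: LAN, TCP, source = FTP server, source port 20,
    any destination. Returns True if the flow matches it."""
    src_ip, src_port, _dst_ip, _dst_port = flow
    return src_ip == str(ftp_server) and src_port == FTP_DATA_PORT


if __name__ == "__main__":
    # Constructed sample replies and commands.
    for reply in ("227 Entering Passive Mode (203,0,113,10,195,80)",
                  "227 Entering Passive Mode (192,168,1,10,195,80)",
                  "227 Entering Passive Mode (203,0,113,10,196,75)"):
        print(reply, "->", check_pasv_reply(reply) or "OK")
    flow = active_data_flow("PORT 198,51,100,7,4,1")
    print("active data flow", flow, "allowed:", allowed_by_source_port_rule(flow))
```

    The second constructed reply is the step-3 failure (the server advertises its internal address, so the client tries to connect to 192.168.1.10 and gets nothing); the third advertises a port one above the forwarded range, which the NAT and rules from steps 4 and 5 would not pass. The PORT example shows why restricting a single source port is enough for active mode: every data connection the server opens carries source port 20.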

  • Excellent, drees… great info to get half of the PASSIVE working... the last piece is the actual FTP server you use... it must be able to set the public IP of your 1:1 FTP server and also assign the random ports you mentioned... just thought I'd add in the FTP server

    1. pfSense and FTP Passive ftp using these suggestions you mentioned with NAT and rules
    2. change the settings of your ftp server to actually use the PASSIVE setting (consult your ftp server vendor's manual - in my case G6ftp)

    Thanks to bits and pieces everywhere, PASSIVE is Now working

    NOTE:  From a security standpoint, PASSIVE FTP is more secure (thus better) because you do not have to open up Outbound ports to ALL!

  • @scottnguyen:

    NOTE:  From a security standpoint, PASSIVE FTP is more secure (thus better) because you do not have to open up Outbound ports to ALL!

    Not true, as you see in my previous post, to get active FTP working securely, you simply need to match the source port (TCP:20) of your FTP server. If you don't trust your FTP server to be opening connections to anywhere from a single port, you've got other problems. :)

  • If you don't mind, could you provide a screenshot of this setup?  I am now for sure confused… Happy New Year!

  • works for me too, thanks  ;D ;D ;D ;D
