FTP Helper Question
I recently upgraded a pfSense box to 1.2.1 and shortly afterward started setting up an FTP server. This is a Dual-WAN setup.
To get things working for now, I've resorted to turning off the FTP helper on the WAN interfaces, setting up a port range for passive FTP connections, and hard-coding the external IP on the FTP server to one of the NATted external IPs. This works fine for now.
However, I would prefer to use the FTP helper, as this would save me from having to hard-code the external IP on the FTP server as well as let me load-balance FTP on both WAN interfaces.
So a couple questions:
1. Even after enabling the FTP helper on all three interfaces, I never saw the pftpx daemon run on the WAN interface, only the LAN and OPT1 interface as expected. Looking at the system_start_ftp_helpers function in /etc/inc/config.inc, it seems that it's broken as it never adds the wan interface to the iflist array. Is this by design?
2. I know that I can't use a Proxy-ARP IP, should a virtual ip of type "Other" work?
3. If I use a CARP virtual IP, what should I enter for the Virtual IP Password, VHID Group and Advertising Frequency? Should I just leave them at the default?
GruensFroeschli last edited by
You cannot use the ftp-helper with multiWAN.
All services running on pfSense (like the ftp-helper) can only make use of the primary WAN.
I am talking about inbound FTP, not outbound FTP. I am already aware that outbound FTP will only go out on the primary WAN interface which is fine.
Or does this affect inbound FTP as well?
And either way, shouldn't I see a pftpx daemon running on the WAN interface if it is not disabled? Because I do not, and looking at the code, it is apparent that it can because of the way it is coded.
Got my questions answered by cmb (thanks again!) on the support mailing list. Here they are for the archives and anyone else searching the forums:
For the FTP helper to be started on the WAN interface, you need to have the FTP helper enabled for that interface, a NAT rule for server port 21 defined, and, if not NATing the WAN IP, be using a CARP Virtual IP address (not ProxyARP or Other).
Anything can be entered for the CARP VIP password, group and frequency.
The FTP helper is started by code in /etc/inc/filter.inc.