Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    FTP Helper Question

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 2.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      drees
      last edited by

      I recently upgraded a pfSense box to 1.2.1 and shortly afterward started setting up a FTP server. This is a Dual-WAN setup.

      To get things working for now, I've resorted to turning off the FTP helper on the WAN interfaces and set up a port-range for passive FTP connections as well as hard code the external IP on the FTP server to one of the NATted external IPs. This works fine for now.

      However, I would prefer to use the FTP helper, as this would save me from having to hard-code the external IP on the FTP server as well as let me load-balance FTP on both WAN interfaces.

      So a couple questions:

      1. Even after enabling the FTP helper on all three interfaces, I never saw the pftpx daemon run on the WAN interface, only the LAN and OPT1 interface as expected. Looking at the system_start_ftp_helpers function in /etc/inc/config.inc, it seems that it's broken as it never adds the wan interface to the iflist array. Is this by design?

      2. I know that I can't use a Proxy-ARP IP, should a virtual ip of type "Other" work?

      3. If I use a CARP virtual IP, what should I enter for the Virtual IP Password, VHID Group and Advertising Frequency? Should I just leave them at the default?

      1 Reply Last reply Reply Quote 0
      • GruensFroeschliG Offline
        GruensFroeschli
        last edited by

        You cannot use the ftp-helper with multiWAN.

        All services running on pfSense (like the ftp-helper) can only make use of the primary WAN.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • D Offline
          drees
          last edited by

          I am talking about inbound FTP, not outbound FTP. I am already aware that outbound FTP will only go out on the primary WAN interface which is fine.

          Or does this affect inbound FTP as well?

          And either way, shouldn't I see a pftpx daemon running on the WAN interface if it is not disabled? Because I do not, and looking at the code, it is apparent that it can because of the way it is coded.

          1 Reply Last reply Reply Quote 0
          • D Offline
            drees
            last edited by

            Got my questions answerd by cmb (thanks again!) on the support mailing list.  Here they are for the archives and anyone else searching the forums:

            For the FTP helper to be started on the WAN interface, you need have the FTP helper enabled for that interface, a NAT rule for server port 21 defined and if not NATing the WAN IP, be using a CARP Virtual IP address (not ProxyARP or Other).

            Anything can be entered for the CARP VIP password, group and frequency.

            The FTP helper is started by code in /etc/inc/filter.inc.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.