FTP Helper Question

  • I recently upgraded a pfSense box to 1.2.1 and shortly afterward started setting up a FTP server. This is a Dual-WAN setup.

    To get things working for now, I've resorted to turning off the FTP helper on the WAN interfaces and set up a port-range for passive FTP connections as well as hard code the external IP on the FTP server to one of the NATted external IPs. This works fine for now.

    However, I would prefer to use the FTP helper, as this would save me from having to hard-code the external IP on the FTP server as well as let me load-balance FTP on both WAN interfaces.

    So a couple questions:

    1. Even after enabling the FTP helper on all three interfaces, I never saw the pftpx daemon run on the WAN interface, only the LAN and OPT1 interface as expected. Looking at the system_start_ftp_helpers function in /etc/inc/config.inc, it seems that it's broken as it never adds the wan interface to the iflist array. Is this by design?

    2. I know that I can't use a Proxy-ARP IP, should a virtual ip of type "Other" work?

    3. If I use a CARP virtual IP, what should I enter for the Virtual IP Password, VHID Group and Advertising Frequency? Should I just leave them at the default?

  • You cannot use the ftp-helper with multiWAN.

    All services running on pfSense (like the ftp-helper) can only make use of the primary WAN.

  • I am talking about inbound FTP, not outbound FTP. I am already aware that outbound FTP will only go out on the primary WAN interface which is fine.

    Or does this affect inbound FTP as well?

    And either way, shouldn't I see a pftpx daemon running on the WAN interface if it is not disabled? Because I do not, and looking at the code, it is apparent that it can because of the way it is coded.

  • Got my questions answerd by cmb (thanks again!) on the support mailing list.  Here they are for the archives and anyone else searching the forums:

    For the FTP helper to be started on the WAN interface, you need have the FTP helper enabled for that interface, a NAT rule for server port 21 defined and if not NATing the WAN IP, be using a CARP Virtual IP address (not ProxyARP or Other).

    Anything can be entered for the CARP VIP password, group and frequency.

    The FTP helper is started by code in /etc/inc/filter.inc.

Log in to reply