ftp client passive mode

sasa1 · Mar 28, 2020, 9:48 PM

I have a problem with a server behind pfsense 2.4.4 because I am unable to access a remote ftp server in passive mode.
I can't understand where the problem can be because I installed the "FTP Client Proxy" component and on the server I enabled the incoming ports from 1024-65535.
but when i try to access a remote ftp server i get the error message:
Connesso a speedtest.tele2.net.
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
Utente (speedtest.tele2.net:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.

in attach ftp configuration.
Thanks.
login-to-view

javier2020 · Mar 29, 2020, 5:26 AM

I think you don't need to use "FTP Client Proxy".

I have succeeded by adding the following parameters in the /etc/vsftpd.conf file on the FTP server.

pasv_enable=Yes
pasv_min_port=10100
pasv_max_port=10110

and then on PfSense use "Port forward" to forwarding tcp port range 10100-10110 and tcp port 21.

I hope it works for you.

sasa1 · Mar 29, 2020, 7:25 AM

but the ftp server is not mine and is not behind pfsense.
My problem is with the ftp client which needs to connect to an ftp server.
Thanks.

bigsy · Mar 29, 2020, 9:42 AM

@sasa1 I've just done a successful anonymous connection to the server details you posted.

This is behind pfs 2.4.5-RELEASE using Transmit for MacOS in passive mode. I do not have the FTP client proxy installed.

I've masked the server details in case you want to remove them from your post.

3: Connected to speedtest.xxx.xxx.
3: Cmd: USER anonymous
3: 331: Please specify the password.
3: Cmd: PASS password
3: 230: Login successful.
3: Cmd: TYPE A
3: 200: Switching to ASCII mode.
3: Logged in to speedtest.xxx.xxx as anonymous.
3: Cmd: SYST
3: 215: UNIX Type: L8
3: Cmd: PWD
3: 257: "/" is the current directory
3: Cmd: PWD
3: 257: "/" is the current directory
3: Disconnecting from server…
3: Cmd: QUIT
3: 221: Goodbye.

johnpoz · Mar 29, 2020, 9:50 AM

@sasa1 said in ftp client passive mode:

because I installed the "FTP Client Prox

That proxy is only need when you want to connect to internet ftp server via active mode.

There is zero to do with pfsense to connect to a ftp server on the internet in passive mode. Unless your limiting what ports a client can talk outbound to the internet there should be no issues.. This default is any any lan rule, so all outbound traffic to the internet from lan is allowed. this would be the port your trying to connect to in passive mode.

Understanding how the ftp protocol works is step one in trying to troubleshoot it.

Who makes the connection when in active or passive for the data connection.
https://slacksite.com/other/ftp.html

Here connecting to your server in 2 different modes... here is passive

Command:	PASV
Response:	227 Entering Passive Mode (90,130,70,73,109,28).

This tells the client to connect to ip 90.130.70.73 on port (109*256)+28 or 27932

Now when you connect via active mode the client will tell the server what port to connect too..

Command:	PORT 192,168,9,100,23,121

The client told the server to connect to 192.168.9.100 port 23*256+121, but for starters the server couldn't connect to my local IP... So the ftp active proxy would have to change that for you and open the ftp port.. Which might be in use already.. So you could have some random failures..

sasa1 · Mar 29, 2020, 10:00 AM

Hi,
on my pfsense I disabled the "ftp client proxy" and tried the connection to the remote server in ftp but I have this result:
230 Login successful.
ftp> ls
500 Illegal PORT command.
425 Use PORT or PASV first.
ftp>

Thanks.

johnpoz · Mar 29, 2020, 10:07 AM

Your still doing the port command - says so right there!! in what you posted.

And that it says its illegal is telling you most likely that you sent your rfc1918 address. Or you didn't at the wrong time..

Also if your trying to use the cmd line ftp client in windows - it doesn't support passive.. you can do the command all day.. It doesn't support it.. never has..

Here this is with using the ftp proxy - works just fine with windows client

ftp> user anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
1000GB.zip
100GB.zip
100KB.zip
100MB.zip
10GB.zip
10MB.zip
1GB.zip
1KB.zip
1MB.zip
200MB.zip
20MB.zip
2MB.zip
3MB.zip
500MB.zip
50MB.zip
512KB.zip
5MB.zip
upload
226 Directory send OK.
ftp: 183 bytes received in 0.02Seconds 9.63Kbytes/sec.
ftp>

sasa1 · Mar 29, 2020, 10:17 AM

on another PC that is in another network but with the same configuration (therefore always using the ftp Windows client and always behind pfsense) I can access the ftp server:

C:\Users\Administrator>ftp speedtest.tele2.net
Connesso a speedtest.tele2.net.
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
Utente (speedtest.tele2.net:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
1000GB.zip
100GB.zip
100KB.zip
100MB.zip
10GB.zip

I would like to have the same possibility also on this PC where it doesn't work.
Thanks.

johnpoz · Mar 29, 2020, 10:26 AM

And for active to work, you would have to use the ftp client, and you would have to set it up... And the port your client says to use to talk to it would have to be open..

I just showed you ftp client works just fine.. I gave you the info on how ftp actual works..

If something is not working, I suggest you sniff on pfsense for this ftp traffic and take a look to what could be going wrong..

If this client is on a different network, say your DMZ you listed - the ftp active proxy would have to be listening on that interface as well, you only have it listening on your LAN.

You can have it listen on multiple interfaces

login-to-view

sasa1 · Mar 29, 2020, 10:37 AM

so "Enable the FTP Proxy" (about FTP Client Proxy) must be enabled?
I have enabled the component again and I have selected all the networks but the error message remains the same.
what can I check in pfsense to find the problem?
thanks.

johnpoz · Mar 29, 2020, 10:45 AM

@sasa1 said in ftp client passive mode:

so "Enable the FTP Proxy" (about FTP Client Proxy) must be enabled?

YES if your going to do ACTIVE mode! Already went over this... windows ftp client can not do passive, so if you want to use that then yes your going to have to use the ftp proxy package..

sasa1 · Mar 29, 2020, 10:55 AM

I have enabled "ftp client proxy" and I have selected all the networks but the error message is this:
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.

johnpoz · Mar 29, 2020, 11:03 AM

@sasa1 said in ftp client passive mode:

200 PORT command successful. Consider using PASV.
425 Failed to establish connection.

And what port was trying to be used... Sniff on pfsense and look and see!

Try a different client that gives you better logging, like filezilla which will show you the port command sent. So you can see what IP and port... Then sniff on pfsense - is the proxy changing it on your wan.. Is the port your telling to connect to already in use? etc..

Your not policy routing out some vpn are you, etc. What is the make up of your setup... If it working on 1 network.. clearly it works, etc.. so you have to figure out what other issue is there..

sasa1 · Mar 29, 2020, 2:55 PM

I tried with filezilla and a strange thing happens, if I use the domain name it gives me an error if instead I use the IP address it works:

Stato: Risoluzione dell'indirizzo IP speedtest.tele2.net in corso
Stato: Tentativo di connessione non riuscito con "EAI_NONAME - Nome nodo e nome server non forniti, o sconosiuti".
Errore: Impossibile collegarsi al server
Stato: In attesa di un nuovo tentativo...
Stato: Connessione a 90.130.70.73:21...
Stato: Connessione stabilita, in attesa del messaggio di benvenuto...
Stato: Server non sicuro, non supporta FTP su TLS.
Stato: Il server non supporta caratteri non ASCII.
Stato: Accesso effettuato
Stato: Lettura elenco cartelle...
Stato: Elenco cartella di "/" completato

is very strange !

johnpoz · Mar 29, 2020, 3:33 PM

My guess is you typo'd the name... simple to test if resolves or not.. do a dig or or nslookup, or whatever your fav dns tool is..

$ dig speedtest.tele2.net

; <<>> DiG 9.16.0 <<>> speedtest.tele2.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8563
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;speedtest.tele2.net.           IN      A

;; ANSWER SECTION:
speedtest.tele2.net.    0       IN      A       90.130.70.73

;; Query time: 8 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Sun Mar 29 10:31:06 Central Daylight Time 2020
;; MSG SIZE  rcvd: 64

Or maybe you put in url like http:// not sure.. what your doing wrong.

Can not tell from what you posted if your using active or passive. Pretty sure filezilla defaults to passive.. Which we have been over already multiple times!!

sasa1 · Mar 29, 2020, 4:12 PM

the strange thing is this..that the name is correctly resolved !!

nslookup speedtest.tele2.net
Server: one.one.one.one
Address: 1.1.1.1

Risposta da un server non autorevole:
Nome: speedtest.tele2.net
Addresses: 2a00:800:1010::1
90.130.70.73

with filezilla, using the IP address, it works both in active and in passive mode.

johnpoz · Mar 29, 2020, 5:04 PM

Yeah that doesn't make any sense at all... Local issue is you typo'd the name when you put it in to filezilla or had a space or something wrong... Works fine here with name.. filezilla would use the same dns as your OS... Unless its switched to trying to do doh or something?

So so these machines not even using pfsense for dns..

login-to-view

sasa1 · Mar 30, 2020, 7:35 AM

I have typed the name several times and it is the same that I use when I try the connection from the DOS client, I really can't understand!
however with Filezilla using the IP address I can make the ftp connection.

what can I check to understand where the problem is in the ftp connection using the DOS client?
Thanks.

johnpoz · Mar 30, 2020, 10:33 AM

Dude we already went over this - what are you NOT understanding about active vs passive??

the built in windows ftp client will NOT do passive - period! So your ftp proxy package would have to be setup.. Which multiple people have shown you works just fine..

sasa1 · Mar 30, 2020, 10:38 AM

I already installed the "ftp proxy client" package but it still doesn't work.

I should add that on other servers (which are in other datacenters) where I have configured pfsense in the same way, ftp access works fine.
I don't understand why only in this circumstance the access in ftp access doesn't work.
Thanks.