FTP… oh what a thorn in my side

cr_hyland

What is the deal with FTP? It was a nightmare in 1.2.x and I had massive hopes 2.0 would resolve all of the issues but no. I have used many different software and hardware firewalls over the years and although I have converted every firewall at my customers sites to pfSense I still cant get used to the fact that FTP is for the most part broken or very troublesome.
I absolutely love pfSense and am even using 2.0 alpha for a bunch of 16 webservers ( I know ive been warned not to ) but I still see little hope of FTP working properly.

I have 3 interfaces

wan
lan
webservers

wan and webservers are bridged.

I have created rules to allow port 20 and 21 in on the wan interface to the webservers but no ftp traffic gets through. Regardless of whether the clients are using passive of active ftp.
If I open all ports on the firewall ftp works fine.

Clients get as far as entering the username and password but cannot create the data connection after that.

It was similar problems with 1.2.x hence the reason for upgrading to 2.0 to try and resolve this.

Any help would be much appreciated.
And keep up the good work. 2.0 is going to be a cracker :-)

eri--

Can you get me a tcpdump on this machine with full packet headers.
A command like:
tcpdump -i $int -vvvXs 0 tcp

rpsmith

General FTP Setup:

WAN Rule: | Pass | WAN | TCP | * | * | FTP-Server | port 21 | (NAT rule also required if not bridging).
LAN Rule for outbound port 20 only required if you do not have a default LAN to any rule.

For passive mode you will need a WAN rule to pass a TCP port range to your FTP-Server.
I usually use 50200-50215.  You might need to make this range larger if you have lots of concurrent users.
WAN Rule: | Pass | WAN | TCP | * | * | FTP-Server | port 50200-50215 | (NAT rule also required if not bridging).

And finally you will also need to configure your FTP-Server's Passive Port Range to reflect the same port range used above and tell your FTP-Server what its public IP is.

rpsmith…

nocer

just wondering if the proxy runs correctly…

cheers,

eri--

There is no proxy on 2.0 it is handled in kernel.
That is why i need the tcpdump.

In 2.0 for the Lan rule you need it the WAN no. Though now that i remember it will work only on NAT cases and that is why it does not work on the bridge case. I will take a look later on to see if i can fix even that case.

cr_hyland

I will get the tcp dump and post in a couple of minutes…

So currently 2.0 doesnt support ftp on the bridged interface, is that correct or did I pick it up wrong?

Also, ive just tried using filezilla as my ftp client and in passive mode it gets as far as MLSD then connection timed out. Cannot retrieve directory listing.

Cheers for all the replies..

vorgusa

Did you try using the FTP helper for the WAN or webserver interfaces?

cr_hyland

There is no ftp helper in 2.0 latest builds to my knowledge..