MS FTP on DMZ not working for WAN Access



  • I have the following setup and can't seem to get the FTP working from the public IP.

    Pfsense - RC1 upgraded to RC2 (3 Nics):
    1 WAN (xx.xxx.xx.16/26)
    1 LAN (/24)
    1 DMZ (/24) = HTTP, HTTPS, FTP, IMAP, POP3, SMTP

    As you see I have a few services Nat'd to DMZ.  Everything works fine except FTP.  I can access services from LAN to DMZ through public and local IP.  And access WAN to DMZ.

    My FTP server is MS Ftp on Win 2003.  I am troubleshooting with the command line ftp on an XP machine.

    1. I can connect  and login using local IP from LAN to DMZ.  Then do a DIR command to list files.

    2. I can also connect and login using public IP from LAN to DMZ.  And from WAN to DMZ.  But when I do a DIR command I get the following errors:
    500 Invalid PORT Command.
    150 Opening ASCII mode data connection for /bin/ls.

    I have tried enabling/disabling the ftp helper on all interfaces at the same time.  Then each individual interface.  I have the FTP Nat'd with the 2 default Firewall rules.

    I have had no problems on any other router/firewalls until using pfsense.  Can someone give me a hand on this?  Been at this for a few days now with no luck.



  • Also forgot to mention I have tried opening up the passive port range still with no luck.



  • Ok got it working finally after a lot more trial and error.  Not sure what the deal is… maybe I am just stupid, but I am pretty sure it isn't supposed to work like this and is a bug.

    Here is the scoop:

    1. Uncheck "Disable the userland FTP-Proxy application" on WAN Interface

    2. Add NAT Port Forward rule for port 21 from WAN Interface to FTP Server private IP

    3. Accept the default Firewall rules created by step 2.

    4. Reboot to have the ftp proxy bind to the public WAN IP and the private FTP server IP... should look similar to below.  Run this shell command to make sure it is working:

    ps awux | grep pftpx

    proxy    15757  0.0  0.3  656  428  ??  Ss  12:51PM  0:00.46  /usr/local/sbin/pftpx -f 10.0.0.180 -b XXX.XXX.xx.16 -c 21 -g 21

    5. Now at this step I noticed I could login to the FTP from external IP but could not receive data from the FTP... i.e. list content, receive file etc.  Though I could create a directory... it just would not show up via the client but checking the server it was there.  I knew it wasn't a permissions error on the server because nothing has changed there only implemented the new firewall.  And I can access the FTP fine from LAN to DMZ using private IP.

    6. Then here is the weird thing.... I DELETE the NAT/Firewall rules for the FTP... which I only have port 21 setup.  Then I try the ftp client again and everything works!  Both Active and Passive connections.  Why?  Who knows.  But it does.

    Will I reboot anytime soon?  Probably not.... not until I need to, because without the NAT/Firewall rules the ftp proxy will not get started and bound to the proper IPs.

    We will see over the next few days if for some reason the proxy quits working.

    Anybody have a take on this?  And as to why this happens?  Somebody might want to add this to the bug list.



  • Thanks for the great report.  I've fixed all of these problems.



  • Sounds good… so these fixes will be in the new build?



  • yes  :)



  • Ok here is another update.  Seems there is still a problem.

    I had a friend test the ftp from the command line who is physically outside my network… meaning he has to cross the WAN.  And it would not work.

    My test were showing I could connect to the FTP server on the DMZ via public address (and host name), but I was physically sitting on my LAN network during the test.

    In incremental steps I have tried:

    1.  To uncheck the ftp helper on the WAN... I don't think this really does anything but cause the ftp proxy to run... which requires a reboot.  And anyway it is already running from the initial test above. No good.

    2. Re-create the NAT port forward rules with default firewall rules.  No good.

    My friend tries to open via... ftp>open ftp.mydomain.com.  And it replies back connected to ftp.  No request for login (does not allow anon conn).  And freezes the command line prompt.  No physical connection to the FTP Server.

    Ok, I am stuck on this one.. can someone shed some light on what needs to be done to get through the WAN to the DMZ?



  • Ok… anyone?  Really need to get this working.



  • Tried re-installing the latest build from scratch and reconfiguring.  Still doesn't work.



  • It works fine here, honestly…  Make sure you're not using a proxy arp type interface.  Also refer to the faq entries in faq.pfsense.com pertaining to ftp.



  • @sullrich:

    It works fine here, honestly…   Make sure you're not using a proxy arp type interface.  Also refer to the faq entries in faq.pfsense.com pertaining to ftp.

    How do I … "Make sure your not using a proxy arp type interface"?  I am not a big network guru, so I am not sure how to do this.  Thanks.



  • Proxy arp type entry for Virtual IP's.

    Also ensure that your helper is enabled on Interfaces -> WAN.

    Delete all firewall rules and nat rules pertaining to this connection and readd the ftp rules.  Leave the 2 rules intact.

    Ensure that both rules have correct values set.  I fixed a bug where it was not specifying the interface ip address correctly in one of the firewall rules that are automatically added.



  • Still can't get it working…

    Proxy arp type entry for Virtual IP's.
    Not using Virtual Ips.. only WAN Interface Ip

    Also ensure that your helper is enabled on Interfaces -> WAN.
    helper is enabled on WAN interface only

    Delete all firewall rules and nat rules pertaining to this connection and readd the ftp rules.  Leave the 2 rules intact.
    Deleted the ftp Nat/FW Rules and added back both Nat/FW Rules

    Ensure that both rules have correct values set.  I fixed a bug where it was not specifying the interface ip address correctly in one of the firewall rules that are automatically added.

    Nat Rule shows:
    WAN  TCP  21 (FTP)  10.0.x.180 (ext.: xx.xx.xx.16)  21 (FTP)  WAN –> FTP Server

    FW Rules show:

    TCP  *  *  10.0.x.180  21 (FTP)  *  NAT WAN --> FTP Server     
    TCP  *  *  [blank]  21 (FTP)  *  NAT WAN –> FTP Server

    Also:
    $ ps awux | grep pftpx
    proxy    633  0.0  0.2   656   412  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -f 10.0.x.180 -b xx.xx.xx.16 -c 21 -g 21
    proxy    775  0.0  0.2   656   444  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.x.1

    $ pfctl -s rules | grep ftp
    anchor "ftpsesame/" all
    pass in quick on sis2 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
    anchor "ftpproxy" all
    anchor "pftpx/*" all
    pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis0 inet proto tcp from any port = ftp-data to (sis0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    pass in quick on sis0 inet proto tcp from any to 10.0.x.180 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"
    pass in quick on sis0 proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE: NAT WAN --> FTP Server"

    Does this look correct?  Any ideas?  Thanks.



  • TCP  *  *  [blank]  21 (FTP)  *  NAT WAN –> FTP Server

    That is wrong.

    Please run:

    cat /etc/inc/filter.inc | grep Id

    From a shell and report back.



  • Actually, I forgot to include the files in the upgrade.  ::)

    Please upgrade.  Start from the last version you installed.

    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2a.sh | sh -
    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2b.sh | sh -
    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2c.sh | sh -
    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2d.sh | sh -
    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2e.sh | sh -
    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2f.sh | sh -
    fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2g.sh | sh -



  • Ok ran updates… then applied nat/rules, still not working... see below:

    cat /etc/inc/filter.inc | grep Id
    /* $Id: filter.inc,v 1.575.2.234 2006/08/23 20:19:18 sullrich Exp $ */

    ps awux | grep pftpx
    proxy    633  0.0  0.2   656   412  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -f 10.0.x.180 -b xx.xx.xx.16 -c 21 -g 21
    proxy    775  0.0  0.2   656   444  ??  Ss    8:38PM   0:00.00 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.x.1

    $ pfctl -s rules | grep ftp
    anchor "ftpsesame/" all
    pass in quick on sis2 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
    anchor "ftpproxy" all
    anchor "pftpx/*" all
    pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on sis0 inet proto tcp from any port = ftp-data to (sis0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    pass in quick on sis0 inet proto tcp from any to 10.0.x.180 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"
    pass in quick on sis0 inet proto tcp from any to xx.xx.xx.16 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"

    Debug info from SmartFTP client:

    [22:33:03] SmartFTP v2.0.997.4
    [22:33:03] Resolving host name "ftp.mydomain.com"
    [22:33:03] Connecting to xx.xx.xx.16 Port: 21
    [22:33:03] Connected to ftp.mydomain.com.
    [22:33:03] 220-Microsoft FTP Service
    [22:33:04] 220 WARNING: You must have authorization to access this system. All connections are logged and monitored.
    [22:33:04] USER myuser
    [22:33:04] 331 Password required for myuser.
    [22:33:04] PASS (hidden)
    [22:33:04] 230 User myuser logged in.
    [22:33:04] SYST
    [22:33:06] 215 Windows_NT
    [22:33:06] Detected Server Type: Windows NT
    [22:33:06] FEAT
    [22:33:06] 211-FEAT
    [22:33:06]     SIZE
    [22:33:06]     MDTM
    [22:33:06] 211 END
    [22:33:06] TYPE I
    [22:33:06] 200 Type set to I.
    [22:33:06] REST 0
    [22:33:06] 350 Restarting at 0.
    [22:33:06] PWD
    [22:33:06] 257 "/" is current directory.
    [22:33:06] TYPE A
    [22:33:06] 200 Type set to A.
    [22:33:06] PORT 10,0,x,180,12,203

    [22:33:06] 500 Invalid PORT Command.        <--- Errors out here trying active mode... then switches to passive

    [22:33:06] Automatic failover of data connection mode from "Active Mode (PORT)" to "Passive Mode (PASV)".

    [22:33:06] PASV
    [22:33:06] 227 Entering Passive Mode (10,0,x,180,191,108).
    [22:33:06] Opening data connection to 10,0,x,180 Port: 49004

    [22:33:06] LIST -aL                                   <--- Errors out here ... forces server to close connection

    [22:33:06] 0 bytes transferred. (N/A/s) (0 ms)
    [22:33:06] 426 Connection closed; transfer aborted.
    [22:33:26] An established connection was aborted by the software in your host machine.
    [22:33:26] Server closed connection

    DEBUG from MS FTP command line:

    ftp> debug
    Debugging On .
    ftp> open ftp.mydomain.com
    Connected to ftp.mydomain.com.
    220-Microsoft FTP Service
    220 WARNING: You must have authorization to access….
    User (ftp.mydomaind.com:(none)): myuser
    ---> USER myuser
    331 Password required for myuser.
    Password:
    ---> PASS mypwd
    230 User myuser logged in.
    ftp> dir
    ---> PORT 10,0,x,180,13,3
    500 Invalid PORT Command.
    ---> LIST
    150 Opening ASCII mode data connection for /bin/ls.         <--- command line freezes here...

    In both test scenarios the server shows logged in, but neither will let you run commands.  Can't list directory, can't push data to server... nor pull data from server.  Which tells me there is something wrong with the passive ports across the firewall.  I can't even do it across the LAN anymore while the nat/firewall rules are in place.
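The two debug traces above show the same failure mode: the PORT command and the 227 (PASV) reply both carry an RFC 1918 address (10,0,x,180) that the peer on the other side of the NAT cannot reach, so active mode is rejected with "500 Invalid PORT Command" and the passive data connection is opened to a private address and dies with "426 Connection closed". The script below is an added example, not code from this thread or from pfSense/pftpx: it decodes the h1,h2,h3,h4,p1,p2 tuples, flags any PORT/227 line whose endpoint is RFC 1918, and performs the address substitution an FTP helper has to make on a 227 reply leaving the NAT. The session is constructed from the traces above; 192.168.1.50 (client), 10.0.0.180 (DMZ server) and 203.0.113.16 (standing in for the public WAN address xx.xx.xx.16) are assumed values.

```python
"""FTP control-channel audit: flags PORT commands and 227 (PASV) replies that
advertise an RFC 1918 address the far end cannot reach, and shows the rewrite
an FTP helper/ALG on the NAT box has to perform on the 227 reply.
Added example; not code from the thread or from pfSense/pftpx."""
import ipaddress
import re

# RFC 1918 ranges: an address in one of these means nothing to a peer on the
# other side of the NAT.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed sample modelled on the SmartFTP / ftp.exe debug output above.
# Assumed addresses: 192.168.1.50 = client behind NAT, 10.0.0.180 = FTP server
# in the DMZ, 203.0.113.16 = public WAN address (stands in for xx.xx.xx.16).
CLIENT_PRIVATE_IP = "192.168.1.50"
SERVER_PRIVATE_IP = "10.0.0.180"
WAN_PUBLIC_IP = "203.0.113.16"

SAMPLE_SESSION = [
    ("C", "PORT 192,168,1,50,12,203"),
    ("S", "500 Invalid PORT Command."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,0,0,180,191,108)."),
    ("C", "LIST -aL"),
    ("S", "426 Connection closed; transfer aborted."),
]

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and the 227 reply.
    Returns (ip, port) or None; port = p1*256 + p2 as in RFC 959."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    octets = [int(m.group(i)) for i in range(1, 7)]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def format_hostport(host, port):
    """Inverse of parse_hostport: 203.0.113.16:49004 -> 203,0,113,16,191,108"""
    return host.replace(".", ",") + ",%d,%d" % (port // 256, port % 256)


def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def check_line(sender, line):
    """For a client PORT command or a server 227 reply, return
    (kind, ip, port, reachable). Any other line returns None."""
    if sender == "C" and line.upper().startswith("PORT "):
        kind = "PORT"
    elif sender == "S" and line.startswith("227 "):
        kind = "PASV"
    else:
        return None
    hp = parse_hostport(line)
    if hp is None:
        return (kind, None, None, False)
    host, port = hp
    return (kind, host, port, not is_rfc1918(host))


def rewrite_pasv_reply(line, private_ip, public_ip):
    """What the FTP helper does to a 227 reply leaving the NAT: substitute the
    public address for the server's private one. The data port is unchanged,
    so the firewall must also pass that port (cf. the 'port > 49000' pf rule)."""
    hp = parse_hostport(line)
    if hp is None or hp[0] != private_ip:
        return line
    return "227 Entering Passive Mode (%s)." % format_hostport(public_ip, hp[1])


def audit(session):
    """One finding per PORT/227 line that advertises an unreachable endpoint."""
    findings = []
    for sender, line in session:
        r = check_line(sender, line)
        if r is None or r[3]:
            continue
        if r[1] is None:
            findings.append("%s line is malformed: %r" % (r[0], line))
        else:
            findings.append("%s advertises RFC 1918 endpoint %s:%s" % (r[0], r[1], r[2]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print("FAIL:", finding)
    print("helper would send:", rewrite_pasv_reply(SAMPLE_SESSION[3][1], SERVER_PRIVATE_IP, WAN_PUBLIC_IP))
```

Run against a real capture, a PASV reply that still carries the server's DMZ address after crossing the WAN interface means the helper is not rewriting that session; a PORT command carrying the client's LAN address means the outbound helper on the LAN side is not in the path. Both are the symptoms the traces above show.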



  • Please show the firewall rules summary view that you showed before that contained the "blank" entry



  • Current Firewall rules after patches:

    TCP  *  *  10.0.x.180 21 (FTP)  *  NAT WAN –> FTP Server     
    TCP  *  *  WAN address  21 (FTP)  *  NAT WAN --> FTP Server

    I just tried removing the NAT Port forward... thinking that it makes no sense since the proxy would be doing the forwarding.  Is this a correct assumption?

    Anyway, after that I could LIST the directory information from the LAN now.

    Still need to test from outside... have to get someone to test this for me.



  • Ok tested externally and all is working after the NAT rule is deleted!  Thanks.

