FTP in kernel helper - what does it do and does it work



  • Hi

    I am currently running pfsense 2.0 aa on bsd 7,

    I am having difficulty with (remote) FTP servers and multi-wan
    [ I know this is a problem many people have ]

    As I understand the problems, I would need the following to fix them

    Passive : the 'helper' would need to make sure my data connection routed out of the same wan interface as my ctrl connection
    Active : the 'helper' would need to add a NAT / firewall rule to NAT the server initiated data connection back to the client

    My questions are ( for now ) as follows

    1 - does the in kernel helper try and achieve either / both / none of these ??
    2 - is the in kernel helper in the bsd 7 build of 2.0 ( or just 8.0 )
    3 - is the in kernel helper considered fully / partially / not working at the moment

    Thanks,

    AJ
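The two jobs listed in the post above, modelled as an added example (not part of the thread, and not pf or pfSense code): read the `PORT` command or `227` reply off the control channel and derive how the data connection would have to be handled. `Control`, `helper_action`, the result keys and all addresses and interface names are constructed for illustration, and it assumes NAT keeps the client's port number unchanged.

```python
import re
from dataclasses import dataclass

# Six comma-separated decimal bytes h1,h2,h3,h4,p1,p2 (RFC 959 host-port).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

@dataclass(frozen=True)
class Control:
    """One tracked FTP control connection (hypothetical model)."""
    client_ip: str   # client behind the firewall
    server_ip: str   # remote FTP server
    wan_if: str      # WAN interface the control connection left on
    wan_ip: str      # address that WAN translates the client to

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def helper_action(ctrl, direction, line):
    """Map one control-channel line ("c2s" or "s2c") to the data-connection
    handling it implies, or None if the line asks for nothing or is refused."""
    verb = line.strip().split(" ", 1)[0].upper()
    hp = parse_hostport(line)
    if hp is None:
        return None
    if direction == "c2s" and verb == "PORT":
        # Active mode: the server will connect back to the client. Refuse a
        # PORT naming any host other than the client itself, otherwise the
        # control channel could open an inbound path to a third machine.
        if hp[0] != ctrl.client_ip:
            return None
        return {"mode": "active", "allow_from": ctrl.server_ip,
                "on": ctrl.wan_if, "nat_to": hp,
                "advertise": (ctrl.wan_ip, hp[1])}
    if direction == "s2c" and verb == "227":
        # Passive mode: the client will open a second outbound connection,
        # which has to leave on the same WAN as the control connection.
        if hp[0] != ctrl.server_ip:
            return None
        return {"mode": "passive", "from": ctrl.client_ip, "to": hp,
                "route_via": ctrl.wan_if}
    return None
```
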



  • It is supposed to handle everything in ftp.
    Try rdr a ftp port in 2.0 which was not that fun on 1.2.3 ;)

    Please get tcpdump traces with full packet contents for the cases it does not work.
    BTW are you running ftp on normal port!?



  • When the network is quiet I will grab some dumps with tcpdump -i em{0/3} -vvvXs 0 host {ftpserver} - do you need lan and wan ??

    To clarify,

    the client is in my wan,
    the server is on the internet,
    the servers are 3rd party so I cannot change config on them,
    the servers are running on port 21 with both active and passive support.

    I did wonder if this might be a problem with double NAT - as my wan connection is on a class C to an adsl router and is natting out of that [not bridging] ??

    Will post the dumps soon

    AJ



  • I wonder if your other NAT is doing this.

    Anyway, post dumps from lan and wan and I will get you an answer.



  • Why aren't people just forwarding the listening port, the data port and a PASV port range? That's the normal thing to do on a regular firewall/NAT device.



  • On 2.0 you just need to rdr the listening port, but this is the other issue: the client behind a NAT.

