    FTP Hell

    General pfSense Questions
    29 Posts 3 Posters 19.4k Views
      nexusone

      I've searched, I've read all the related threads. I've tried everything mentioned. Nothing helps.

      External traffic trying to access ftp server on internal network has serious problems.

      Running latest rc2.

      Tried with nat rules, without nat rules, with ftp proxy, without ftp proxy, auto rules, manual rules. port forwarding, no port forwarding.

      command line works just fine. IE, firefox, etc etc. no go.

      I can access the same ftp server just fine via a Juniper Netscreen firewall so the server is fine. the clients are fine. the firewall is the problem. Any ideas other than "it works for me" ?

      I'

        sullrich

        There were some bugs fixed recently. Please upgrade to the latest snapshot mentioned in the announcements section.

          nexusone

          running
          RC2 built on Tue Aug 1 18:14:08 UTC 2006

          Newer than this?

            sullrich

            Yes.  You can view the date of the announcement in the forum.

              nexusone

              okay. running RC2i now. Same problems.

              I know this is in other threads but could you please give me a checklist of configuration items to verify?

              Simple setup with 2 interfaces. what I call TRUST (green) and UNTRUST (red). /27 IP block, All addresses are proxy arped virtual addresses, 1:1 NAT setup for all.

              All egress traffic is allowed.

              Ingress is by explicit allowance.
              FTP server is ProFTPd.
              PassivePorts are set to 9000-9500 in ProFTPd server config.
              Ports 20,21,9000-9500 are allowed by pfsense wan rules.

              FTP Proxy is enabled (unchecked) in wan interface settings.

                sullrich

                Make sure the WAN interface has the FTP helper enabled.  Reboot.

                Then issue a ps awux | grep pftpx from the shell and post back the results.

                  hoba

                  RC2i is not the latest version. Use http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/

                    sullrich

                    Hoba is correct.  I should have noticed that before.  Please upgrade to the latest snapshot.

                      nexusone

                      ps awux | grep pftpx

                      root    1099  0.0  0.2  1516  1000  p0  S+    5:33PM  0:00.00 grep pftpx

                      Running the snapshot you linked to.

                      Which is interesting because the box is definitely unchecked, and I just did a reboot.

                        sullrich

                        It should have started a pftpx process for that nat redirects port 21.

                          nexusone

                          Still having problems.

                          I've now also tried this :: http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo

                          Still no dice connecting from a browser in passive mode.

                          I don't see any running pftpx processes.

                          Using 1:1 NAT. Can someone help me? If I can't resolve this I need to find another platform and start getting it built.

                            sullrich

                            Update to the latest testing snapshot in ~sullrich

                              nexusone

                              Updated to the latest image from the 10th. I now see the following process running, which is an improvement.

                              407 con  I      0:00.00  sh -c /usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81

                              10.200.0.11 is the internal address of the ftp server. 1:1 NAT from public IP -> Private IP.

                              Passive Mode still fails. I can login, but nothing else. Client either fails over to active mode or just errors out depending on client. Active mode works fine.

                              [11:45:29] SmartFTP v2.0.998.13
                              [11:45:29] Resolving host name "firefly.e-frontier.com"
                              [11:45:29] Connecting to 64.62.xxx.xxx Port: 21
                              [11:45:29] Connected to firefly.e-frontier.com.
                              [11:45:29] 220 ProFTPD 1.2.9 Server (ProFTPD Default Installation) [xxx]
                              [11:45:29] USER clwebmaster
                              [11:45:29] 331 Password required for xxx.
                              [11:45:29] PASS (hidden)
                              [11:45:30] 230 User xxx logged in.
                              [11:45:30] SYST
                              [11:45:30] 215 UNIX Type: L8
                              [11:45:30] Detected Server Type: UNIX
                              [11:45:30] FEAT
                              [11:45:30] 211-Features:
                              [11:45:30]  MDTM
                              [11:45:30]  REST STREAM
                              [11:45:30]  SIZE
                              [11:45:30] 211 End
                              [11:45:30] PWD
                              [11:45:30] 257 "/data/httpd/www.xxx.com" is current directory.
                              [11:45:30] TYPE A
                              [11:45:30] 200 Type set to A
                              [11:45:30] PASV
                              [11:45:30] 227 Entering Passive Mode (10,200,0,11,36,146).
                              [11:45:30] Opening data connection to 10.200.0.11 Port: 9362
                              [11:45:30] LIST -aL
                              [11:45:30] 0 bytes transferred. (0 bytes/s) (47 ms)

                                sullrich
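The log above is the whole problem in one line: the server answers PASV with `227 Entering Passive Mode (10,200,0,11,36,146)`, so the client is told to open its data connection to the private address 10.200.0.11 on port 36*256+146 = 9362. The port is inside the 9000-9500 PassivePorts range the WAN rules allow; the address is not reachable from the internet because 1:1 NAT rewrites IP headers but not the FTP payload. That is the job of the FTP helper (pftpx): rewrite the reply before the client sees it. The following Python is an added illustration of that check and rewrite, not code from the thread or from pfSense or pftpx; the public address 203.0.113.10 is a constructed stand-in for the masked 64.62.xxx.xxx, and the parsing assumes the standard RFC 959 reply format.

```python
import ipaddress
import re

# Constructed inputs for this example (not from the thread). PUBLIC_IP stands
# in for the masked 64.62.xxx.xxx address the client connected to.
PUBLIC_IP = "203.0.113.10"
# The 227 reply exactly as the SmartFTP log in the thread shows it.
SAMPLE_REPLY = "227 Entering Passive Mode (10,200,0,11,36,146)."
# ProFTPd PassivePorts range (also what the pfSense WAN rules allow).
PASSIVE_RANGE = (9000, 9500)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Group 1 is everything up to and including "(", group 8 is ")" and the rest.
PASV_RE = re.compile(
    r"^(227\b.*?\()(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(\).*)$"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()[1:7]]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose(reply, control_peer, passive_range=PASSIVE_RANGE):
    """List the reasons a passive-mode client would fail on this reply.

    control_peer is the address the client opened the control connection to;
    a usable data connection has to go to that same host.
    """
    host, port = parse_pasv(reply)
    problems = []
    if host != control_peer:
        msg = f"PASV advertises {host} but the control connection went to {control_peer}"
        if any(ipaddress.ip_address(host) in net for net in RFC1918):
            msg += " (RFC 1918 address: 1:1 NAT rewrote the IP header but no FTP helper rewrote the reply)"
        problems.append(msg)
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside PassivePorts {lo}-{hi}, so the WAN rules do not cover it")
    return {"host": host, "port": port, "problems": problems}


def rewrite_pasv(reply, public_ip):
    """Rewrite the reply the way an FTP helper such as pftpx does before the client sees it."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    _, port = parse_pasv(reply)
    return f"{m.group(1)}{public_ip.replace('.', ',')},{port // 256},{port % 256}{m.group(8)}"


if __name__ == "__main__":
    report = diagnose(SAMPLE_REPLY, PUBLIC_IP)
    print(f"server told the client to connect to {report['host']}:{report['port']}")
    for problem in report["problems"]:
        print(" -", problem)
    fixed = rewrite_pasv(SAMPLE_REPLY, PUBLIC_IP)
    print("after helper rewrite:", fixed)
    print("problems after rewrite:", diagnose(fixed, PUBLIC_IP)["problems"])
```

Run against the thread's reply, `diagnose` reports only the address mismatch (the port 9362 passes the range check), and after `rewrite_pasv` substitutes the public address the same check reports nothing. That matches the symptom in the thread: login and active mode work because they only use the control connection, while every passive listing stalls at "Opening data connection to 10.200.0.11". A second reply with port octets (40,0), for instance, would additionally trip the PassivePorts check because 40*256 = 10240 lies outside 9000-9500.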

                                You are publishing a FTP service to the internet?  If so you need to enable the ftp helper in interfaces, wan.

                                  nexusone

                                  oh that was enabled long ago.

                                  by enabled, you mean the box is unchecked on the wan interface right?

                                    sullrich

                                    Yes.  I don't see the pftpx process running for this case.

                                    If you are using a VIP then you need to use a CARP type VIP instead of proxyarp.

                                      nexusone

                                      It's possible that that instance we see running is the result of my inserting that line into the config file as per the little howto I found that I mentioned in a previous post.

                                      Not an option in my environment. If I understand it correctly I would need to change my internal machines interface config to actually have the external address bound to it in order to make CARP work.

                                      What I'm curious about is why this is so difficult. Passing FTP with iptables, or any number of other firewalls is no different than any other ruleset. Why is it such a big hassle with pfsense?

                                      I appreciate all of your help and think what you're doing is great, I'm just looking for some understanding.

                                        nexusone

                                        <shellcmd>/usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81</shellcmd>

                                        is what I added to the <system> section.

                                          sullrich

                                          Try out the CARP option.  You won't be using it as a failover IP, it needs to have a real IP instead of proxyarp so that pftpx can bind to it.

                                          As you can imagine pfSense is not linux / iptables.    FTP has been the biggest pain in my ass and I really dislike it at this point, we'll just leave it at that.

                                            sullrich

                                            @nexusone:

                                            <shellcmd>/usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81</shellcmd>

                                            is what I added to the <system> section.

                                            Remove that, reboot.
