FTP Hell

  • I've searched, I've read all the related threads. I've tried everything mentioned. Nothing helps.

    External traffic trying to access ftp server on internal network has serious problems.

    Running latest rc2.

    Tried with nat rules, without nat rules, with ftp proxy, without ftp proxy, auto rules, manual rules. port forwarding, no port forwarding.

    command line works just fine. IE, firefox, etc etc. no go.

    I can access the same ftp server just fine via a Juniper Netscreen firewall so the server is fine. the clients are fine. the firewall is the problem. Any ideas other than "it works for me" ?


  • There where some bugs fixed recently..  Please upgrade to the latest snapshot mentioned in the announcements section.

  • running
    RC2 built on Tue Aug 1 18:14:08 UTC 2006

    Newer than this?

  • Yes.  You can view the date of the announcement in the forum.

  • okay. running RC2i now. Same problems.

    I know this is in other threads but could you please give me a checklist of configuration items to verify?

    Simple setup with 2 interfaces. what I call TRUST (green) and UNTRUST (red). /27 IP block, All addresses are proxy arped virtual addresses, 1:1 NAT setup for all.

    All egress traffic is allowed.

    Ingress is by explicit allowance.
    FTP server is ProFTPd.
    PassivePorts are set to 9000-9500 in ProFTPd server config.
    Ports 20,21,9000-9500 are allowed by pfsense wan rules.

    FTP Proxy is enabled (unchecked) in wan interface settings.

  • Make sure the WAN interface has the FTP helper enabled.  Reboot.

    Then issue a ps awux | grep pftpx from the shell and post back the results.

  • RC2i is not the latest version. Use http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/

  • Hoba is correct.  I should have noticed that before.  Please upgrade to the latest snapshot.

  • ps awux | grep pftpx

    root    1099  0.0  0.2  1516  1000  p0  S+    5:33PM  0:00.00 grep pftpx

    Running the snapshot you linked to.

    Which is interesting because the box is definitely unchecked, and I just did a reboot.

  • It should have started a pftpx process for that nat redirects port 21.

  • Still having problems.

    I've now also tried this :: http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo

    Still no dice connecting from a browser in passive mode.

    I dont see any running pftpx processes.

    Using 1:1 NAT. Can someone help me? If I cant resolve this I need to find another platform and start getting it built.

  • Update to the latest testing snapshot in ~sullrich

  • updated to latest image from the 10th. i now see the following process running which is an improvement.

    407 con  I      0:00.00  sh -c /usr/local/sbin/pftpx -c 81 -d -f -g 81 is the internal address of the ftp server. 1:1 NAT from public IP -> Private IP.

    Passive Mode still fails. I can login, but nothing else. Client either fails over to active mode or just errors out depending on client. Active mode works fine.

    [11:45:29] SmartFTP v2.0.998.13
    [11:45:29] Resolving host name "firefly.e-frontier.com"
    [11:45:29] Connecting to 64.62.xxx.xxx Port: 21
    [11:45:29] Connected to firefly.e-frontier.com.
    [11:45:29] 220 ProFTPD 1.2.9 Server (ProFTPD Default Installation) [xxx]
    [11:45:29] USER clwebmaster
    [11:45:29] 331 Password required for xxx.
    [11:45:29] PASS (hidden)
    [11:45:30] 230 User xxx logged in.
    [11:45:30] SYST
    [11:45:30] 215 UNIX Type: L8
    [11:45:30] Detected Server Type: UNIX
    [11:45:30] FEAT
    [11:45:30] 211-Features:
    [11:45:30]  MDTM
    [11:45:30]  REST STREAM
    [11:45:30]  SIZE
    [11:45:30] 211 End
    [11:45:30] PWD
    [11:45:30] 257 "/data/httpd/www.xxx.com" is current directory.
    [11:45:30] TYPE A
    [11:45:30] 200 Type set to A
    [11:45:30] PASV
    [11:45:30] 227 Entering Passive Mode (10,200,0,11,36,146).
    [11:45:30] Opening data connection to Port: 9362
    [11:45:30] LIST -aL
    [11:45:30] 0 bytes transferred. (0 bytes/s) (47 ms)

  • You are publishing a FTP service to the internet?  If so you need to enable the ftp helper in interfaces, wan.

  • oh that was enabled long ago.

    by enabled, you mean the box is unchecked on the wan interface right?

  • Yes.  I don't see the pftpx process running for this case.

    If you are using a VIP then you need to use a CARP type VIP instead of proxyarp.

  • It's possible that that instance we see running is the result of my inserting that line into the config file as per the little howto I found that I mentioned in a previous post.

    Not an option in my environment. If I understand it correctly I would need to change my internal machines interface config to actually have the external address bound to it in order to make CARP work.

    What I'm curious about is why this is so difficult. Passing FTP with iptables, or any number of other firewalls is no different than any other ruleset. Why is it such a big hassle with pfsense?

    I appreciate all of your help and think what you're doing is great, i'm just looknig for some understanding.

  • <shellcmd>/usr/local/sbin/pftpx -c 81 -d -f -g 81</shellcmd>

    is what i added to the <system>section.</system>

  • Try out the CARP option.  You won't be using it as a failvoer IP, it needs to have a real ip instead of proxyarp so that pftpx can bind to it.

    As you can imagine pfSense is not linux / iptables.    FTP has been the biggest pain in my ass and I really dislike it at this point, we'll just leave it at that.

  • @nexusone:

    <shellcmd>/usr/local/sbin/pftpx -c 81 -d -f -g 81</shellcmd>

    is what i added to the <system>section.</system>

    Remove that, reboot.

  • removed that line, rebooted again..

    $ ps -ef
      562  v0  Is    0:00.02  login [pam] (login)
      563  v0  I      0:00.01  -sh (sh)
      564  v0  I+    0:00.01  /bin/sh /etc/rc.initial
      262 con- S      0:00.01  /usr/sbin/tcpdump -l -n -e -ttt -v -i pflog0
      263 con- I      0:00.00  logger -t pf -p local0.info
      391 con- S      0:00.04  [choparp]
      393 con- I      0:00.01  /bin/sh /usr/local/bin/runmsntp.sh /var/run/runmsnt
      395 con- I      0:00.00  /usr/local/bin/msntp -v -r -P no -l /var/run/msntp.
      397 con- I      0:00.00  logger -p daemon.info -i -t msntp
      478 con- IN    0:00.02  /bin/sh /var/db/rrd/updaterrd.sh
      553 con- SN    0:00.01  /usr/local/sbin/check_reload_status

    no psftpx process now. I'm unclear on how I can setup CARP. It keeps insisting that I give it an address that exists on a real interface. The public IP doesnt exist on any real interfaces, thats the entire point of the firewall. if I give it the real internal address that does exist i dont see how that will enable inbound traffic on the public ip to reach the internal ip.

    see my quandry?

    maybe it's time to cut my losses and give up. how frustrating

  • Not sure I understand this..  What do you mean the public ip is not on the firewall? Is this a bridge?

  • when atempting to create the CARP virtual IP I get this error

    The following input errors were detected:

    * Sorry, we could not locate an interface with a matching subnet for 64.62.xxx.xxx/32. Please add an ip in this subnet on a real interface.

    This address doesnt exist on any "real interfaces" other than the wan port of the firewall itself and that is/was as a proxyarp virtual address.  I just read the CARP faq but havent gained any clarity as a result.

  • Please supply the wan addresses in question.  The CARP ip needs to lie in the same subnet as the wan IP.

  • okay. proxy arp address is now carp. i had to expand the sn mask to encompass the whole subnet instead of just the specific host.

    i applied but results are still the same. i dont see any pftpx process running.

    my rules allow 20,21 and 9000-9500 (for the passive ports). any others needed?

  • It needs to be "21" only.

    I am really not sure why you are using port 20.

  • Oh I see what your doing.

    Remove all rules, all nat rules.

    Add your port forward for port 21 if your not going to use 1:1.

    If you plan on using 1:1 then you need to open up the range that the firewall is expecting.  The far easiest solution to this is to port forward only port 21, tcp, however.

  • Okay. This is a BIG THANK YOU for the patience.

    And a big YOU'RE WELCOME to the next person that comes along wanting FTP to work.


    • You have public addresses on your WAN interface and private addresses on your LAN interface.
    • You require NAT between interfaces
    • You require inbound PASSIVE AND ACTIVE FTP connections to work.


    • Setup your WAN and LAN interfaces as normal.
    • Create a Virtual IP Address for the IP you want assigned to your FTP server.
          -This is your EXTERNAL ADDRESS
          - You must choose CARP, not ProxyARP as the type
          - You must use the subnet mask of your ip block, not /32 for the specific host as you can for ProxyARP types.
    • Create a NAT Port Forward for port 21, forward from the external address you used for the CARP VIP, and tell it your INTERNAL FTP SERVER IP so that it can forward the port correctly.
    • Allow it to create appropriate inbound rules, or go over to rules and create a rule on your WAN interface for PORT 21 to your INTERNAL FTP SERVER IP.

    I had a terrible time getting this to work, but it DOES work if you hold your arms just right, and stand in the corner, and look at the computer through a mirror while you do the configuration. :)

Log in to reply