Netgate Discussion Forum

    Ftp only works port connection type not passive

    15 Posts 5 Posters 22.0k Views
      rsw686

      Is there something I am missing? FTP works only with the port connection type. Thus if I try and pull it up in Firefox, etc. that use passive connections it will not connect.

      Here's the error using passive mode. Seems that pftpx is not giving out the lan ip address for the client to connect to.

      COMMAND:> PASV
      227 Entering Passive Mode (10,10,1,15,149,86)
      COMMAND:> LIST
      STATUS:>  Connecting ftp data socket 10.10.1.15:38230…

        hoba

        In case you run anything older than this please upgrade: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

          rsw686

          @hoba:

          In case you run anything older than this please upgrade: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

          I was using the 9-3-2006 snapshot, but just upgraded to the 9-12-2006 snapshot and am having the same issue still. Feel free to try and ftp to the server "wgnrs.dynalias.com". It accepts anonymous connections and is just a blank install of vsFTPd on Fedora Core 4.

          passive mode communication
          --------------------------------------
          mason> ftp     
          ftp> passive
          Passive mode on.
          ftp> open wgnrs.dynalias.com
          Connected to wgnrs.dynalias.com.
          220 (vsFTPd 2.0.3)
          Name (wgnrs.dynalias.com): anonymous
          331 Please specify the password.
          Password:
          230 Login successful.
          Remote system type is UNIX.
          Using binary mode to transfer files.
          ftp> cd pub
          250 Directory successfully changed.
          ftp> ls
          421 Service not available, remote server has closed connection
          Passive mode refused. Try PORT
          No control connection for command: Transport endpoint is not connected

          port mode communication

          mason> ftp           
          ftp> open wgnrs.dynalias.com
          Connected to wgnrs.dynalias.com.
          220 (vsFTPd 2.0.3)
          Name (wgnrs.dynalias.com): anonymous
          331 Please specify the password.
          Password:
          230 Login successful.
          Remote system type is UNIX.
          Using binary mode to transfer files.
          ftp> cd pub
          250 Directory successfully changed.
          ftp> ls
          200 PORT command successful. Consider using PASV.
          150 Here comes the directory listing.
          226 Directory send OK.
          ftp> cd ..
          250 Directory successfully changed.
          ftp> ls
          200 PORT command successful. Consider using PASV.
          150 Here comes the directory listing.
          pub
          226 Directory send OK.
          5 bytes received in 0.0036 seconds (1.36 Kbytes/s)

            rsw686

            After the upgrade I'm now getting a ton of msntp errors so I am clean installing the snapshot. We'll see how it goes.

            Sep 14 01:21:33 msntp[3201]: msntp: Unknown error: 0
            Sep 14 01:21:33 msntp[3201]: msntp: unable to locate IP address/number
            Sep 14 01:21:33 msntp[3201]: msntp: bad daemon restart information
            Sep 14 01:21:33 msntp[3201]: d=18000 c=5 x=18000 op=1 l=/var/run/msntp.pid f=/var/db/msntp.state 61.129.66.79
            Sep 14 01:21:33 msntp[3201]: msntp options: a=2 p=0 v=1 e=0.100 E=5.000 P=2147483647.000

              rsw686

              Got it clean installed to snapshot 09-12-06 and the msntp error looks like it cleared up; see output below. I can't remember if the bad daemon restart information was always there or not. Anyways, ftp still has the same issue where passive transfers don't work.

              Sep 14 01:52:45 msntp[636]: msntp: 2006 Sep 14 01:52:45.132 + -0.000 +/- 0.206 secs
              Sep 14 01:52:45 msntp[636]: msntp: after 0.6 secs acc. 1 rej. 0 flush 0 max.off. 0.369 corr. 0.369
              Sep 14 01:52:44 msntp[636]: msntp: using NTP server 20six.fr (84.16.227.161)
              Sep 14 01:52:44 msntp[636]: msntp: bad daemon restart information
              Sep 14 01:52:44 msntp[636]: d=18000 c=5 x=18000 op=1 l=/var/run/msntp.pid f=/var/db/msntp.state 84.16.227.161
              Sep 14 01:52:44 msntp[636]: msntp options: a=2 p=0 v=1 e=0.100 E=5.000 P=2147483647.000

                Gertjan

                If you're talking 'incoming ftp connection' to an internal FTP server on your LAN, then drop by over here: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

                If all these posts describe your problem, then you will find a temp. solution over there.

                It's (re) boot persistent.

                And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).)

                PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't see any issues. msntp just grabs the time from the net.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  rsw686

                  @Gertjan:

                  If you're talking 'incoming ftp connection' to an internal FTP server on your LAN, then drop by over here: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

                  If all these posts describe your problem, then you will find a temp. solution over there.

                  It's (re) boot persistent.

                  And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).)

                  PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't see any issues. msntp just grabs the time from the net.

                  No I know the msntp issue is not related. Just that I was advised to go to the latest snapshot and when I did the upgrade msntp errors started popping up every minute. Thus I ended up doing a clean install.

                  My ftp issue is not the same. My IP address hardly changes and I don't use PPPoE. Yes this is an incoming ftp issue.

                    sullrich

                    Msntp has nothing to do with FTP.  Upgrade to the latest testing snapshot.

                      Tomba

                      @rsw686:

                      Is there something I am missing? FTP works only with the port connection type. Thus if I try and pull it up in Firefox, etc. that use passive connections it will not connect.

                      Here's the error using passive mode. Seems that pftpx is not giving out the lan ip address for the client to connect to.

                      COMMAND:> PASV
                      227 Entering Passive Mode (10,10,1,15,149,86)
                      COMMAND:> LIST
                      STATUS:>  Connecting ftp data socket 10.10.1.15:38230…

                      Did you make sure to define which ports the FTP server uses as PASV ports? If you don't, the FTP server will pick a free port number at random, which I'm sure your firewall will block.
                      If the answer is yes: do you also allow traffic to pass? (Firewall -> Rules should have an entry for your PASV port range)
                      If the answer is no: define which ports the PASV data transport should use and add a rule to allow traffic to pass in pfSense.

                      BTW maybe you should consider using WebDAV; a client is included by default in almost any OS (including Windows) and when used with SSL it's safer than FTP as well (e.g. passwords don't get sent over the internet in clear text)

                        sullrich

                        There is no reason to forward anything but port 21.

                        The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

                        The FTP Helper dynamically opens ports as they are needed.

                          Tomba

                          @sullrich:

                          There is no reason to forward anything but port 21.

                          The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

                          The FTP Helper dynamically opens ports as they are needed.

                          I didn't know this was what the FTP helper was for :)

                          In that case I have the exact same problem because without the PASV port forwards enabled on my pfSense box (RC2) I get the exact same problem…. (with Serv-U FTP)

                            sullrich

                            Upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

                              rsw686

                              @sullrich:

                              Upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

                              I already updated to the latest version SNAPSHOT-09-12-06 and am still having the problem. The ftp helper will not open the ports for passive mode. Only works for port mode. I even tried defining my ip address in vsftp for passive mode and it still does not work.

                              The guy who recommended I use something else, that's not the point. I would like to get FTP working. I normally use SSH anyways.

                                sullrich

                                #1 Make sure you are using CARP type ips for virtual ips
                                #2 Make sure the port forward is for port "21" ONLY

                                If you are on the latest version and follow the above it really should work.

                                  Gertjan

                                  @sullrich:

                                  #1 Make sure you are using CARP type ips for virtual ips
                                  #2 Make sure the port forward is for port "21" ONLY

                                  If you are on the latest version and follow the above it really should work.

                                  Sure ?

                                  I'm using a PPPoE connection on the WAN interface, and I can assure you that

                                  1. These two ones are running after reboot (and IP 24H 'hup'):
                                    /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
                                    /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1
                                  2. This one won't be there (except when making an initial FTP port 21 rule in the NAT table - Apply)
                                    /usr/local/sbin/pftpx -f 192.168.1.2 -b 82.125.93.41 -c 21 -g 21
                                    If an FTP port 21 rule was already present, I have to remove it before (as the 2 auto created firewall WAN rules).

                                  Am I saying something wrong, or am I missing something?
                                  When filter.inc installs pftpx [wanIP] [lanIP]…, pftpx will bail out (visible in the system log).

                                  Anyway, checking check_reload_status.c right now to see who is running what and when.... (rather simple piece of code at first - but your baby IS complicated when you dig into it...  )

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??
