RC3 and FTP

sh_man

I upgraded to RC3 last night and killed all FTP access from LAN to WAN/OPT1 (using dual WAN setup). It worked fine with RC2 (I have rolled back to keep the users happy).

Is there some config that I am missing that did not matter before RC3?

Gertjan

To use a FTP server on a PC in your LAN - and make it accesible from 'the world', you should do just this thing:
Create a NAT-Rule on the WAN interface, port 21 to the FTP server IP, port 21.
Automaticlay two rules will be created in the firewal list.

Check that you didn't disable the "FTP Helper … Disable the userland FTP-Proxy application" option on the Interfaces->WAN  & Interfaces->LAN.

Afterwards, you'll see a

ps auwx | grep pftpx | grep -v grep

proxy    617  0.0  0.1  656  420  ??  Ss  Mon12PM  0:00.47 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
proxy  30379  0.0  0.1  656  488  ??  Ss    6:33PM  0:00.00 /usr/local/sbin/pftpx -f 192.168.1.2 -b 83.193.54.47 -c 21 -g 21

83.193.54.47 => (my) WAN IP
192.168.1.2 => (my) LAN "FTP server" IP

This is enough to make FTP accesible from the 'outside'.

sh_man

Thanks for that - but I am trying to get from the LAn to FTP servers out on the web - not the other way round.

Literally, if I use RC3 it does not work, and RC2 it does work. No other settings are changed.

databeestje

does the rc3a update fix your problem?

hoba

Works fine here without issues. Also this is funny as somebody says just the opposite in this thread: http://forum.pfsense.org/index.php/topic,2281.msg13273.html#msg13273

jeroen234

no problem here on rc3 rc3a or rc3b

smeg9

I too am experiencing this problem, cannot access FTP sites on the internet, from within our LAN.
worked on beta2, but not on RC3

hoba

Everybody who is experiencing this problem please test the following:
Download and burn a RC3 livecd. Save your config.xml to a floppy to /conf/config.xml. Boot your machine up with floppy in drive and cdrom. Does it work then? If yes something broke somewhere along the upgrade(s). Reinstall pfSense with a fresh RC3 then (just hit option 99 and it will move your config.xml from the floppy over too).

sullrich

Make sure the ftp helper is enabled on Interfaces -> LAN.

If this still does not work, reinstall.

sh_man

Ok. Tried using RC3 livecd with current config - no dice. Still no FTP out to the net.

Installed RC3 from the livecd onto disk - complete reformat job. Then tried RC3a and RC3b - no change.

Have gone back to RC2.

All I can think of is that I have not set things up "properly" for FTP and that RC3 is a bit more strict.

hoba

Please send your config to holger <dot>bauer <at>citec-ag <dot>de. I'll have a look if I can see something obvious.</dot></at></dot>

hoba

Ok, I think I know what's going on. You have a restrictive setup at your LAN, only letting out certain ports. Port 21 is not enough to make ftp work. It uses some other ports after it has connected to the server too (depending on active and passive mode, portrange configured at the server and so on). Add a rule at LAN (and on any other interface where you need ftp to be working):

pass, proto tcp, source <localsubnet>, port any, destination 127.0.0.1, port any, gateway default

This way the ftphelper is reachable for the clients to handle the other needed ports. Also make sure the ftphelper is enabled at all interfaces that need outgoing ftp. Note that the ftphelper will send all ftp connections to the main WAN, it is not able to make use of policybasedrouting or loadbalancing.

Let me know if this works.</localsubnet>

sullrich

Yes, the FTP rules have been moved to after the USER RULES.  Prior the system would allow FTP no matter what before the USER RULES.  So what has happened is your restrictive LAN rules are now working correctly.

sh_man

Thanks for that. I'll get on to sorting it in the morning! Too much like hard work to test from home ;)

hoba

@sullrich:

Yes, the FTP rules have been moved to after the USER RULES.  Prior the system would allow FTP no matter what before the USER RULES.  So what has happened is your restrictive LAN rules are now working correctly.

It's not a bug, it's a feature  ;D

sh_man

Just tested and it works fine. Thanks guys.

Turns out that I have a catch all rule on the LAN to send traffic over the OPT1 interface. As the ftphelper is WAN that did not help. Some FTP clients work with the rule hoba gave above, others - like Adobe GoLive - needed a bit of a catch all for the specific machine to ensure that all the traffic goes via WAN.

Voami

I'm also having a problem with internet FTP on RC3.

Issue
–---

• We have an app that connnects to an ftp server in the traditional manner (i.e., non-passively)

• A tcpdump from the WAN interface of pfsense shows that login is successful, but pfsense is not properly mapping the internal client IP to the external IP of the firewall

230 Login successful.
type I
200 Switching to Binary mode.
syst
215 UNIX Type: L8
PORT 10,1,0,51,63,34
500 Illegal PORT command.

Configuration
–----------

• 2 WAN interfaces, but only one has outbound NAT configured (other is solely for server external availability)

• "Disable userland helper" is unchecked on all interfaces; ps shows that FTP helper is running on the LAN, and on all other internal interfaces as well

proxy  582  0.0  0.3  656  416  ??  Ss    7:17AM  0:00.38 /usr/local/sbin/pftpx -c 8021 -g 8021 <pf.sense.lan.address>proxy  598  0.0  0.4  656  452  ??  Ss    7:17AM  0:00.41 /usr/local/sbin/pftpx -c 8023 -g 8021 <pf.sense.int2.address>proxy  606  0.0  0.4  656  452  ??  Ss    7:17AM  0:00.41 /usr/local/sbin/pftpx -c 8024 -g 8021 <pf.sense.int3.address>* FTP RFC 959 data port violation workaround: Enabled

• The rule allowing the FTP traffic out
  *  LAN net  *  ! DMZNetworks  *  *  Default LAN ->anywhere but DMZs

  Which should also cover hoba's directive:
  @hoba:

  pass, proto tcp, source <localsubnet>, port any, destination 127.0.0.1, port any, gateway default

  This way the ftphelper is reachable for the clients to handle the other needed ports. Also make sure the ftphelper is enabled at all interfaces that need outgoing ftp. Note that the ftphelper will send all ftp connections to the main WAN, it is not able to make use of policybasedrouting or loadbalancing.</localsubnet>

I suspect i'm doing something wrong?
Your kind insights are appreciated.</pf.sense.int3.address></pf.sense.int2.address></pf.sense.lan.address>

Gertjan

@Voami:

• 2 WAN interfaces, but only one has outbound NAT configured (other is solely for server external availability)

• "Disable userland helper" is unchecked on all interfaces; ps shows that FTP helper is running on the LAN, and on all other internal interfaces as well

proxy   582  0.0  0.3   656   416  ??  Ss    7:17AM   0:00.38 /usr/local/sbin/pftpx -c 8021 -g 8021 <pf.sense.lan.address>proxy   598  0.0  0.4   656   452  ??  Ss    7:17AM   0:00.41 /usr/local/sbin/pftpx -c 8023 -g 8021 <pf.sense.int2.address>proxy   606  0.0  0.4   656   452  ??  Ss    7:17AM   0:00.41 /usr/local/sbin/pftpx -c 8024 -g 8021 <pf.sense.int3.address>ps

pftpx</pf.sense.int3.address></pf.sense.int2.address></pf.sense.lan.address>

Voami

@Gertjan:

Is your ps list complete here ?
Check some other posts (threads) about FTP and you'll find out that one more important pftpx task isn't running (doesn't show up in the list above).
It's the one that actually maps your WAN:21 port to your LAN_IP:21 port.

outbound

@Gertjan:

Whats syslog saying about pftpx (or: what says pftpx in the syslog) ?

• Running on an embedded platform

• Currently running bare RC3 (will patch up to RC3e at next reboot opportunity)

Voami

Applied all patches through RC3e, and after boot, still only see:

ps waux | grep ftp | grep -v grep

proxy  579  0.0  0.3  656  416  ??  Ss    8:45PM  0:00.01 /usr/local/sbin/pftpx -c 8021 -g 8021 <pfsense lan="" ip="">proxy  593  0.0  0.4  656  452  ??  Ss    8:45PM  0:00.01 /usr/local/sbin/pftpx -c 8023 -g 8021 <pfsense lan2="" ip="">proxy  601  0.0  0.4  656  452  ??  Ss    8:45PM  0:00.01 /usr/local/sbin/pftpx -c 8024 -g 8021 <pfsense lan3="" ip="">And no failure messages from pftpx in syslog. What are the conditions under which the missing task needs to run?</pfsense></pfsense></pfsense>

Gertjan

Shoot…

In my last post I was writing an answer based/concerning incoming FTP.
In your case, all is already up to handle outgoing ftp.
This must be a firewall question (or related) because 'from the box' FTP just works great - I use RC3e.
Using two internal interfaces this gives me:

ps auwx | grep pftpx | grep -v grep

proxy    612  0.0  0.1  656  424  ??  Ss  Fri12PM  0:00.47 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
proxy  29739  0.0  0.1  656  532  ??  Ss    5:17PM  0:00.00 /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1

Gertjan

To see some more info in the syslog, I killed all pftpx process, and restared them by hand like this:

killall pftpx

/usr/local/sbin/pftpx -D 7 -c 8021 -g 8021 192.168.1.1

/usr/local/sbin/pftpx -D 7 -c 8022 -g 8021 192.168.2.1

Remember, I have two interfaces.

I start - and stopped - a FTP session from a LAN client (192.168.1.15), the  syslog output was then:

…
Oct 7 17:28:34 pftpx[30327]: #1 ending session
Oct 7 17:28:34 pftpx[30327]: #1 server close
#Oct 7 17:23:34 pftpx[30327]: #1 passive: client to server port 36285 via port 57466
Oct 7 17:23:27 pftpx[30327]: #1 FTP session 1/100 started: client 192.168.1.15 to server 64.193.213.135 via proxy 82.128.125.169
Oct 7 17:23:09 pftpx[30331]: listening on 127.0.0.1 port 8022
Oct 7 17:23:09 pftpx[30331]: listening on 127.0.0.1 port 8022
Oct 7 17:23:00 pftpx[30327]: listening on 127.0.0.1 port 8021
Oct 7 17:23:00 pftpx[30327]: listening on 127.0.0.1 port 8021
Oct 7 17:22:48 pftpx[29739]: pftpx exiting on signal 15
Oct 7 17:22:48 pftpx[29739]: pftpx exiting on signal 15
…

Voami

@Gertjan:

To see some more info in the syslog, I killed all pftpx process, and restared them by hand…
...
I start - and stopped - a FTP session from a LAN client (192.168.1.15)

I did the same:

• Killed all pftpx instantiations

• Restarted them with the -D 7 argument

• Tried an ftp connection. Result:

• FTP connection fails with

and there was no indication in the syslog that pftpx was grabbing it.

I located man pages and source code for pftpx, and the problem that I seem to be finding is a lack of an rdr rule to redirect traffic on my primary LAN to the pftpx daemon:

nat-anchor "pftpx/" all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on WAN inet from lan.1.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.2.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.3.ip.addr to any -> (sis3) round-robin
rdr-anchor "pftpx/" all
rdr-anchor "slb" all
no rdr on  LAN_3 proto tcp from any to <vpns>port = ftp
rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
no rdr on  LAN_2 proto tcp from any to <vpns>port = ftp
rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024
      –---   
<bunch of="" inbound="" rdr="" rules="" on="" wan="" interfaces="">------
rdr-anchor "miniupnpd" all</bunch></vpns></vpns>

Voami

Apologies for the previous incomplete post.

@Gertjan:

To see some more info in the syslog, I killed all pftpx process, and restared them by hand…
...
I start - and stopped - a FTP session from a LAN client (192.168.1.15)

I did the same:

• Killed all pftpx instantiations

• Restarted them with the -D 7 argument

• Tried an ftp connection. Result:

  • FTP connects and logs in, but an "ls" fails with  "500 Illegal PORT command rejected"

  • No indication in syslogs of any acivity with pftpx

==> pftpx is not getting connections from the primary LAN

I then located man pages and source code for pftpx, and understood that pf needs a port redirect rule for each internal network to redirect the ftp traffic to the proxy listening on port 802x.

==> Does this rule exists?

I find an rdr rule for two of my LANs, but none for my primary LAN (comments added are mine):

#pfctl -s nat
nat-anchor "pftpx/" all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on WAN inet from lan.1.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.2.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.3.ip.addr to any -> (sis3) round-robin
rdr-anchor "pftpx/" all
rdr-anchor "slb" all
no rdr on  LAN_3 proto tcp from any to <vpns>port = ftp
rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023    # for one LAN
no rdr on  LAN_2 proto tcp from any to <vpns>port = ftp
rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024    # for another LAN
      –---   
<bunch of="" inbound="" rdr="" rules="" on="" wan="" interfaces="">------
rdr-anchor "miniupnpd" all

What I must discover
–------------------

• Why do I not have a NAT rule to provide transparent proxying on the primary LAN, when it works on the others?

  • Could it be an artifact of once being configured with "disable userland proxy"?

• Any other suggestions on how to make this happen?</bunch></vpns></vpns>

cauly

doesn't work for mi  >:(

I have pfsense 1.0.1 and e ftp server listening in the port 2121 in the ip x.x.x.3

i try with Disable the userland FTP-Proxy application  and enable, in wan and lan interfaces; but nothing happens
I create the nat forwardi and the rule (automatically)

OrCAD

with my dual wan work only port 21 Active mode… if try to download or dir change with passive mode reply is very long time then disconnection. . . .

sullrich

RC3 is quite old.  I am locking this thread to avoid confusion.