Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    RC3 and FTP

    Scheduled Pinned Locked Moved General pfSense Questions
    27 Posts 10 Posters 13.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sh_man
      last edited by

      I upgraded to RC3 last night and killed all FTP access from LAN to WAN/OPT1 (using dual WAN setup). It worked fine with RC2 (I have rolled back to keep the users happy).

      Is there some config that I am missing that did not matter before RC3?

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan
        last edited by

        To use a FTP server on a PC in your LAN - and make it accesible from 'the world', you should do just this thing:
        Create a NAT-Rule on the WAN interface, port 21 to the FTP server IP, port 21.
        Automaticlay two rules will be created in the firewal list.

        Check that you didn't disable the "FTP Helper … Disable the userland FTP-Proxy application" option on the Interfaces->WAN  & Interfaces->LAN.

        Afterwards, you'll see a

        ps auwx | grep pftpx | grep -v grep

        proxy    617  0.0  0.1  656  420  ??  Ss  Mon12PM  0:00.47 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
        proxy  30379  0.0  0.1  656  488  ??  Ss    6:33PM  0:00.00 /usr/local/sbin/pftpx -f 192.168.1.2 -b 83.193.54.47 -c 21 -g 21

        83.193.54.47 => (my) WAN IP
        192.168.1.2 => (my) LAN "FTP server" IP

        This is enough to make FTP accesible from the 'outside'.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • S
          sh_man
          last edited by

          Thanks for that - but I am trying to get from the LAn to FTP servers out on the web - not the other way round.

          Literally, if I use RC3 it does not work, and RC2 it does work. No other settings are changed.

          1 Reply Last reply Reply Quote 0
          • D
            databeestje
            last edited by

            does the rc3a update fix your problem?

            1 Reply Last reply Reply Quote 0
            • H
              hoba
              last edited by

              Works fine here without issues. Also this is funny as somebody says just the opposite in this thread: http://forum.pfsense.org/index.php/topic,2281.msg13273.html#msg13273

              1 Reply Last reply Reply Quote 0
              • J
                jeroen234
                last edited by

                no problem here on rc3 rc3a or rc3b

                1 Reply Last reply Reply Quote 0
                • S
                  smeg9
                  last edited by

                  I too am experiencing this problem, cannot access FTP sites on the internet, from within our LAN.
                  worked on beta2, but not on RC3

                  1 Reply Last reply Reply Quote 0
                  • H
                    hoba
                    last edited by

                    Everybody who is experiencing this problem please test the following:
                    Download and burn a RC3 livecd. Save your config.xml to a floppy to /conf/config.xml. Boot your machine up with floppy in drive and cdrom. Does it work then? If yes something broke somewhere along the upgrade(s). Reinstall pfSense with a fresh RC3 then (just hit option 99 and it will move your config.xml from the floppy over too).

                    1 Reply Last reply Reply Quote 0
                    • S
                      sullrich
                      last edited by

                      Make sure the ftp helper is enabled on Interfaces -> LAN.

                      If this still does not work, reinstall.

                      1 Reply Last reply Reply Quote 0
                      • S
                        sh_man
                        last edited by

                        Ok. Tried using RC3 livecd with current config - no dice. Still no FTP out to the net.

                        Installed RC3 from the livecd onto disk - complete reformat job. Then tried RC3a and RC3b - no change.

                        Have gone back to RC2.

                        All I can think of is that I have not set things up "properly" for FTP and that RC3 is a bit more strict.

                        1 Reply Last reply Reply Quote 0
                        • H
                          hoba
                          last edited by

                          Please send your config to holger <dot>bauer <at>citec-ag <dot>de. I'll have a look if I can see something obvious.</dot></at></dot>

                          1 Reply Last reply Reply Quote 0
                          • H
                            hoba
                            last edited by

                            Ok, I think I know what's going on. You have a restrictive setup at your LAN, only letting out certain ports. Port 21 is not enough to make ftp work. It uses some other ports after it has connected to the server too (depending on active and passive mode, portrange configured at the server and so on). Add a rule at LAN (and on any other interface where you need ftp to be working):

                            pass, proto tcp, source <localsubnet>, port any, destination 127.0.0.1, port any, gateway default

                            This way the ftphelper is reachable for the clients to handle the other needed ports. Also make sure the ftphelper is enabled at all interfaces that need outgoing ftp. Note that the ftphelper will send all ftp connections to the main WAN, it is not able to make use of policybasedrouting or loadbalancing.

                            Let me know if this works.</localsubnet>

                            1 Reply Last reply Reply Quote 0
                            • S
                              sullrich
                              last edited by

                              Yes, the FTP rules have been moved to after the USER RULES.  Prior the system would allow FTP no matter what before the USER RULES.  So what has happened is your restrictive LAN rules are now working correctly.

                              1 Reply Last reply Reply Quote 0
                              • S
                                sh_man
                                last edited by

                                Thanks for that. I'll get on to sorting it in the morning! Too much like hard work to test from home ;)

                                1 Reply Last reply Reply Quote 0
                                • H
                                  hoba
                                  last edited by

                                  @sullrich:

                                  Yes, the FTP rules have been moved to after the USER RULES.  Prior the system would allow FTP no matter what before the USER RULES.  So what has happened is your restrictive LAN rules are now working correctly.

                                  It's not a bug, it's a feature  ;D

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    sh_man
                                    last edited by

                                    Just tested and it works fine. Thanks guys.

                                    Turns out that I have a catch all rule on the LAN to send traffic over the OPT1 interface. As the ftphelper is WAN that did not help. Some FTP clients work with the rule hoba gave above, others - like Adobe GoLive - needed a bit of a catch all for the specific machine to ensure that all the traffic goes via WAN.

                                    1 Reply Last reply Reply Quote 0
                                    • V
                                      Voami
                                      last edited by

                                      I'm also having a problem with internet FTP on RC3.

                                      Issue
                                      –---

                                      • We have an app that connnects to an ftp server in the traditional manner (i.e., non-passively)

                                      • A tcpdump from the WAN interface of pfsense shows that login is successful, but pfsense is not properly mapping the internal client IP to the external IP of the firewall

                                      230 Login successful.
                                      type I
                                      200 Switching to Binary mode.
                                      syst
                                      215 UNIX Type: L8
                                      PORT 10,1,0,51,63,34
                                      500 Illegal PORT command.

                                      Configuration
                                      –----------

                                      • 2 WAN interfaces, but only one has outbound NAT configured (other is solely for server external availability)

                                      • "Disable userland helper" is unchecked on all interfaces; ps shows that FTP helper is running on the LAN, and on all other internal interfaces as well

                                      proxy  582  0.0  0.3  656  416  ??  Ss    7:17AM  0:00.38 /usr/local/sbin/pftpx -c 8021 -g 8021 <pf.sense.lan.address>proxy  598  0.0  0.4  656  452  ??  Ss    7:17AM  0:00.41 /usr/local/sbin/pftpx -c 8023 -g 8021 <pf.sense.int2.address>proxy  606  0.0  0.4  656  452  ??  Ss    7:17AM  0:00.41 /usr/local/sbin/pftpx -c 8024 -g 8021 <pf.sense.int3.address>* FTP RFC 959 data port violation workaround: Enabled

                                      • The rule allowing the FTP traffic out
                                        *  LAN net  *  ! DMZNetworks  *  *  Default LAN ->anywhere but DMZs

                                        Which should also cover hoba's directive:
                                        @hoba:

                                        pass, proto tcp, source <localsubnet>, port any, destination 127.0.0.1, port any, gateway default

                                        This way the ftphelper is reachable for the clients to handle the other needed ports. Also make sure the ftphelper is enabled at all interfaces that need outgoing ftp. Note that the ftphelper will send all ftp connections to the main WAN, it is not able to make use of policybasedrouting or loadbalancing.</localsubnet>

                                      I suspect i'm doing something wrong?
                                      Your kind insights are appreciated.</pf.sense.int3.address></pf.sense.int2.address></pf.sense.lan.address>

                                      1 Reply Last reply Reply Quote 0
                                      • GertjanG
                                        Gertjan
                                        last edited by

                                        @Voami:

                                        • 2 WAN interfaces, but only one has outbound NAT configured (other is solely for server external availability)

                                        • "Disable userland helper" is unchecked on all interfaces; ps shows that FTP helper is running on the LAN, and on all other internal interfaces as well

                                        proxy   582  0.0  0.3   656   416  ??  Ss    7:17AM   0:00.38 /usr/local/sbin/pftpx -c 8021 -g 8021 <pf.sense.lan.address>proxy   598  0.0  0.4   656   452  ??  Ss    7:17AM   0:00.41 /usr/local/sbin/pftpx -c 8023 -g 8021 <pf.sense.int2.address>proxy   606  0.0  0.4   656   452  ??  Ss    7:17AM   0:00.41 /usr/local/sbin/pftpx -c 8024 -g 8021 <pf.sense.int3.address>ps

                                        pftpx</pf.sense.int3.address></pf.sense.int2.address></pf.sense.lan.address>

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        1 Reply Last reply Reply Quote 0
                                        • V
                                          Voami
                                          last edited by

                                          @Gertjan:

                                          Is your ps list complete here ?
                                          Check some other posts (threads) about FTP and you'll find out that one more important pftpx task isn't running (doesn't show up in the list above).
                                          It's the one that actually maps your WAN:21 port to your LAN_IP:21 port.

                                          outbound

                                          @Gertjan:

                                          Whats syslog saying about pftpx (or: what says pftpx in the syslog) ?

                                          • Running on an embedded platform

                                          • Currently running bare RC3 (will patch up to RC3e at next reboot opportunity)

                                          1 Reply Last reply Reply Quote 0
                                          • V
                                            Voami
                                            last edited by

                                            Applied all patches through RC3e, and after boot, still only see:

                                            ps waux | grep ftp | grep -v grep

                                            proxy  579  0.0  0.3  656  416  ??  Ss    8:45PM  0:00.01 /usr/local/sbin/pftpx -c 8021 -g 8021 <pfsense lan="" ip="">proxy  593  0.0  0.4  656  452  ??  Ss    8:45PM  0:00.01 /usr/local/sbin/pftpx -c 8023 -g 8021 <pfsense lan2="" ip="">proxy  601  0.0  0.4  656  452  ??  Ss    8:45PM  0:00.01 /usr/local/sbin/pftpx -c 8024 -g 8021 <pfsense lan3="" ip="">And no failure messages from pftpx in syslog. What are the conditions under which the missing task needs to run?</pfsense></pfsense></pfsense>

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.