RC3 and FTP
-
I upgraded to RC3 last night and killed all FTP access from LAN to WAN/OPT1 (using dual WAN setup). It worked fine with RC2 (I have rolled back to keep the users happy).
Is there some config that I am missing that did not matter before RC3?
-
To use an FTP server on a PC in your LAN - and make it accessible from 'the world', you should do just this thing:
Create a NAT rule on the WAN interface, port 21 to the FTP server IP, port 21.
Automatically two rules will be created in the firewall list. Check that you didn't disable the "FTP Helper … Disable the userland FTP-Proxy application" option on the Interfaces->WAN & Interfaces->LAN.
Afterwards, you'll see a
ps auwx | grep pftpx | grep -v grep
proxy 617 0.0 0.1 656 420 ?? Ss Mon12PM 0:00.47 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
proxy 30379 0.0 0.1 656 488 ?? Ss 6:33PM 0:00.00 /usr/local/sbin/pftpx -f 192.168.1.2 -b 83.193.54.47 -c 21 -g 21
83.193.54.47 => (my) WAN IP
192.168.1.2 => (my) LAN "FTP server" IP
This is enough to make FTP accessible from the 'outside'.
-
Thanks for that - but I am trying to get from the LAN to FTP servers out on the web - not the other way round.
Literally, if I use RC3 it does not work, and RC2 it does work. No other settings are changed.
-
does the rc3a update fix your problem?
-
Works fine here without issues. Also this is funny as somebody says just the opposite in this thread: http://forum.pfsense.org/index.php/topic,2281.msg13273.html#msg13273
-
no problem here on rc3 rc3a or rc3b
-
I too am experiencing this problem, cannot access FTP sites on the internet, from within our LAN.
worked on beta2, but not on RC3
-
Everybody who is experiencing this problem please test the following:
Download and burn a RC3 livecd. Save your config.xml to a floppy to /conf/config.xml. Boot your machine up with floppy in drive and cdrom. Does it work then? If yes something broke somewhere along the upgrade(s). Reinstall pfSense with a fresh RC3 then (just hit option 99 and it will move your config.xml from the floppy over too).
-
Make sure the ftp helper is enabled on Interfaces -> LAN.
If this still does not work, reinstall.
-
Ok. Tried using RC3 livecd with current config - no dice. Still no FTP out to the net.
Installed RC3 from the livecd onto disk - complete reformat job. Then tried RC3a and RC3b - no change.
Have gone back to RC2.
All I can think of is that I have not set things up "properly" for FTP and that RC3 is a bit more strict.
-
Please send your config to holger <dot>bauer <at>citec-ag <dot>de. I'll have a look if I can see something obvious.
-
Ok, I think I know what's going on. You have a restrictive setup at your LAN, only letting out certain ports. Port 21 is not enough to make ftp work. It uses some other ports after it has connected to the server too (depending on active and passive mode, portrange configured at the server and so on). Add a rule at LAN (and on any other interface where you need ftp to be working):
pass, proto tcp, source <localsubnet>, port any, destination 127.0.0.1, port any, gateway default
This way the ftphelper is reachable for the clients to handle the other needed ports. Also make sure the ftphelper is enabled at all interfaces that need outgoing ftp. Note that the ftphelper will send all ftp connections to the main WAN, it is not able to make use of policybasedrouting or loadbalancing.
Let me know if this works.
-
Yes, the FTP rules have been moved to after the USER RULES. Prior the system would allow FTP no matter what before the USER RULES. So what has happened is your restrictive LAN rules are now working correctly.
-
Thanks for that. I'll get on to sorting it in the morning! Too much like hard work to test from home ;)
-
It's not a bug, it's a feature ;D
-
Just tested and it works fine. Thanks guys.
Turns out that I have a catch all rule on the LAN to send traffic over the OPT1 interface. As the ftphelper is WAN that did not help. Some FTP clients work with the rule hoba gave above, others - like Adobe GoLive - needed a bit of a catch all for the specific machine to ensure that all the traffic goes via WAN.
-
I'm also having a problem with internet FTP on RC3.
Issue
-----
We have an app that connects to an ftp server in the traditional manner (i.e., non-passively)
-
A tcpdump from the WAN interface of pfsense shows that login is successful, but pfsense is not properly mapping the internal client IP to the external IP of the firewall
230 Login successful.
type I
200 Switching to Binary mode.
syst
215 UNIX Type: L8
PORT 10,1,0,51,63,34
500 Illegal PORT command.
Configuration
-------------
2 WAN interfaces, but only one has outbound NAT configured (other is solely for server external availability)
-
"Disable userland helper" is unchecked on all interfaces; ps shows that FTP helper is running on the LAN, and on all other internal interfaces as well
proxy 582 0.0 0.3 656 416 ?? Ss 7:17AM 0:00.38 /usr/local/sbin/pftpx -c 8021 -g 8021 <pf.sense.lan.address>
proxy 598 0.0 0.4 656 452 ?? Ss 7:17AM 0:00.41 /usr/local/sbin/pftpx -c 8023 -g 8021 <pf.sense.int2.address>
proxy 606 0.0 0.4 656 452 ?? Ss 7:17AM 0:00.41 /usr/local/sbin/pftpx -c 8024 -g 8021 <pf.sense.int3.address>
* FTP RFC 959 data port violation workaround: Enabled
-
The rule allowing the FTP traffic out
* LAN net * ! DMZNetworks * * Default LAN -> anywhere but DMZs
Which should also cover hoba's directive:
@hoba: pass, proto tcp, source <localsubnet>, port any, destination 127.0.0.1, port any, gateway default
This way the ftphelper is reachable for the clients to handle the other needed ports. Also make sure the ftphelper is enabled at all interfaces that need outgoing ftp. Note that the ftphelper will send all ftp connections to the main WAN, it is not able to make use of policybasedrouting or loadbalancing.
I suspect I'm doing something wrong?
Your kind insights are appreciated.
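An added example (my own Python, not code from the thread or from pfSense) that ties together hoba's point earlier in the thread that passing port 21 alone does not cover FTP, and the tcpdump excerpt in the post above. It parses an FTP control-channel transcript, decodes the RFC 959 h1,h2,h3,h4,p1,p2 notation in PORT commands and PASV replies into the data-channel endpoints a firewall would have to allow, and flags an active-mode PORT that still advertises a private LAN address, which is what a NAT helper such as pftpx should have rewritten before the server saw it (the server's "500 Illegal PORT command" is the visible symptom). The transcript is constructed from the lines above plus a made-up PASV exchange; the 203.0.113.x addresses and the WAN address are placeholders.

```python
"""Decode FTP data-channel announcements from a control-channel transcript.

Added example, not code from the thread or from pfSense. It shows why a LAN
rule that only passes destination port 21 is not enough (the data channel
uses other, negotiated ports) and what a '500 Illegal PORT command' after
NAT means: the client's private address reached the server un-rewritten.
"""
import ipaddress
import re

# Constructed sample: the PORT lines mirror the tcpdump excerpt in the thread
# (client 10.1.0.51 behind NAT); the PASV exchange is made up for contrast.
# 203.0.113.x are documentation addresses standing in for real public IPs.
SAMPLE_TRANSCRIPT = """\
230 Login successful.
TYPE I
200 Switching to Binary mode.
SYST
215 UNIX Type: L8
PORT 10,1,0,51,63,34
500 Illegal PORT command.
PASV
227 Entering Passive Mode (203,0,113,10,195,80).
"""

# RFC 959 host/port notation: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?" + _HOSTPORT)


def decode_hostport(groups):
    """Turn the six captured decimal fields into an (ip, port) tuple."""
    h = [int(g) for g in groups]
    return ".".join(str(x) for x in h[:4]), h[4] * 256 + h[5]


def encode_port_command(ip, port):
    """Build a PORT line with the given address substituted (a real helper
    would also substitute a listening port of its own; same port kept here)."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def data_channels(transcript):
    """Return one dict per data-channel announcement found in the transcript.

    'active': the client tells the server where to connect back to. Behind
    NAT the advertised address must be the firewall's public IP; a private
    address here means the helper never rewrote the command, so the server
    rightly rejects it.
    'passive': the client will connect out to a server-chosen port, which a
    LAN rule restricted to destination port 21 silently blocks.
    """
    found = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            found.append({
                "mode": "active",
                "ip": ip,
                "port": port,
                "needs_rewrite": ipaddress.ip_address(ip).is_private,
            })
            continue
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            found.append({"mode": "passive", "ip": ip, "port": port,
                          "needs_rewrite": False})
    return found


def passive_destinations(channels):
    """Server (ip, port) pairs a port-21-only LAN rule would still block."""
    return sorted({(c["ip"], c["port"]) for c in channels if c["mode"] == "passive"})


if __name__ == "__main__":
    wan_ip = "203.0.113.1"  # placeholder for the firewall's WAN address
    channels = data_channels(SAMPLE_TRANSCRIPT)
    for ch in channels:
        print(ch)
        if ch["needs_rewrite"]:
            print("  helper should have sent:", encode_port_command(wan_ip, ch["port"]))
    print("passive endpoints to allow:", passive_destinations(channels))
```

Running it on the sample prints the active PORT entry with needs_rewrite set (10.1.0.51 is RFC 1918, so the helper was bypassed) and one passive endpoint on port 50000, the kind of destination that never matches a rule allowing only port 21.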
-
Is your ps list complete here?
Check some other posts (threads) about FTP and you'll find out that one more important pftpx task isn't running (doesn't show up in the list above).
It's the one that actually maps your WAN:21 port to your LAN_IP:21 port.
outbound
What's syslog saying about pftpx (or: what does pftpx say in the syslog)?
-
Running on an embedded platform
-
Currently running bare RC3 (will patch up to RC3e at next reboot opportunity)
-
-
Applied all patches through RC3e, and after boot, still only see:
ps waux | grep ftp | grep -v grep
proxy 579 0.0 0.3 656 416 ?? Ss 8:45PM 0:00.01 /usr/local/sbin/pftpx -c 8021 -g 8021 <pfsense lan ip>
proxy 593 0.0 0.4 656 452 ?? Ss 8:45PM 0:00.01 /usr/local/sbin/pftpx -c 8023 -g 8021 <pfsense lan2 ip>
proxy 601 0.0 0.4 656 452 ?? Ss 8:45PM 0:00.01 /usr/local/sbin/pftpx -c 8024 -g 8021 <pfsense lan3 ip>
And no failure messages from pftpx in syslog. What are the conditions under which the missing task needs to run?