FTP problem since RC3 –> RC3e and now also 1.0 RELEASE



  • I got a small problem since I installed RC3 and installed all the patches till RC3e which is taking forever because each time the firewall reboots and then you can install the next patch.

    My problem is that I can reach FTP servers outside of my network however I can't reach my own FTP server anymore which is on a different subnet which is connected to different network port on the firewall (pfSense).

    Before RC3 it worked perfectly and I remember that I had to activate a checkbox so that internal servers would not be reached directly. I can't find that checkbox now.

    Greetings, Marcel



  • Have a look at this thread - I suspect you have the same problem I did but in a slightly different way  :)

    http://forum.pfsense.org/index.php/topic,2282.0.html



  • It is even worse than I thought. I can go to external FTP servers with no problem as I wrote yesterday. I am now at home and wanted to contact the server….no FTP no HTTP no SSH so it must be the NAT that is broken now however this NAT is from the outside to the internal server however internal to internal on different subnet did not work either.

    I have updated from the latest RC2 to RC3 and when I discovered the problem I updated from RC3-->a-->b-->c-->d-->e and I still got the problem, which I now discover is even more serious.

    I will re-enter the NAT rule on Monday and I hope the problem will be resolved then.

    Marcel



  • Do you have NAT reflection on?
    If not, then that's your problem: you need NAT reflection to use your outside IP address from the inside.



  • HTTP and SSH are working inside the network, only FTP did not (passive or active), and I am now going to look at the NAT because from the outside I could not reach the server (HTTP/SSH/FTP).

    Will keep you informed.

    Greeting, Marcel



  • NAT reflection makes no difference and I can reach my other subnet with NAT reflection enabled or with NAT reflection disabled, and I don't have any static routes enabled.

    I think the best is that I go back to RC2 because that one was working for me….....

    Greeting, Marcel



  • Best thing is a fresh reinstall of RC3 unless you want to stay at RC2 forever. It's working just fine. Either something broke somewhere along the upgrade with your config or there is some kind of misconfiguration.



  • Will do and I will install the live CD and then restore the configuration pre-RC3.

    Is there any way to install the updates a,b,c,d,e faster than through the webshell? It takes ages before I have installed the updates and the computer has to reboot after every update.

    Greetings, Marcel



  • Not atm but RC4 is already in the pipe. Maybe you want to hold up the reinstall until it gets released.



  • I am back on RC2 without the patches because the patch to 'i' was removed from the Sullrich directory and my internal FTP is working again AND AM SOOOOO PLEASED WITH IT!!

    I tried to install the Live CD of RC3 however it did wanted to boot so I said SCREW YOU and burned RC2 to be on the safe side and will try RC4 when it comes available.

    I had REALLY REALLY no luck with RC3 so I hope RC4 will be a breeze to install and use.

    Greetings, Marcel



  • I still have the same problem and it is also in 1.0 RELEASE. I can log in from the FTP client to the FTP server from one subnet to another subnet; however, I never get a listing of the files. Not on active, not on passive.

    I can SSH and HTTP to the server however on FTP I can connect however I don't get a listing???

    This problem is since RC3!

    Greetings, Marcel



  • The symptoms you are describing are VERY similar to the ones I had.

    If you have the "Disable the userland FTP-Proxy application" unchecked on your LAN interface it will be expecting FTP traffic to be going through WAN interface.

    I had all my routes going through OPT1 so it logged on to the FTP server OK but then no list. Changed my default route to WAN and it works OK.

    The comment was given that the FTP helper had been moved from before the user rules to after the user rules in RC3.

    FTP uses different ports to set up the connection and actually transfer data, so the initial bit works fine but the second set of ports never connect because the routing is incorrect.



  • Please see http://cvstrac.pfsense.com/tktview?tn=1138,6 for a known issue and a workaround when using multiwan with ftphelper and natreflection.



  • The mentioned workaround worked one time and then it stopped working.

    I am going back to RC2 again for the second time  till this problem is resolved.

    Greetings, Marcel



  • The workaround works fine, even after more than 1 day now at my office setup (dual wan setup utilizing policybasedrouting and a loadbalance anything rule at the bottom with 2 internal subnets, LAN and DMZ). I can use ftp in active and passive mode to different servers. I just checked and verified this once again. After applying the workaround reset states just to make sure. Also move the rule to the very top of your rules on each interface where you need it (usually internal interfaces).



  • @msatter:

    The mentioned workaround worked one time and then it stopped working.

    I am going back to RC2 again for the second time  till this problem is resolved.

    Greetings, Marcel

    The problem IS solved, you really need to listen to hoba!



  • Course I am listening to Hoba and I tried it two times and it just won't "budge". When I am looking at the status no UDP is showing up internal and external there is UDP connection on FTP when I connect to an external FTP.

    I am using aliases for the source and the ports in the rules (ports 20 and 21) to reach my internal FTP server. I even removed all my loadbalancing and also in the rules.

    I don't have a loadbalance anything rule, only the built-in block anything rule at the end, which you don't see in the list, only in the comment underneath.

    I am now on RC2 on a USB stick and my HDD contains 1.0 release so I can experiment with different setting after boot-up from stick or HDD.

    I don't know what is going wrong and I put all the lines in place as suggested however no result after it worked for one time.

    Greetings, Marcel

    edit: I can HTTP the server, I can SSH the server, I have a connect FTP to the server however no LIST-ing of the files



  • I had problems with FTP before RC3, however with the 1.0-RELEASE it works great. Start over from scratch. Add the FTP rule and make sure you uncheck disable FTP helper on the WAN interface. It will just work.



  • @msatter:

    I am using aliases for the source and the ports in the rules (ports 20 and 21) to reach my internal FTP server. I even removed all my loadbalancing and also in the rules.

    ftp happens on more than these 2 ports. In case you have a restrictive ruleset you need to allow connections to the ftphelper to open additionally needed ports.
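
    Added example, not part of any post in this thread: a Python sketch of why a ruleset that only passes ports 20 and 21 lets the login succeed but leaves LIST hanging unless a helper such as pftpx reads the control channel and opens the negotiated data port. The session lines, IP addresses and function names are constructed for illustration.

```python
import re

ALLOWED_PORTS = {20, 21}  # assumption: the restrictive rule described in the thread

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 PASV reply, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"
    elif line.startswith("227"):
        mode = "passive"
    else:
        return None
    m = _TUPLE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # h1,h2,h3,h4 are the address octets; the port is p1*256 + p2
    return mode, ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def needed_flows(session, client_ip, server_ip):
    """List the (src, dst, dst_port) flows a firewall must pass for this session."""
    flows = [(client_ip, server_ip, 21)]          # control connection
    for line in session:
        ep = data_endpoint(line)
        if ep is None:
            continue
        mode, ip, port = ep
        if mode == "passive":
            flows.append((client_ip, ip, port))   # client dials the server's port
        else:
            flows.append((server_ip, ip, port))   # server dials back to the client
    return flows

def blocked(flows, allowed=ALLOWED_PORTS):
    """Flows whose destination port the static ruleset does not cover."""
    return [f for f in flows if f[2] not in allowed]

# Constructed control-channel excerpts (LAN client 192.168.1.50, DMZ server 192.168.2.10)
PASSIVE = ["USER demo", "331 Password required", "PASV",
           "227 Entering Passive Mode (192,168,2,10,195,80)", "LIST"]
ACTIVE = ["PORT 192,168,1,50,156,64", "200 PORT command successful", "LIST"]

if __name__ == "__main__":
    for name, session in (("passive", PASSIVE), ("active", ACTIVE)):
        print(name, blocked(needed_flows(session, "192.168.1.50", "192.168.2.10")))
```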



  • !!!!!!!!WORKAROUND!!!!!!!!!!!

    Finally solved after skipping RC3 and almost REL 1.0 I found the trouble maker and now I can connect!!!!!!

    It was in Ticket 15066 / 15067. I have now deactivated the block all to DMZ (the other subnet) rule on the LAN (sorry, I am really restrictive in my rules).

    I can now proceed with implementing the firewall because this "not working as expected" part of the pfSense firewall drove me almost nuts because Hoba and Sullrich kept telling me that it should work as expected.

    One happy pfSense user, Marcel

    Check-in Number:  15067
    Date: 2006-Oct-17 17:28:17 (local)
    2006-Oct-17 21:28:17 (UTC)
    User: sullrich
    Branch:
    Comment: Woops, we need the ftp anchor BEFORE the user rules, and the initial PASS rules AFTER.

    This controls the initial port 21 connection and once that is allowed through the ftp rules installed by pftpx should bypass USER_RULES.
    Tickets:
    Inspections:
    Files:
    pfSense/etc/inc/filter.inc      1.922 -> 1.923     4 inserted, 3 deleted



  • This bug has been fixed.  A new release will be forthcoming in the next couple weeks.



  • @hoba:

    The workaround works fine, even after more than 1 day now at my office setup (dual wan setup utilizing policybasedrouting and a loadbalance anything rule at the bottom with 2 internal subnets, LAN and DMZ). I can use ftp in active and passive mode to different servers. I just checked and verified this once again. After applying the workaround reset states just to make sure. Also move the rule to the very top of your rules on each interface where you need it (usually internal interfaces).

    Really strange,
    I also have a dual WAN config with standard gateway for most things (except port 80) on opt1 and problems with external ftp servers.
    I applied the workaround on http://cvstrac.pfsense.com/tktview?tn=1138,6 and now active ftp works as it should but with passive ftp I get no directory listing from the external ftp server.
    Is there another workaround for this  ;)
    Greetings,
    techatdd



  • Hoba tx a lot. You made my day :D Couldn't understand why it wouldn't work after RC3…

