Netgate Discussion Forum
    [SOLVED] FTP server behind pfsense, cannot download from server

    • BerSerK

      Hi,

      I have a public ip with NAT 1:1, proxyARP VirtualIP and port forward to allow connectivity to an FTP server.

      I can connect to the server and upload files but I cannot download anything…

      FileZilla says:

      Commande :	PASV
      Réponse:	227 Entering Passive Mode (192,168,251,10,252,111)
      Commande :	RETR aws
      Réponse:	150 Opening ASCII mode data connection for aws (49907 bytes)
      

      After a while it times out…

      I don't get it... and need help!

      Thanks

      • GruensFroeschli

        Did you configure a passive port range?
        Did you create firewall rules allowing this passive portrange?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • BerSerK

          Yes, I have a "Ports" alias containing port 21 and 49152 to 65534. Then I made a rule on my WAN interface to forward those ports to my server's local DMZ IP.

          Thanks for the reply.

          • GruensFroeschli

            I assume you created the additional port forward to trigger port forwards.
            This will not work since 49152-65534 is a bigger range than 500 ports.
            Read the note next to NAT reflection telling you that you cannot reflect ranges bigger than 500 ports.
            Also you cannot reflect more than 1000 ports overall.

            In your case I wouldn't bother with NAT reflection and set up split DNS for this server.

            • BerSerK

              I cannot use a port range bigger than 500?

              From my LAN I connect to the FTP server with the local DMZ IP 192.168.251.10 and from the internet I use my public IP. Do I still need split DNS?

              Thanks

              • GruensFroeschli

                You cannot reflect with NAT reflection port ranges bigger than 500.
                You CAN forward port ranges bigger than 500.

                But now I'm a bit confused.
                Are you using 1:1 NAT or are you using port forwards?

                If you connect locally to the server with its internal IP then the request never goes over the pfSense.
                Are you telling me it doesn't work even if you connect with the local IP directly?
                In this case you have a misconfiguration on the server.

                • BerSerK

                  You're right, I'm not clear.

                  I use NAT 1:1.

                  So what I meant was that I have a firewall rule permitting the FTP ports on my WAN interface.

                  • BerSerK

                    Ok, I found another strange thing.

                    If I ping the server in the DMZ from a PC in my LAN with this:

                    ping -l 1000 192.168.251.10
                    

                    ping replies are fine, but if I do this:

                    ping -l 2000 192.168.251.10
                    

                    no ping replies…

                    So I guess I have a network config problem somewhere, what do you think?

                    • GruensFroeschli

                      What is the -1 2000 option?

                      If you look at the firewall log: Do you see anything blocked?
                      If you do a TCP dump on the LAN and the DMZ, are the same packets getting through?

                      • BerSerK

                        The "-l" option is the send buffer size.

                        But I noticed that my problem is not with proftpd; it has something to do with the network, because I also have problems with my SSH sessions: they time out when I do something like "cat /var/log/dmesg"… so I'm still looking for the problem.

                        I'll be doing more tests in the coming week.

                        Thanks a lot for your help!

                        • danswartz

                          Sounds like fragmentation is not being handled correctly.

                          • BerSerK

                            Setting the MTU on my WAN interface to 1496 fixed the problem.

                            http://forum.pfsense.org/index.php/topic,13014.0.html

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.