Passive FTP works with port forward from WAN only…



  • Hello,

I configure pfSense with 2 NAT rules (+firewall rules) for LAN FTP server access:

• Disable FTP helper is checked on WAN+LAN
    • Source: *   Port: FTP   Destination: 192.168.10.8
    • Source: *   Port range: 55536-55540   Destination: 192.168.10.8

    I configure my FTP (NAS qnap ts-639) with the same port range and the external IP address (WAN static IP)

Everything works fine from outside but I'm unable to connect from the LAN:

When I use ftp.mydomain.com I just get "Connection to 94.xx.xx.xx" ... in my FTP client,
    and then I get a timeout.
    When I try with the internal IP (192.168.10.8), I'm blocked at:
    PASV
    Réponse : 227 Entering Passive Mode (94,xxx,xxx,xxx,216,242).
    Commande : LIST
    .....

It's my first time with pfSense, so perhaps I have to add a rule on my LAN, but I already have an
    any-to-any PASS rule...

    Thanks for your help,

    Sam





  • Thanks for this link.

I tried the second method (split DNS) and I get the same result:

    PASV
    Réponse :  227 Entering Passive Mode (94,xxx,xxx,xxx,216,242).
    Commande :  LIST

It's probably because I try to connect to 192.168.10.8 directly and the FTP server gives back the external IP address. The first method is probably better in this case?



  • Shouldn't you be able to configure your FTP-server to listen/answer with the internal and the external address?
If you cannot connect directly with the internal IP there is something misconfigured.



Oops, something went wrong with the FTP I think; after a reboot, I can connect directly with the internal IP, but it's very slow:
    with IPCop (before) I had 20 MB/s and now 500-600 KB/s...
    Sometimes FileZilla returns an FTP socket connection error.



So you only have 500~600 kbps even if you leave out the pfSense completely and connect to the FTP server directly with its internal IP?

    Or are you connecting via the pfSense to the internal IP?



  • sdeplo, so you've done NAT-reflection, right? For all ports?

    @GruensFroeschli:

If you cannot connect directly with the internal IP there is something misconfigured.

The problem is in passive mode, as the server is configured to return the public IP in response to the PASV command. It does not matter where he connects to this FTP server from, from the public side or locally: the server always responds with the configured IP.



  • According to the sticky at the top of this forum, you should enable the helper on the WAN.

Then, the only rule you need to set up is a NAT one, to forward FTP port 21 to the server.  You should also configure the server to give out its own IP.

    That's exactly how I have my system set up, and external clients get my external IP, and internal clients get the internal IP.

    Cheers.



  • @EddieA:

    According to the sticky at the top of this forum, you should enable the helper on the WAN.
    Then, the only rule you need to set up, is a NAT one, to forward FTP port 21 to the server.

    It is very questionable that you have to do both at the same time because as soon as you enable helper all your FTP traffic (to port 21) will be captured by helper process no matter what forwarding you configure. I would correct this sticky.

You should also configure the server to give out its own IP.

    How do you do that? I am really interested, please give us example of your config.



  • @Eugene:

    It is very questionable that you have to do both at the same time because as soon as you enable helper all your FTP traffic (to port 21) will be captured by helper process no matter what forwarding you configure.

    No, the helper, AFAIK, doesn't "capture" the traffic, or forward it, as it has no knowledge of where to send it.  It monitors incoming FTP traffic, remembering state if necessary.  It's then up to your NAT rule, to forward  to the server.  On outgoing traffic, it again monitors that traffic, and if a response to a PASV command is passing through, it modifies the IP address, from the internal IP, to the external, and again, if necessary, remembers state.

    I'm also guessing, that it does some "work" when it sees a PORT command, for an active FTP, as the incoming connection, to a high port, is not blocked by the firewall, which in theory, it should be.

    @Eugene:

    I would correct this sticky.

    Why, when it works correctly.

    @Eugene:

You should also configure the server to give out its own IP.

    How do you do that? I am really interested, please give us example of your config.

I use vsftp, on Linux, and in its config file I just leave out any options that override the PASV address, so it defaults to the IP of the box it's running on.

    Cheers.



  • @EddieA:

    No, the helper, AFAIK, doesn't "capture" the traffic, or forward it, as it has no knowledge of where to send it.  It monitors incoming FTP traffic, remembering state if necessary.  It's then up to your NAT rule, to forward  to the server.  On outgoing traffic, it again monitors that traffic, and if a response to a PASV command is passing through, it modifies the IP address, from the internal IP, to the external, and again, if necessary, remembers state.

    I'm also guessing, that it does some "work" when it sees a PORT command, for an active FTP, as the incoming connection, to a high port, is not blocked by the firewall, which in theory, it should be.

The helper is a process which acts as a server for the client and as a client for the server.
    You think you connect to the FTP server? No, you connect to the FTP helper and this process connects to the FTP server on your behalf:
    FTP client <----> FTP helper <----> FTP server
    No direct client - server communication at all. Yes, the helper knows everything about active and passive mode and handles them accordingly.

    @Eugene:

    I would correct this sticky.

    Why, when it works correctly.

    I would correct the part about firewall rules.

    @Eugene:

You should also configure the server to give out its own IP.

    How do you do that? I am really interested, please give us example of your config.

I use vsftp, on Linux, and in its config file I just leave out any options that override the PASV address, so it defaults to the IP of the box it's running on.

If you leave it 'per default', yes, it will always be using the IP of the box (assuming one interface).

    And returning to the original question of this topic: it should work (with the help of the ftp-helper) from both inside and outside.
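As an added illustration (not code from any post in this thread) of what the helper does to the 227 reply quoted in the first post: parse the PASV line, hand a LAN client the internal address and a WAN client the external one, and flag the two failure modes discussed above. The 94.0.2.1 public address, the client addresses and the LAN network are constructed placeholders; the passive range and NAS address are those from the NAT rule.

```python
import ipaddress
import re

# Constructed sample values modelled on the thread: the NAS's LAN address, the
# passive range forwarded on WAN, and a placeholder for the 94.xx.xx.xx public IP.
INTERNAL_IP = ipaddress.ip_address("192.168.10.8")
EXTERNAL_IP = ipaddress.ip_address("94.0.2.1")    # placeholder, not a real address
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
PASV_PORTS = range(55536, 55541)                  # 55536-55540 from the NAT rule

PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a '227 Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h = m.groups()
    return ipaddress.ip_address(".".join(h[:4])), int(h[4]) * 256 + int(h[5])


def format_pasv(ip, port):
    """Build the 227 reply a server (or the helper) would send for ip:port."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        str(ip).replace(".", ","), port // 256, port % 256)


def rewrite_for_client(reply, client_ip):
    """What the FTP helper does on the control channel: a LAN client is told
    the internal address, a WAN client the external one; the port is kept."""
    _, port = parse_pasv(reply)
    on_lan = ipaddress.ip_address(client_ip) in LAN_NET
    return format_pasv(INTERNAL_IP if on_lan else EXTERNAL_IP, port)


def check_pasv(reply, client_ip):
    """List the reasons a data connection built from this reply would fail."""
    ip, port = parse_pasv(reply)
    on_lan = ipaddress.ip_address(client_ip) in LAN_NET
    problems = []
    if port not in PASV_PORTS:
        problems.append("port %d is outside the forwarded passive range" % port)
    if on_lan and ip == EXTERNAL_IP:
        problems.append("LAN client given the public address (needs NAT reflection or the helper)")
    if not on_lan and ip.is_private:
        problems.append("WAN client given a private address")
    return problems
```

Running `check_pasv("227 Entering Passive Mode (94,0,2,1,216,242).", "192.168.10.50")` reproduces the symptom from the first post: port 216*256+242 = 55538 is inside the forwarded range, but the LAN client is pointed at the public address.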



  • @Eugene:

The helper is a process which acts as a server for the client and as a client for the server.
    You think you connect to the FTP server? No, you connect to the FTP helper and this process connects to the FTP server on your behalf:
    FTP client <----> FTP helper <----> FTP server
    No direct client - server communication at all. Yes, the helper knows everything about active and passive mode and handles them accordingly.

    I was trying to give the "simplified" view.  ;D

    @Eugene:

    I would correct the part about firewall rules.

    Which part.  Option 1 requires a NAT forward of port 21.  Option 2 requires both 21 and the PASV range.

    Cheers.



1. Enable the proxy helper (by unchecking) on the WAN interface.
    2. Set up a port forward rule using the FTP option to your FTP server's internal LAN IP.
    3. Watch the logs within your FTP server; if you have this set up correctly you will see sessions from the IP address of your pfSense box, NOT THE IP ADDRESS OF THE FTP CLIENT. If you are seeing sessions from the FTP client's public IP then the proxy helper is not working or not set up correctly.

    I do not understand in what way you can use the ftp-helper on the WAN interface. The only thing added when you enable the ftp-helper on WAN is

    pass in quick on bge1 inet proto tcp from any port = ftp-data to (bge1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
    

Thus, you have to manually forward port 21 and the active port range to your FTP server connected to the LAN. But no helper is working here.
    Corrected to:
    Thus, you have to manually forward port 21 and the passive port range to your FTP server connected to the LAN. But no helper is working here. And allow the FTP server to initiate connections in the active port range.

