Windows ftp server/NAT & firewall rules
-
I don't know all the nitty gritty details, but yes, the helper does replace the LAN IP with the public IP. So when connecting from outside it appears as if the ftp server is your public IP address. Pftpx handles all the translation. I'm using vsftpd on Fedora Core and was able to get it up and running with the default config. I know this is different than Windows ftp, but it should work the same.
-
I wonder if anyone out there can confirm getting pfsense to work with the suggested configuration above with an FTP on a Windows (preferably WinXP) machine (i.e. unchecking "disable userland ftp proxy"). Although one would think the OS wouldn't make a difference, I just don't see how I could be screwing such a simple process up. FTP protocol should be the same regardless but something sure isn't right. Until I can figure out what it is I'll have to leave 2 NAT/firewall rules; 1 for the command and 1 for the data ports.
-
Make sure the XP firewall is turned off.
-
No local firewalls are running on the machine in question. And just in case, I made comparable allow rules on the XP firewall in case it ever made its way 'On'.
-
What error messages do you get on the ftp client? Does it log in at all?
-
If the ftp helper app is checked (disabled) then it doesn't even allow the command port to pass so the client appears to hit a wall; no exchange is even started.
But strangely I've noticed when setting pfsense up again and when adding a NAT rule, the rule that I create (that subsequently enables firewall rules) comes back as dest unresolvable, I guess for the LAN IP, but I don't see how it could since that IP is set up for a static IP map and is online.
-
Using proxyarp?
-
No
-
Hi,
here is a more detailed version of how I have a working FTP setup:
On the pfSense machine:
1. Check on every "Lan" and "Wan" interface that the "Disable the userland FTP-Proxy application" box is ticked.
2. On NAT I forwarded TCP/UDP ports 4000-4010, selected the WAN interface and let the firewall rules be autocreated.
On the Windows machine:
Install Filezilla:
go to options and select the port on which this server should listen - in my case changed from 21 to 4000
activated the passive range from 4001-4010 and ticked the box so that the IP address of the FTP server is resolved by checking a web page ("filezilla something")
Now you should be able to reach your FTP server from another internet connection: ftp:myftp.mydomain.com:4000
-
Your ftp server is listening on another port than 21? No wonder the ftphelper was not able to manage this traffic. It only supports port 21 setups out of the box.
-
I just set up Filezilla ftp server here on Win XP and it worked fine with any ftp client I threw at it. However, the exact same (I think!) config on a remote site just got me a login, but no data connection. I could even make directories, but no LIST. Filezilla client did the same.
I then tried leap FTP client to connect to the remote Filezilla server and it works fine. ftp://ftp2.leapware.com/pub/lftp276.exe
I have no idea why Leap works and the others fail.
:-(
Moral of the story: it's probably your ftp server config that's the problem, not the firewall.