Can't access FTP server behind pfsense

RChadwick

Coming from a DD-WRT router that just had ports opened for my servers, and worked fine for years, I plugged in my new PFSense box, and everything is now working except FTP. I read the manual, and searched the forums, and unchecked 'Disable the userland FTP-Proxy application' as well as 'Block Private Networks'. Now IE and Firefox can access my FTP server (Filezilla), but keeps disconnecting. Here's a clip of the log:

19. 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> Connected, sending welcome message…
    (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> 220 Welcome to the FTP Server
    (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> USER anonymous
    (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> 331 Password required for anonymous
    (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> PASS *****
    (000019) 9/13/2010 21:41:50 PM - anonymous (192.168.8.1)> 230 Logged on
    (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> CWD /
    (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> 250 CWD successful. "/" is current directory.
    (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> TYPE A
    (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> 200 Type set to A
    (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> PASV
    (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> 227 Entering Passive Mode (192,168,8,24,10,88)
    (000019) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> disconnected.
    (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> Connected, sending welcome message...
    (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> 220 Welcome to the FTP Server
    (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> USER anonymous
    (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> 331 Password required for anonymous
    (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> PASS *****
    (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 230 Logged on
    (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> CWD /
    (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 250 CWD successful. "/" is current directory.
    (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> TYPE A
    (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 200 Type set to A
    (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> PASV
    (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 227 Entering Passive Mode (192,168,8,24,10,95)
    (000020) 9/13/2010 21:44:13 PM - anonymous (192.168.8.1)> 421 Connection timed out.
    (000020) 9/13/2010 21:44:13 PM - anonymous (192.168.8.1)> disconnected.

Also, I'm trying to connect from the LAN. If I try and connect directly to the server's IP address, it works fine, but if I use the domain name, it looks like it's routing through pfsense, and it disconnects. Any ideas on what I'm doing wrong?

danswartz

Try enabling NAT reflection?

RChadwick

It's enabled. I can access my webserver's pages internally without problem. Thanks for the idea tho.

juminosy

@danswartz:

Try enabling NAT reflection?

Having the same problem as the OP, and NAT already enabled. :(

unusonusonronald Cruz

Guest

Don't use NAT reflection.  If you're using pfSense as your DNS forwarder, put exceptions in for your local machines so that LAN hosts will always get the internal IP address of instead of the external one.

RChadwick

I just got a chance to check from a computer outside my network, and the FTP seems to be fine. One small annoyance… In my FTP Server's logs, it shows the IP address of the pfsense box, instead of the remote IP. There isn't by chance a way around that, is there?

GruensFroeschli

This is the FTP helper running on the pfSense.

The way i set up ftp (and it always worked without flaw):

• Configure the ftp server to work in passive mode. Configure manually a passive range. eg: 21000 - 21999
• Disable the ftp helper.
• forward ports 21 and 21000-21999

RChadwick

That sounded like an ideal solution, but it doesn't work for me. I disabled the helper proxy, and forwarded the ports to the computer with the server. There doesn't seem to be a way to configure the FTP server to only use passive mode, but I configured IE to do so. Nothing shows up in the FTP logs, either from my local network, or remotely. Direct to the IP address within my network still works fine. Any ideas?