FTP Server behind pfSense - purpose of CARP IP?



  • I have set up an FTP server (pure-ftpd) behind pfSense. Basically, I followed http://forum.pfsense.org/index.php/topic,15811.html, using the port forwarding approach. I think this is a great guide, very helpful.

    What I am wondering about:

    I have followed almost all steps, forwarding ports 20, 21 and the passive port range to the ftp server and setting the ftp server to reply to PASV commands with the external IP.

    I have not yet set up a virtual CARP IP (step 4). But it's working already.

    Reading through the explanations in the above-mentioned thread, I think I understand why it's working - but I don't understand what I would need the virtual CARP IP for: If the FTP server already responds with the correct address, what's the additional benefit of configuring a virtual CARP IP?

    I'm just trying to understand how it's supposed to work. Thanks!


  • Rebel Alliance Developer Netgate

    Does it really work for both active and passive FTP? With the FTP helper enabled or disabled?

    The CARP VIP is usually required if you need the FTP helper (proxy) because it cannot bind to a Proxy ARP or Other type VIP.



  • FTP-Helper was not disabled on LAN and WAN. However, pure-ftpd showed real IPs, not proxy IPs upon login.

    I have disabled FTP-Helper now on both interfaces to see if this makes a difference.



  • Yes, same result (active and passive ftp working from WAN) with FTP Helpers disabled.



  • On my setup, simply port forwarding is all I needed to do. I did it with a P-ARP VIP since my primary IP is done by DHCP.

    Since the ports are forwarded, and it seems to me you don't have extra IPs (or aren't trying to use anything but the primary IP), you don't need any CARPs.

