Where is FTP-Helper?
-
Sorry if this is a obvious question but I have been trying to get my ftp server open for the world (my senior project class) to use. I got PFSense up and running a few hours ago and have been spending several hours trying to get it so my teammates can access my ftp server.
SPECS
Firewall - PFSense 2.0
FTP_Server - Ubuntu vsftpWhat I've done.
*Read Wiki, Sticky and searched through multpiple threads, googled..
*Ive tried forwarding port 21, 20
*Limiting passive ports on vsftpd and forwarding those
*disabling passive ftp (works but not point and click for windows, which I need it to be)What I've been stuck on
*Virtual CARP IP's ?
*Where is FTP-Helper, I can't find it under interfaces > WAN or LANThanks you very much, I and my senior project team greatly appreciate it!
-
for VSFTPD you will need he following:
pasv_address= <external_ip>pasv_min_port= <start_port>pasv_max_port= <end_port>Once this is set, port forward external_IP (which is either WAN Address or VIP (Carp or other) ) address to the matching internal_IP from start_port to end_port in a separate rule from the port 21 forward. If you are using port forward, then you are also going to have to use manual outbound NAT as well and force the traffic from your internal_IP to use the VIP address. If you are using 1:1 nat, you will not use port forward, but you will have to create the firewall rules.</end_port></start_port></external_ip>
-
Thank you so much for your help, I am not successful yet but I believe I am on the right track. I'll explain what I did and see if you can find any problems in my approach.
============================
On my ftp server (LAN IP 192.168.1.3) I addedpasv_address=77.155.123.123 pasv_min_port=100 pasv_max_port=110
to my /etc/vsftpd.conf , then restarted vsftpd
Then on pfsense I
- Virtual IPs > +
Address = 77.155.123.123
Apply Changes
*NAT > +
Destination port = 21
Redirect target IP = 192.168.1.3
Save*NAT > +
Destination = 77.155.123.123 ()
Destination port = 100-110
Redirect target IP = 192.168.1.3
Save
Apply Changes*NAT > Outbound
Mode = Manual
Save*NAT > Outbound > +
Source - Address = 192.168.1.3
Save
Apply ChangesI know I did something wrong, I bet somewhere near the bottom of my steps but VIP's are all very new to me =
I bet I messed up by picking a random outgoing VIP (it would complain if I used my real WAN), also my WAN is dynamic and changes every few months. I probably also messed up when creating the outgoing NAT, as it changes the Source-Address from 192.168.1.3 to 192.168.1.0.Anyway thanks for your help, hopefully I can be up and running as soon as possible so my project mates don't give up on me…
- Virtual IPs > +
-
on the outbound NAT, you have to use the 77.155.123.123 instead of the WAN address. static port can be used, but should not matter.
-
Thanks for your help, I might test this and report back i the future.
For now I have everything going well using ownCloud. It's less steps for my group to remember as well.
-
Thanks for this, I found how to have a working configuration on pfSense for my FTP server (on pfSense 2.0.1).
First, I still don't know or understand where the FTP-helper is located. Everywhere in the documentation, wiki, tutorials, the FTP-helper is mentioned under Interfaces>WAN, but I could never see it, and it doesn't appear at all in the web interface. I actually lost hours looking for this damn FTP-helper, and I don't know if it still exists in pfSense 2.0. But I guess I got it working without it anyway.
Let's say my ftp server is on 192.168.0.50 on port 21, using port 20 for ftp-data and ports 5000:5100 as the passive range.
It's Filezilla Server, and I configured it to return the public IP addresse which let's say is something like 80.2.5.42.First what I did on pfSense was :
NAT inbound
Port forward 20:21 to 192.168.0.50, ports 20:21
Port forward 5000:5100 to 192.168.0.50, ports 5000:5100with the corresponding firewall rules.
It worked, but not for everybody. Someone couldn't actually connect to the FTP, either in active or passive mode. It worked with the previous firewall we used, but only in active mode.
It looks like this guy was working in a place where a firewall was set up, blocking any traffic originating from port>1024 (I guess to block P2P, etc).
I dumped the packets here on both sides on pfSense (LAN & WAN) and I saw that everything originating from 192.168.0.50:21 was mapped to 80.2.5.42:21, because the TCP session originated from the FTP client on 80.2.5.42:21. But everything that came back from 192.168.0.50:20 was mapped to a random port on 80.2.5.42, and so was blocked by the remote firewall.
Thanks to this thread, I switched the NAT outbound rule generation to manual and added two rules, one to configure 192.168.0.50:20 as a static port and one to map 192.168.0.50 5000:5100 as static ports too, both rules before the default ones, and it looks to work fine now, for everyone.