FTP NAT not working after changing LAN address



  • Hello

    Today I changed the LAN's IP address in my 2.0 box because I am renumbering my network; it was 192.168.1.1/24 and now it's 172.16.2.1/23.

    I have some NAT rules to pass ssh, http, ftp… to a server. All of them worked for months until I changed the LAN's IP.

    Now everything but FTP works. When I connect to the FTP port (ADSL in OPT1) I can log in, but when I do, for example, an ls, it "hangs" and does not react any more (no timeout either); it stays hung.

    I've tried everything I found on the net: deleting the rules, creating them again, disabling the firewall (iptables - GNU/Linux) on the server (the one the NAT rule redirects FTP to).

    I have the ns_conntrack_ftp module loaded in the Linux box.

    I have found something about an FTP helper in the pfSense box, but I can't find it in pfSense 2.0.

    I don't know what to do or how to solve it.

    The FTP server is pure-ftpd. I have a passive port range, and those ports are also NATted to the FTP server. (PassivePortRange  42300 42800)

    Can anyone help me, or point me to what is happening?

    Thanks.



  • Hello

    I've deleted (again) all the FTP NAT rules (the port 21 one and the passive ports) and created them again. No luck.

    I'm connecting to FTP with debugging/verbose enabled and this is what I get:

    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    ftp: setsockopt: Bad file descriptor
    ---> AUTH GSSAPI
    500 This security scheme is not implemented
    ---> AUTH KERBEROS_V4
    500 This security scheme is not implemented
    KERBEROS_V4 rejected as an authentication type
    Name (machine.domain.tld:jose): jose
    ---> USER jose
    331 User jose OK. Password required
    Password:
    ---> PASS XXXX
    230 OK. Current restricted directory is /
    cmds.c:284: verbose=2 debug=1 overbose=2
    ---> SYST
    215 UNIX Type: L8
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    ftp: setsockopt (ignored): Permission denied
    ---> PASV

    And it stops here.



  • Hello again

    The FTP server works well from the LAN, so it is not a problem on this side. The PASV port it gives in tests is in the configured range that is "opened" in the pfSense box.

    It seems pfSense stops when the server gives the client the port.

    Does no one have any idea of what to do before I try to reinstall the software and reconfigure everything again?

    Best,



  • Hello all,

    Finally I solved this by reinstalling the pfSense box. After configuring the NAT rules, FTP works again; well, I had to disable the FTP proxy (in the previous installation it didn't exist, perhaps because it was a beta upgraded to final, but I added the tunable debug.pfftpproxy and set it to 1, without luck).

    Now it's working, but I have no idea why changing the LAN address broke that.

    I've not restored a configuration, only "just in case", and configured everything from scratch.
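
Added example, not part of the thread above: a small checker for the server's answer to PASV (the `227` reply), which tests the two things a port-forwarded passive setup depends on, that the advertised port falls inside the forwarded range and that a client outside the firewall is not handed a private address. The range comes from the thread's `PassivePortRange 42300 42800`; the function names, the sample replies and the addresses 172.16.2.10 and 203.0.113.5 are constructed for illustration.

```python
import ipaddress
import re

# Forwarded range, from the thread's pure-ftpd setting: PassivePortRange 42300 42800
PASSIVE_RANGE = (42300, 42800)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply line, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2 (RFC 959)


def check_pasv(reply, client_side, port_range=PASSIVE_RANGE):
    """List reasons the data connection would fail for this PASV reply.

    client_side=True: the reply was captured by a client outside the firewall.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["no valid 227 reply: the PASV answer is missing or malformed"]
    ip, port = parsed
    problems = []
    if not port_range[0] <= port <= port_range[1]:
        problems.append(f"port {port} is outside forwarded range {port_range[0]}-{port_range[1]}")
    if client_side and any(ip in net for net in RFC1918):
        problems.append(f"reply advertises private address {ip}, unreachable from outside")
    return problems


if __name__ == "__main__":
    # Constructed sample replies (not taken from the thread).
    samples = [
        "227 Entering Passive Mode (172,16,2,10,166,4)",   # LAN address, port 42500
        "227 Entering Passive Mode (203,0,113,5,195,80)",  # documentation address, port 50000
        "",                                                 # nothing received after PASV
    ]
    for s in samples:
        print(repr(s), "->", check_pasv(s, client_side=True))
```

Feeding it the `227` line seen on the LAN side and the one seen from the WAN side shows whether the reply is being lost, rewritten, or passed through with an address or port the NAT rules do not cover.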

