Help - FTP Clients Behind Pfsense 2.0 unable to connect to filezilla FTP server



  • I have Pfsense 2.0 Installed with Squid and Squid Gaurd. Every thing is working fine. Only have problem with FTP.

    I have 2 FTP servers out of my office

    1: First server is on 1and1.co.uk
    2: 2nd one is Filezilla FTP server on a live IP machine.

    I have set the (debug pf ftpproxy) value to 1 in Advance>System Tunables.

    My clients are behind Pfsense 2.0 NAT. and able to connect to first FTP server

    My Clients behid pfsense 2.0 NAT are unable to access the 2nd FTP server (filezilla)

    Following are the filezilla FTP server logs

    Connected, sending welcome message…
    220 Welcome to FTP
    USER administrator
    331 Password required for administrator
    PASS **********
    230 Logged on
    PWD
    257 "/" is current directory.
    TYPE I
    200 Type set to I
    PASV
    227 Entering Passive Mode
    MLSD
    425 Can't open data connection.

    I have another pfsense 1.2.3 and with userland FTP proxy helper disabled and both FTP servers are accessible.

    Please help me in this regard. Thanks

    P.S
    MY Filezilla FTP server is not behind pfsense. its Windows 2003 Machine on public Live IP.



  • Not just to FileZilla, to any type of FTP Server.

    And it seems nobody knows what the problem is, and nobody has a good solution.

    I personally have tried it all.

    Set-up is as follows (so there is no confusion)

    Internet 1 & 2  => PFSense (WAN1 & WAN2) => Ubuntu Server (NIC 1)
                                                               => Private Internal Network (NIC 2)

    From the internal network I can connect to any FTP server on the net.
    I can also connect to my FTP server on the other NIC.

    What I cant do is connect from the outside to the FTP Server.

    I've tried everything, I've read billions of posts, I've tried all the how-to's, changed all the settings, re-done all the NAT rules over and over again, everyone keeps talking about the ftp-proxy which i can see is not present in the 2.0 version.

    Does anyone have a solution/idea on how to fix this before I loose my mind.

    Thank you,
    Alex.



  • You can try change debug pf ftpproxy to 0 and create rules on lan allowing access to your remote ftp servers.

    If you need ftp active mode on remote server you also have to create a rule on wan with src host = ftp server and src port 20  and dst host any or lan net.



  • Thank you for the reply.

    The FTP server is pureftpd and I have set the ForcePassiveIP to be the external IP address.
    Also I have set the PassivePortRange to a different smaller range.

    I have opened and forwarded the passive ports also the 21 port.
    Already have a rule that allows traffic through the server interface.

    So it should work but it doesn't.
    Active FTP doesn't work, passive connects but cant list files.

    In Total Commander:
    PORT 192,168,1,2,236,205
    500 I won't open a connection to 192.168.1.2 (only to 10.0.1.1)
    PORT Command failed.

    In FileZilla:
    Command: MLSD
    Error: Connection timed out
    Error: Failed to retrieve directory listing

    If I use the 1to1 everything works just fine, so its not a FTP Server issue, but i dont want to use 1to1 since it kinda defeats the purpose of having a firewall :).

    P.S.:
    I dont understand what you mean when you say:
    "create a rule on wan with src host = ftp server and src port 20  and dst host any or lan net"

    The field 'Destination port from' is required.
        The field 'Destination port to' is required.
        The field 'Redirect target IP' is required.

    Can you be more specific?

    Thank you.



  • If I use the 1to1 everything works just fine, so its not a FTP Server issue

    your ftp server are external or internal?

    I dont understand what you mean when you say:
    "create a rule on wan with src host = ftp server and src port 20  and dst host any or lan net"

    This rule is to accept data connections from an external ftp server on wan interface




  • The FTP Server is internal (i've attached a diagram)

    I can access the web/ftp server from anywhere on my 192.168.1.1/24 network using it's (the server's) internal IP (10.0.1.2).

    What I cant do is access the web/ftp server from my internal network using one of the external IP's (77.x.x.x).
    Also nobody on the internet can open a connection to the web/ftp server  (which i need to be accessible to the out side world).

    All other services on on the server are working, i've forwarded all necessary ports (HTTP/S, DNS, POP3/S, IMAP/S), everything works just fine except FTP.

    ![Network Diagram.PNG](/public/imported_attachments/1/Network Diagram.PNG)
    ![Network Diagram.PNG_thumb](/public/imported_attachments/1/Network Diagram.PNG_thumb)



  • Nat config and rules for internet1 and internet2 are ok?

    did you read this thread?

    http://forum.pfsense.org/index.php/topic,15811.0.html




  • yup.. the same i've tried it all to be honest thats why im writing here i thought perhaps there's something im missing




  • try this config with debug pf ftpproxy set to 0 and then set to 1

    Can you do a tcpdump via console on wan and other on ftp interface to see where it's not working?



  • i've tried with both 0 and 1

    also i've attached the tcpdump of the connection attempt

    tcpdump.txt



  • Your server does not respond when clients asks for data connection

    20:01:49.215184 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [s], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 940128 ecr 0], length 0
    20:01:52.230124 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [s], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 943128 ecr 0], length 0
    20:01:55.446110 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [s], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 946328 ecr 0], length 0
    20:01:58.662117 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [s], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
    20:02:01.878088 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [s], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
    20:02:05.094076 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [s], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
    20:02:11.325075 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [s], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
    
    [b]10.0.1.1[/b] means you are doing [b]outbound nat[/b] for your ftp server too, what makes server logging useless[/s][/s][/s][/s][/s][/s][/s]
    


  • Yes you are right there was an outbound nat rule created (but at the time of the tcpdump it was on automatic).

    Now i've deleted the rule and set it to manual and still i get the same behavior.




  • Check why your server does not respond data connection



  • Is it possible your modems(s) are catching the ftp connection attempts themselves?  Are they in bridge mode or are you using DMZ, or other?



  • @marcelloc
    That's the thing the server has no errors it logs a successful connection the client cannot retrieve the directory list. (The user connect ok but cannot see any files, and since the client waits for the initial list to be retrieved it times out since nothing is returned).

    @chpalmer
    The main line (WAN1) is a direct 100mbit UTP link so there is no modem.
    The second line is a VDSL back-up line which is not used in this setup (at the moment).

    If I remove the PFSense box and link the main straight to the webserver everything works fine.

    I honestly dont understand what's going on.
    It's like PFSense choke's/block's/does not send the packets to the IP the requested them.

    Since it look's like all the packets are returned to PFSense's IP some pass through (since the client can connect) while others stop when reaching the PFSense NIC.

    P.S.: Happy new year everyone, i wish you all a great year.



  • Alex,

    tcpdump again on ftp server interface to see if server sends back an S ack response to any S win on data ports.

    And happy new year for you too  :D



  • Sorry it took so long…

    Here's a screen from wireshark..

    From what i see it does respond.

    Later Edit:

    Ok, I've done some progress somewhat (still not working, but progress nonetheless).

    It seems its all about outbound nat.
    I've removed the rule yesterday and found out that the server was unable to send any data to the cloud.
    So i've added it back and now it work just like before.
    Thought to give it a try and added another one using a different interface for the rule.

    Now total commander has a unsuccessful PORT command and falls into passive mode next it has a long pause for MLSD just like filezilla, and then it registers a successful connection (it's not successful but it thinks it is).

    So I'll keep trying to find out which rule is to blame for all this and I'll post my result here if successful, perhaps it'll help somebody else.

    Later edit2:

    Bummer, i'm getting nowhere, still stuck at:

    Command: MLSD
    Error: Connection timed out
    Error: Failed to retrieve directory listing




  • why you are still translating client address to 10.0.1.1?

    who is 10.0.1.1? firewall interface address?

    where in wireshark log you sent I can found server port requested by client?



  • That's a very good question. I had no rules to translate client addresses, actually only ftp was/is doing that. I've tested HTTP and smtp to see if it has the same behavior, but its not happening the server receives the requests from the clients public IP address.

    For FTP on the other hand all requests are translated to the PFSense NIC the links the server (in this case: the server has 10.0.1.2 and the PFSense 10.0.1.1).

    And there's more, the weirdest thing happened yesterday.
    I removed PureFTPD's ForcePassiveIP line from the config, so now the server does not report the external IP address to the clients.. and now everything works :|
    I really dont understand why it has the behavior. It reports back to the client the internal IP address (A.I.: 10.0.1.2) but the client automatically switches to the external IP address,
    so now everything works from with in the LAN network and from the Internet.

    I would have loved that the ftp server wouldn't report back to the client the internal network address, but at least it's working now.

    Anywho thank you for the help and fast responses marcelloc and anyone else who replied.

    Cheers,
    Alex.



  • @Alex:

    I had no rules to translate client addresses, actually only ftp was/is doing that.

    That's the ftp helper/proxy from pfsense.



  • I ran into the same issue using PFSense 2.0 and FileZilla server 0.9.4

    On the FTP server, limit the Passive Ports to a restricted range. eg. 35100-35152
    Now add NAT for the External FTP IP for ports 35100-35152 to the Internal FTP server address



  • Did you created nat for port 21 too?

    ftp server is configured for active and passive data transfers?



  • @marcelloc:

    Did you created nat for port 21 too?

    ftp server is configured for active and passive data transfers?

    Yes, the passive port range NAT is in addition to the standard FTP NAT.
    In my case I set implicit TLS and NAT'd port 990 instead of 21.



  • I've the same problem. Currently also with 2.0.1
    Do you have it solved already? (and how)
    For me also when I do it from my LAN to DMZ doesn't work. Within the DMZ from machine A to B… No problem.



  • @pfnewbe:

    I've the same problem. Currently also with 2.0.1
    Do you have it solved already? (and how)
    For me also when I do it from my LAN to DMZ doesn't work. Within the DMZ from machine A to B… No problem.

    Same problem here with 2.0 and 2.0.1. Clients cannot connect from inside to outside.
    Also tried debug.pfftpproxy=1 with no result.
    Only first SYN packet is passed.


Log in to reply