Netgate Discussion Forum
    Help - FTP Clients Behind Pfsense 2.0 unable to connect to filezilla FTP server

• firephlux

Yup, the same. I've tried it all, to be honest; that's why I'm writing here, I thought perhaps there's something I'm missing.

Attachment: Capture.png

• marcelloc

Try this config with debug.pfftpproxy set to 0 and then set to 1.

Can you do a tcpdump via the console on WAN and another on the FTP interface to see where it's not working?

Elite Training: http://sys-squad.com

        Help a community developer! ;D

• firephlux

I've tried with both 0 and 1.

Also, I've attached the tcpdump of the connection attempt.

Attachment: tcpdump.txt

• marcelloc

Your server does not respond when the client asks for a data connection:

20:01:49.215184 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 940128 ecr 0], length 0
20:01:52.230124 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 943128 ecr 0], length 0
20:01:55.446110 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 946328 ecr 0], length 0
20:01:58.662117 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
20:02:01.878088 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
20:02:05.094076 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
20:02:11.325075 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0

10.0.1.1 means you are doing outbound NAT for your FTP server too, which makes server logging useless.


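The check marcelloc makes by eye above (a client retransmitting its SYN to the data port, and nothing ever coming back) can be automated over tcpdump's text output. The following is an added example, not code from the thread or from pfSense; the seven data-port lines in the sample are the ones posted above, the three port-21 lines are constructed to show what a healthy control connection looks like, and the idea that 10.0.1.1 is the firewall's own address is taken from the thread.

```python
"""Triage a tcpdump capture for TCP flows whose SYN never gets a SYN-ACK.

Added example (not from the thread). Reads tcpdump's default text lines and
reports flows where the client kept sending SYNs and the server never replied
with SYN-ACK, which is exactly what an unreachable FTP data port looks like.
"""
import re
from collections import defaultdict

# tcpdump text format: "HH:MM:SS.uuuuuu IP src.port > dst.port: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport/flags, or None if the line is
    not a TCP line in tcpdump's default text format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_unanswered_syns(lines):
    """Map (client, cport, server, sport) -> number of SYNs sent, for every flow
    in which the server never answered with a SYN-ACK ("S." in tcpdump).
    A count above 1 means the client was retransmitting into silence."""
    syn_counts = defaultdict(int)
    answered = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["flags"] == "S":
            syn_counts[flow] += 1
        elif rec["flags"] == "S.":
            # Reverse the tuple so it matches the client's flow key.
            answered.add((rec["dst"], rec["dport"], rec["src"], rec["sport"]))
    return {flow: n for flow, n in syn_counts.items() if flow not in answered}


def describe(unanswered, firewall_addrs=frozenset()):
    """Human-readable report; flags flows whose 'client' is really the firewall's
    own address (outbound NAT or the FTP proxy sitting in front of the server)."""
    out = []
    for (src, sport, dst, dport), n in sorted(unanswered.items()):
        note = (" (source is the firewall address: server sees NAT, not the real client)"
                if src in firewall_addrs else "")
        out.append("%s:%d -> %s:%d: %d SYN(s), no SYN-ACK%s" % (src, sport, dst, dport, n, note))
    return out


# Constructed sample: the seven data-port SYNs posted in the thread, plus a
# made-up control connection on port 21 that completes normally.
SAMPLE_CAPTURE = """\
20:01:48.900000 IP 10.0.1.1.59106 > 10.0.1.2.21: Flags [S], seq 1, win 65228, options [mss 1460], length 0
20:01:48.900300 IP 10.0.1.2.21 > 10.0.1.1.59106: Flags [S.], seq 2, ack 2, win 65535, options [mss 1460], length 0
20:01:48.900500 IP 10.0.1.1.59106 > 10.0.1.2.21: Flags [.], ack 3, win 510, length 0
20:01:49.215184 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 940128 ecr 0], length 0
20:01:52.230124 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 943128 ecr 0], length 0
20:01:55.446110 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 946328 ecr 0], length 0
20:01:58.662117 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
20:02:01.878088 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
20:02:05.094076 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
20:02:11.325075 IP 10.0.1.1.59107 > 10.0.1.2.8030: Flags [S], seq 3043207109, win 65228, options [mss 1460,sackOK,eol], length 0
""".splitlines()

if __name__ == "__main__":
    for line in describe(find_unanswered_syns(SAMPLE_CAPTURE), {"10.0.1.1"}):
        print(line)
```

Run it against `tcpdump -n -i <ftp_iface> tcp` output captured on the server-side interface (tcpdump -n is needed so addresses are not resolved to names). The control connection to port 21 drops out of the report because its SYN-ACK is present; the flow to port 8030 stays in with seven SYNs and is marked as coming from the firewall address, which is the second point marcelloc raises: the server only ever sees 10.0.1.1.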
• firephlux

Yes, you are right, there was an outbound NAT rule created (but at the time of the tcpdump it was on automatic).

Now I've deleted the rule and set it to manual, and still I get the same behavior.

Attachment: Capture2.PNG

• marcelloc

Check why your server does not respond to the data connection.

• chpalmer

Is it possible your modem(s) are catching the FTP connection attempts themselves? Are they in bridge mode, or are you using DMZ, or something else?

Triggering snowflakes one by one...
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

• firephlux

@marcelloc
That's the thing: the server has no errors, it logs a successful connection, but the client cannot retrieve the directory list. (The user connects OK but cannot see any files, and since the client waits for the initial list to be retrieved, it times out because nothing is returned.)

@chpalmer
The main line (WAN1) is a direct 100 Mbit UTP link, so there is no modem.
The second line is a VDSL back-up line which is not used in this setup (at the moment).

If I remove the pfSense box and link the main line straight to the web server, everything works fine.

I honestly don't understand what's going on.
It's like pfSense chokes on/blocks/does not send the packets to the IP that requested them.

Since it looks like all the packets are returned to pfSense's IP, some pass through (since the client can connect) while others stop when reaching the pfSense NIC.

P.S.: Happy New Year everyone, I wish you all a great year.

• marcelloc

Alex,

tcpdump again on the FTP server interface to see if the server sends back a SYN-ACK response to any SYN on the data ports.

And Happy New Year to you too :D

• firephlux

Sorry it took so long...

Here's a screenshot from Wireshark.

From what I see, it does respond.

Later edit:

OK, I've made some progress (still not working, but progress nonetheless).

It seems it's all about outbound NAT.
I removed the rule yesterday and found out that the server was unable to send any data to the cloud.
So I added it back and now it works just like before.
I thought I'd give it a try and added another one using a different interface for the rule.

Now Total Commander has an unsuccessful PORT command and falls back to passive mode; next it has a long pause on MLSD, just like FileZilla, and then it registers a successful connection (it's not successful, but it thinks it is).

So I'll keep trying to find out which rule is to blame for all this, and I'll post my results here if successful; perhaps it'll help somebody else.

Later edit 2:

Bummer, I'm getting nowhere, still stuck at:

Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

Attachment: Capture.png

• marcelloc

Why are you still translating the client address to 10.0.1.1?

Who is 10.0.1.1? The firewall interface address?

Where in the Wireshark log you sent can I find the server port requested by the client?

• firephlux

That's a very good question. I had no rules to translate client addresses; actually only FTP was/is doing that. I've tested HTTP and SMTP to see if they have the same behavior, but it's not happening: the server receives the requests from the client's public IP address.

For FTP, on the other hand, all requests are translated to the pfSense NIC that links to the server (in this case the server has 10.0.1.2 and pfSense has 10.0.1.1).

And there's more; the weirdest thing happened yesterday.
I removed PureFTPd's ForcePassiveIP line from the config, so now the server does not report the external IP address to the clients... and now everything works :|
I really don't understand why it behaves this way. It reports the internal IP address (i.e. 10.0.1.2) back to the client, but the client automatically switches to the external IP address,
so now everything works from within the LAN network and from the Internet.

I would have loved it if the FTP server didn't report the internal network address back to the client, but at least it's working now.

Anyhow, thank you for the help and fast responses, marcelloc and anyone else who replied.

Cheers,
Alex.

• marcelloc

@Alex:

    I had no rules to translate client addresses; actually only FTP was/is doing that.

That's the FTP helper/proxy from pfSense.

• Kevon

I ran into the same issue using pfSense 2.0 and FileZilla Server 0.9.4.

On the FTP server, limit the passive ports to a restricted range, e.g. 35100-35152.
Now add NAT for the external FTP IP for ports 35100-35152 to the internal FTP server address.

• marcelloc

Did you create NAT for port 21 too?

Is the FTP server configured for active and passive data transfers?

• Kevon

@marcelloc:

    Did you create NAT for port 21 too?

    Is the FTP server configured for active and passive data transfers?

Yes, the passive port range NAT is in addition to the standard FTP NAT.
In my case I set implicit TLS and NAT'd port 990 instead of 21.

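Two mechanics explain both Alex's fix (removing ForcePassiveIP) and Kevon's (a fixed passive range that is port-forwarded). In passive mode the server answers PASV with a 227 reply carrying an address and a port; a client that receives a private address over a control connection it opened to a public one can assume NAT is in the way and reuse the control connection's peer address instead, which is the switch Alex saw FileZilla make. The data port itself still has to reach the server, and once the control channel is encrypted (Kevon's implicit TLS on 990) a firewall's FTP helper cannot read the 227 reply to open that port on the fly, so a static forwarded range is the only option. The code below is an added example written for this thread, not code from FileZilla, Total Commander, PureFTPd or pfSense; the 227 replies are constructed (the real ones were never posted), 203.0.113.10 stands in for the public address, and 35100-35152 is assumed as the forwarded range from Kevon's post.

```python
"""Client-side handling of an FTP PASV (227) reply through NAT.

Added example, not code from the thread or from any FTP client or server.
Shows (1) the fallback a client can apply when the advertised passive address
is an RFC 1918 address but the control connection went to a public one, and
(2) checking the advertised data port against the range forwarded on the
firewall. Addresses, replies and the range are assumptions for the demo.
"""
import ipaddress
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 only: ipaddress.is_private also covers documentation ranges such as
# 203.0.113.0/24, which would misclassify the stand-in public address below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed passive range forwarded on the firewall (taken from Kevon's post).
FORWARDED_RANGES = ((35100, 35152),)


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return a.version == 4 and any(a in net for net in RFC1918)


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).
    Raises ValueError for anything that is not a well-formed 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("octet out of range in %r" % reply)
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 in %r" % reply)
    return ip, port


def choose_data_endpoint(reply, control_peer):
    """Return (ip, port, reason). If the server advertises an RFC 1918 address
    but the control connection's peer is public, NAT sits in the path and the
    advertised address is unreachable, so reuse the control peer instead."""
    ip, port = parse_pasv(reply)
    if is_rfc1918(ip) and not is_rfc1918(control_peer):
        return control_peer, port, "fallback-to-control-peer"
    return ip, port, "as-advertised"


def port_is_forwarded(port, ranges=FORWARDED_RANGES):
    """True if the data port lies inside a range the firewall forwards."""
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed replies; the real server output was not posted in the thread.
    cases = [
        ("227 Entering Passive Mode (10,0,1,2,137,36)", "203.0.113.10"),      # Internet client, no ForcePassiveIP
        ("227 Entering Passive Mode (10,0,1,2,137,36)", "10.0.1.5"),          # LAN client
        ("227 Entering Passive Mode (203,0,113,10,137,36)", "203.0.113.10"),  # ForcePassiveIP set
        ("227 Entering Passive Mode (10,0,1,2,31,94)", "203.0.113.10"),       # port 8030, outside the forwarded range
    ]
    for reply, peer in cases:
        ip, port, why = choose_data_endpoint(reply, peer)
        print("%-50s peer=%-14s -> %s:%d (%s, forwarded=%s)"
              % (reply, peer, ip, port, why, port_is_forwarded(port)))
```

The last case is the thread's failure in miniature: 31*256+94 is 8030, a data port outside any forwarded range, so even a client that picks the right address gets no SYN-ACK. The first case is Alex's working state: the server advertises 10.0.1.2, the client discards it in favour of the public address it already talked to, and the forwarded port does the rest.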
• pfnewbe

I have the same problem, currently also with 2.0.1.
Have you solved it already (and how)?
For me it also doesn't work when I do it from my LAN to the DMZ. Within the DMZ, from machine A to B... no problem.

• LoZio

@pfnewbe:

    I have the same problem, currently also with 2.0.1.
    Have you solved it already (and how)?
    For me it also doesn't work when I do it from my LAN to the DMZ. Within the DMZ, from machine A to B... no problem.

Same problem here with 2.0 and 2.0.1. Clients cannot connect from inside to outside.
Also tried debug.pfftpproxy=1 with no result.
Only the first SYN packet is passed.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.