Netgate Discussion Forum

    Open port for ftp

    Firewalling
    26 Posts 5 Posters 19.2k Views
    marcelloc:

      @johnpoz:

      There is FTP helper that handles this sort of thing – once you create the nat for the control channel, then pfsense should handle the rest of it for the data channels.

      Where is the ftp helper?

      In the Portuguese forum there are many people with FTP issues; this simple NAT did not work for them.

      Without any TFTP-enabled interfaces and without any WAN rule for passive mode, I have no idea how it's working.

      As I don't publish an FTP server, I can't try it here, but I still want to help them solve this publishing problem.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      johnpoz (LAYER 8 Global Moderator):

        The FTP helper is part of pfSense/FreeBSD.

        It changes the IP to reflect your public IP even though the server on the private side will send its private IP.

        So here is a sniff of FTP on the server interface, and then on the WAN side of the pfSense box.

        Notice that the IP was changed to reflect the public IP vs the private IP the server sent.

        In active mode, your normal LAN rule is any-any -- at least this is the default, so the server has no issue making the connection from source port 20 to whatever IP and port the client sent.

        So here are the 2 sniffs. My public IP is 24.13.x.x and private is 192.168.1.4 -- so this first one is what I captured right at the server's interface -- see it says to connect to port 5004 on a private IP, which the client would never be able to do. But the FTP helper in pfSense/FreeBSD changes that to the correct public IP, and allows the traffic since it's part of the FTP session. There is no rule saying that port 5004 (which is going to change all the time) should be sent to the FTP server's private IP. The FTP helper portion handles this.

        edit: If I had to guess why they are having problems, I would guess they are trying to create rules that don't need to be created. Or they are having issues with NATs on both sides and something is broken, or double NATs -- have seen lots of setups with double NATs, and yeah that can break all kinds of shit where the helper of pfSense changes it to its WAN IP, which is still private because pfSense is behind a NAT, and then the router after pfSense might not have a helper or sessions get confused.

        To help would really need to know if they are wanting to use active or passive -- how are they testing it? You're probably going to have issues trying to hit your public IP from your private LAN -- you really need to be actually outside the pfSense LAN network to test if your forward is working correctly. What FTP server are they using? Quite a few of them can be set to do their own thing to try and help with being behind a NAT, using static passive ports, changing the IP sent out -- maybe this is misconfigured, etc. etc.

        FTP can be fun like I said -- and yes, in this day of NATs on both ends and users not understanding the protocol, it can be even more fun ;)

        [Attached screenshots: passiveprivate.png (capture on the server interface), wanpfsense.png (capture on the pfSense WAN side)]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        robegan99:

          You may be having trouble with the pfsense ftp "helper." Check this out:

          http://doc.pfsense.org/index.php/FTP_Troubleshooting

          johnpoz (LAYER 8 Global Moderator):

            Yeah, that is no longer valid -- where do you turn the FTP helper on or off? Like I mentioned earlier, I don't believe there is a way to disable the helper??

            rolo95:

              @tomdlgns:

              Tom, I got the same problem but I followed your screenshot tutorial and it works like a charm now.
              Many thanks.
              pfSense is not for newbies… that come from the home router boxes like D-Link and Linksys.
              This is serious stuff.
              Thanks man,
              Rolo.

              johnpoz (LAYER 8 Global Moderator):

                If you feel that 20 needs to be forwarded, you clearly do not understand how FTP works.

                There is NO situation in FTP where you would need to forward port 20. There just isn't.

                I would suggest you take a look at http://slacksite.com/other/ftp.html

                It's a great, easy-to-understand writeup on how FTP works both in active and passive mode. After you look at it, in what scenario would you need to allow unsolicited traffic to be sent to your FTP server behind your firewall on port 20?

                Nutshell:
                In active, the server makes the data connection to some client port that the client told the server to connect to, from a source port of 20 -- this is outbound traffic, so no forward!

                In passive, the client makes a connection to a data port (not 20) that the server tells the client to connect to, which the helper would open or you would have to manually configure on your firewall and set up on your FTP server to use.

                As to pfSense being complicated, I would agree that much more can be done with it than your typical SOHO, etc. But in general operation I don't see it any more complicated than any other web-based UI to any SOHO router out there.

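The two johnpoz posts above (the sniff showing the 227 reply with a private IP and port 5004, and the active/passive "nutshell") describe what the NAT FTP helper actually does on the control channel. The following is an added example, not code from the thread or from pfSense/FreeBSD: it decodes the h1,h2,h3,h4,p1,p2 tuple that both the client's PORT command and the server's 227 reply carry, flags a PASV reply that advertises an RFC1918 address (the symptom in the first screenshot), rewrites it to the firewall's public address the way the helper does, and reports which direction the data connection will go, which is why port 20 never needs an inbound forward. The sample lines and the public address 203.0.113.50 are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample traffic (not taken from the thread's screenshots).
# The 227 reply mirrors the symptom johnpoz describes: the server advertises
# its own private address together with data port 5004 (19 * 256 + 140).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,4,19,140)\r\n"
# An active-mode PORT command from a client, telling the server where to connect.
SAMPLE_PORT_COMMAND = "PORT 203,0,113,10,200,11\r\n"
# Hypothetical public WAN address of the firewall (placeholder value).
PUBLIC_WAN_IP = "203.0.113.50"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# PORT and the 227 reply both carry "h1,h2,h3,h4,p1,p2": four address octets
# and a 16-bit port split into high and low byte (port = p1 * 256 + p2).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host/port tuple found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not usable for a data connection")
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: build the "h1,h2,h3,h4,p1,p2" tuple."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_pasv_reply(line):
    """Server's 227 reply: where the client must connect for the data channel."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    return decode_hostport(line)


def parse_port_command(line):
    """Client's PORT command: where the server will connect from port 20."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    return decode_hostport(line)


def is_rfc1918(ip):
    """True when an outside client could never reach the advertised address."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def rewrite_pasv_reply(line, public_ip):
    """What the NAT helper does on the way out: if the server advertised a
    private address, substitute the firewall's public address and keep the
    port. Returns (possibly rewritten line, whether it was changed)."""
    ip, port = parse_pasv_reply(line)
    if not is_rfc1918(ip):
        return line, False
    new_line = HOSTPORT_RE.sub(encode_hostport(public_ip, port), line, count=1)
    return new_line, True


def inbound_data_port(line):
    """Port the firewall must accept inbound for the data channel, or None
    when the server itself opens the connection (active mode, from port 20)."""
    if line.upper().startswith("PORT "):
        return None  # server connects out to the client: no inbound forward
    if line.startswith("227"):
        return parse_pasv_reply(line)[1]  # client connects in to this port
    raise ValueError("not a data-channel negotiation line")


if __name__ == "__main__":
    print("PASV advertises", parse_pasv_reply(SAMPLE_PASV_REPLY))
    print("PORT asks server to connect to", parse_port_command(SAMPLE_PORT_COMMAND))
    print("helper output:", rewrite_pasv_reply(SAMPLE_PASV_REPLY, PUBLIC_WAN_IP))
    print("inbound port for active:", inbound_data_port(SAMPLE_PORT_COMMAND))
    print("inbound port for passive:", inbound_data_port(SAMPLE_PASV_REPLY))
```

Running it shows the same thing as the two captures: the server's reply names 192.168.1.4:5004, the rewritten reply names the public address with the port untouched, and the only inbound port the firewall ever has to admit is the passive data port the server picked, never 20. Without a helper, the passive port range has to be fixed on the server and forwarded by hand, which is the manual configuration johnpoz refers to.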
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.