FTP-problem (LAN => DMZ)



  • I'm running a 2.0.1 (amd64) CARP-config.
    When I'm trying to get a connection from my LAN to my DMZ with FTP it goes wrong. (HTTP(S) goes all OK (also to the FTP-server))
    FTP-server asks for username and password and the client also receives an OK back.
    But when I want to do a 'dir', 'put' or 'get' command… it times out.
    When I set up an FTP-connection from another server within the same DMZ to the FTP-server, all works fine.

    Packet Capture reveals that the server is also communicating back, but apparently it goes wrong somewhere so the FTP-client doesn't get the connection correct.
    I found several posts, but never found a right answer on how to solve my problem.

    On LAN I've an any-to-any rule active also.

    Any ideas?



  • Check your firewall log for blocked ftp packets from the server. ftp is not firewall friendly. ftp passive mode works better across a firewall. See (for example) the discussion of passive mode in the FreeBSD ftp man page at http://www.freebsd.org/cgi/man.cgi?query=ftp&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE+and+Ports&arch=default&format=html

    Edit: Correct typos



  • Nothing is blocked by the firewall. (logs are checked)
    I've also created an any-to-any (with logging) rule for this server, but still no ftp-connection working.



  • Have you tried ftp passive mode?



  • Yup…. also doesn't work
    [update]
    Some articles on Google say that you need to add -A for Passive FTP.
    But the -A is actually logging on as Anonymous! (at least for me under Windows)



  • Have you tried a different ftp client? Even a different version of what you are already using?

    Can you ftp between that client and a server on LAN?

    @pfnewbe:

    Packet Capture reveals that the server is also communicating back,

    Packet capture on the server? Packet capture on pfSense OPTx interface? Packet capture on pfSense LAN interface?

    Packet captures at the different locations can be used to determine where the connection attempt is getting "lost".

    @pfnewbe:

    Nothing is blocked by the firewall. (logs are checked)
    I've created also an any-to-any (with logging) rule for this server but also no ftp-connection working.

    rule on what interface? What are your rules on the OPTx interface?

    In what way did passive mode not work? What was reported by the ftp client?



  • I've tried from different machines from LAN to DMZ. (FTP-client of Win XP, Vista and 7)
    On the server I've tried ProFTPD and vsFTPd.
    LAN-LAN and DMZ-DMZ FTP-connections all go well.

    I did a packet-capture on the DMZ (OPTx) interface of the pfSense-box.
    Just tested on the LAN-interface of the pfSense-box…
    The communication on the LAN-interface also looks like it's coming through

    09:09:56.737775 IP 192.168.2.12.52820 > 192.168.3.13.21: tcp 27
    09:09:56.738208 IP 192.168.3.13.21 > 192.168.2.12.52820: tcp 0
    09:09:56.738441 IP 192.168.3.13.21 > 192.168.2.12.52820: tcp 51
    09:09:56.746785 IP 192.168.2.12.52820 > 192.168.3.13.21: tcp 6
    09:09:56.747982 IP 192.168.3.13.20 > 192.168.2.12.52938: tcp 0
    09:09:56.786254 IP 192.168.3.13.21 > 192.168.2.12.52820: tcp 0

    On the client…

    331 Please specify the password.
    Wachtwoord:
    230 Login successful.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.

    You can wait, wait… wait... nothing seems to happen. (even waiting for more than 30 min.)

    any-2-any rules are made on LAN as well as on the DMZ interface. (just to eliminate blocking issues)

    Hmmm... Just tried also to do an FTP from pfSense to the server...

    [2.0.1-RELEASE][admin@fw1.<mydomain>.local]/root(1): ftp server
    Connected to server.<mydomain>.local.
    220 (vsFTPd 2.2.2)
    Name (server:admin):<my_username>
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    229 Entering Extended Passive Mode (|||26882|).
    150 Here comes the directory listing.
    drwx------    5 504      504          4096 Jan 21 17:40 Maildir
    drwxr-xr-x    2 504      504          4096 Jan 21 16:47 awstats
    drwxr-x---    2 504      504          4096 Jan 21 16:47 cgi-bin
    drwxr-xr-x    3 504      504          4096 Jan 21 16:47 etc
    drwxr-xr-x    2 504      504          4096 Jan 21 16:47 fcgi-bin
    drwxr-xr-x    2 504      504          4096 Jan 21 16:47 homes
    drwxr-x---    2 504      504          4096 Jan 21 16:47 logs
    drwxr-x---    6 504      504          4096 Jan 22 10:16 public_html
    drwxr-x---    2 504      504          4096 Jan 25 16:57 tmp
    -rw-r--r--    1 504      504            0 Jan 25 16:37 training.docx
    226 Directory send OK.
    ftp>

    Just found another article on google… "The DOS box FTP in Windows does NOT do passive"  >:(
    (and I was trying, trying and trying with the DOS box FTP)

    I've downloaded the latest version of FileZilla and put it on my own PC… AND IT WORKS!!!
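The reason the thread ends the way it does can be read straight off the control channel and the capture: in active mode the client sends a PORT command and the *server* opens the data connection from port 20 back to the client's ephemeral port, which is exactly the 192.168.3.13.20 > 192.168.2.12.52938 packet in the DMZ capture and exactly the DMZ-to-LAN connection a firewall is not expected to let through; in passive mode (227/229 replies) the *client* opens the data connection, so it rides the same LAN-to-DMZ direction as the control session. The script below is an added example, not code from the thread or from pfSense: it parses PORT, 227 and 229 lines to say which side initiates the data channel and on which port, and scans tcpdump-style lines for server-initiated port-20 connections. The capture lines are the ones posted above; the PORT and 227 lines are constructed so that their encoded ports match the 52938 and 26882 seen in the thread.

```python
"""Work out who opens the FTP data connection, from control-channel text
and from tcpdump-style capture lines.  Added example; not from the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class DataChannel:
    mode: str            # "active" (PORT) or "passive" (227 / 229 reply)
    initiator: str       # which side opens the TCP data connection
    host: Optional[str]  # address the data connection is opened to
    port: int            # port the data connection is opened to

# PORT h1,h2,h3,h4,p1,p2  -> client tells server where to connect (active mode)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -> client connects to server
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|) -> same host as control channel
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_data_channel(line: str, control_server: Optional[str] = None) -> Optional[DataChannel]:
    """Return the data-channel endpoint described by one control-channel line,
    or None for lines that do not set up a data connection."""
    m = PORT_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))  # p1*256 + p2 per RFC 959
        return DataChannel("active", "server", host, port)
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        return DataChannel("passive", "client", host, port)
    m = EPSV_RE.match(line)
    if m:
        # EPSV (RFC 2428) only carries the port; the host is the control peer.
        return DataChannel("passive", "client", control_server, int(m.group(1)))
    return None

# "HH:MM:SS.uuuuuu IP a.b.c.d.sport > e.f.g.h.dport: tcp N" as printed by tcpdump -q
CAP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): tcp (\d+)")

def active_data_connections(capture_lines: List[str], server_ip: str) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for every packet the FTP server sends from
    port 20: these are active-mode data connections the server is opening
    toward the client, i.e. the direction a LAN->DMZ policy usually blocks."""
    found = []
    for line in capture_lines:
        m = CAP_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if src == server_ip and sport == 20:
            found.append((src, dst, dport))
    return found

def crosses_network(src: str, dst: str, prefix: int = 24) -> bool:
    """True when src and dst are not in the same /prefix, so the connection
    has to pass through the firewall rather than stay on one segment."""
    return ipaddress.ip_network(f"{src}/{prefix}", strict=False) != \
           ipaddress.ip_network(f"{dst}/{prefix}", strict=False)

# Capture lines from the thread (DMZ interface of the pfSense box).
CAPTURE = [
    "09:09:56.737775 IP 192.168.2.12.52820 > 192.168.3.13.21: tcp 27",
    "09:09:56.738208 IP 192.168.3.13.21 > 192.168.2.12.52820: tcp 0",
    "09:09:56.738441 IP 192.168.3.13.21 > 192.168.2.12.52820: tcp 51",
    "09:09:56.746785 IP 192.168.2.12.52820 > 192.168.3.13.21: tcp 6",
    "09:09:56.747982 IP 192.168.3.13.20 > 192.168.2.12.52938: tcp 0",
    "09:09:56.786254 IP 192.168.3.13.21 > 192.168.2.12.52820: tcp 0",
]

if __name__ == "__main__":
    # Constructed: the PORT bytes 206,202 encode 52938, the port in the capture.
    for line in ["PORT 192,168,2,12,206,202",
                 "227 Entering Passive Mode (192,168,3,13,105,2).",   # constructed: 26882
                 "229 Entering Extended Passive Mode (|||26882|)."]:  # from the thread
        ch = parse_data_channel(line, control_server="192.168.3.13")
        print(f"{line!r}: {ch.mode} mode, {ch.initiator} connects to {ch.host}:{ch.port}")
    for src, dst, dport in active_data_connections(CAPTURE, "192.168.3.13"):
        print(f"server {src}:20 -> client {dst}:{dport}, crosses firewall: "
              f"{crosses_network(src, dst)}")
```

Run against the capture it prints the single server-initiated connection from 192.168.3.13:20 to 192.168.2.12:52938 and marks it as crossing the /24 boundary, which is the packet the Windows command-line client never received a reply for. The same parser applied to the 229 reply from the pfSense session shows the client connecting to the server on 26882, the direction the existing LAN rule already allows.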

