
    Problems with FTP using WAN address from LAN.

      zephyr22

      So, I have a problem with addressing my local FTP server with WAN address like so many others.

      However, I have some weird things going on here.

      I have the following NAT setup.

      NAT reflection is enabled

      And the FTP helper is enabled.

      When the setup is like this the following happens.

      -I can connect from internet with both passive and active connections.
      -I can connect from LAN with local address (10.0.0.10) with both passive and active connections.
      -I can connect from LAN with dyndns address (my.domain.com) with active, but NOT passive connections.

      Then I disabled the FTP helper (put it to 1) and the following happens.

      -I can connect from internet with active, but NOT passive connections.
      -I can connect from LAN with local address (10.0.0.10) with both passive and active connections.
      -I can connect from LAN with dyndns address (my.domain.com) with passive AND active connections.

      Is there something I have forgotten here?
      Is there a way I can make this work?

      This is client code from the first scenario with WAN address from LAN not connecting.

      Status:	Finner IP-adresse for my.domain.com
      Status:	Kobler til XX.XXX.XXX.141:21...
      Status:	Tilkoblet, venter på velkomstmelding...
      Respons:	220-FileZilla Server version 0.9.41 beta
      Respons:	220-written by Tim Kosse (Tim.Kosse@gmx.de)
      Respons:	220 Please visit http://sourceforge.net/projects/filezilla/
      Kommando:	USER zephyr
      Respons:	331 Password required for zephyr
      Kommando:	PASS *******
      Respons:	230 Logged on
      Kommando:	SYST
      Respons:	215 UNIX emulated by FileZilla
      Kommando:	FEAT
      Respons:	211-Features:
      Respons:	 MDTM
      Respons:	 REST STREAM
      Respons:	 SIZE
      Respons:	 MLST type*;size*;modify*;
      Respons:	 MLSD
      Respons:	 UTF8
      Respons:	 CLNT
      Respons:	 MFMT
      Respons:	211 End
      Status:	Tilkoblet
      Status:	Mottar mappeliste...
      Kommando:	PWD
      Respons:	257 "/" is current directory.
      Kommando:	TYPE I
      Respons:	200 Type set to I
      Kommando:	PASV
      Respons:	227 Entering Passive Mode (XX,XXX,XXX,141,195,124)
      Kommando:	MLSD
      Respons:	425 Can't open data connection.
      Feil:	Feil ved mottakelse av mappelisten
      

      And server side.

      (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> Connected, sending welcome message...
      (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 220-FileZilla Server version 0.9.41 beta
      (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
      (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 220 Please visit http://sourceforge.net/projects/filezilla/
      (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> USER zephyr
      (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 331 Password required for zephyr
      (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> PASS *******
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 230 Logged on
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> SYST
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 215 UNIX emulated by FileZilla
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> FEAT
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 211-Features:
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MDTM
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  REST STREAM
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  SIZE
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MLST type*;size*;modify*;
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MLSD
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  UTF8
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  CLNT
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MFMT
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 211 End
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> PWD
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 257 "/" is current directory.
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> TYPE I
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 200 Type set to I
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> PASV
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 227 Entering Passive Mode (10,0,0,10,195,124)
      (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> MLSD
      (000209)28.03.2012 17:11:25 - zephyr (10.0.0.1)> 425 Can't open data connection.
      (000209)28.03.2012 17:13:25 - zephyr (10.0.0.1)> 421 Connection timed out.
      (000209)28.03.2012 17:13:25 - zephyr (10.0.0.1)> disconnected.
      
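Editorial example, added here and not part of the original post or of pfSense: a small Python check that pulls the `227` reply out of a client-side and a server-side log like the two above and reports whether the data-channel address or port was rewritten between server and client. The function names are hypothetical, and `203.0.113.141` is a constructed stand-in for the redacted `XX.XXX.XXX.141`.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple of a "227 Entering Passive Mode" reply (RFC 959).
PASV_RE = re.compile(
    r"\b227 [^()]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (IPv4Address, port) for a log line holding a 227 reply, else None."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None  # malformed tuple, not a usable data endpoint
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2

def first_pasv(log_lines):
    """First 227 endpoint found in a list of log lines, or None."""
    for line in log_lines:
        endpoint = parse_pasv(line)
        if endpoint is not None:
            return endpoint
    return None

def compare_pasv(client_log, server_log):
    """Compare what the server sent with what the client received."""
    seen, sent = first_pasv(client_log), first_pasv(server_log)
    if seen is None or sent is None:
        return None
    return {
        "server_sent": sent,
        "client_saw": seen,
        "address_rewritten": seen[0] != sent[0],
        "port_rewritten": seen[1] != sent[1],
        "client_target_rfc1918": any(seen[0] in net for net in RFC1918),
    }

# Constructed sample lines modelled on the two logs in the post.
CLIENT_LOG = ["Respons:\t227 Entering Passive Mode (203,0,113,141,195,124)"]
SERVER_LOG = ["(000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> "
              "227 Entering Passive Mode (10,0,0,10,195,124)"]

if __name__ == "__main__":
    print(compare_pasv(CLIENT_LOG, SERVER_LOG))
```

For the logs in the post this reports the address as rewritten and the port (195,124 = 50044) as unchanged, so the LAN client is told to open its data connection to the WAN address on port 50044 rather than to 10.0.0.10.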
        johnpoz LAYER 8 Global Moderator

        Not sure what your problem is.

        Seems like it was working just fine when you had the helper enabled.  Just turn it back on..

        I don't understand the desire people have for NAT reflection access in the first place.. Why do you feel you should connect to a name that resolves to a public IP, when you are on the same local LAN as the service you want to connect to?

        Just use the local IP, or local DNS/host file to access its private IP.

        Or just use active to connect to it if you want to use NAT reflection.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          zephyr22

          I want NAT reflection so I don't have to set up different server accounts on every laptop and device I use.
          I want the same account (my.domain.com) to work from everywhere.

          I also use a backup program that uses FTP and I can only use one account so I would like it to work both from home and from other locations.

          This worked perfectly with smoothwall so why should it be any harder with pfsense?

            johnpoz LAYER 8 Global Moderator

            Looked like it was working to me..
            -I can connect from LAN with dyndns address (my.domain.com) with active, but NOT passive connections.
            -I can connect from LAN with dyndns address (my.domain.com) with passive AND active connections.

            So now what you're telling me is it's a requirement that you have to use passive from the internet and the LAN both?

            Why not just leave the helper and set your profile to use active connection?  If you are at some location where it does not work then change it to passive.

            Or why don't you just go back to smoothwall ;)

            If you would set up your local DNS to resolve that FQDN to your private IP you would not have any issues.  You could still use the FQDN be it inside or outside.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.