Problems with FTP using WAN address from LAN.



  • So, I have a problem with addressing my local FTP server with the WAN address, like so many others.

    However, I have some weird things going on here.

    I have the following NAT setup.

    NAT reflection is enabled

    And the FTP helper is enabled.

    When the setup is like this the following happens.

    -I can connect from the internet with both passive and active connections.
    -I can connect from LAN with the local address (10.0.0.10) with both passive and active connections.
    -I can connect from LAN with the dyndns address (my.domain.com) with active, but NOT passive connections.

    Then I disabled the FTP helper (put it to 1) and the following happens.

    -I can connect from the internet with active, but NOT passive connections.
    -I can connect from LAN with the local address (10.0.0.10) with both passive and active connections.
    -I can connect from LAN with the dyndns address (my.domain.com) with passive AND active connections.

    Is there something I have forgotten here?
    Is there a way I can make this work?

    This is the client log from the first scenario, with the WAN address from LAN not connecting.

    Status:	Finner IP-adresse for my.domain.com
    Status:	Kobler til XX.XXX.XXX.141:21...
    Status:	Tilkoblet, venter på velkomstmelding...
    Respons:	220-FileZilla Server version 0.9.41 beta
    Respons:	220-written by Tim Kosse (Tim.Kosse@gmx.de)
    Respons:	220 Please visit http://sourceforge.net/projects/filezilla/
    Kommando:	USER zephyr
    Respons:	331 Password required for zephyr
    Kommando:	PASS *******
    Respons:	230 Logged on
    Kommando:	SYST
    Respons:	215 UNIX emulated by FileZilla
    Kommando:	FEAT
    Respons:	211-Features:
    Respons:	 MDTM
    Respons:	 REST STREAM
    Respons:	 SIZE
    Respons:	 MLST type*;size*;modify*;
    Respons:	 MLSD
    Respons:	 UTF8
    Respons:	 CLNT
    Respons:	 MFMT
    Respons:	211 End
    Status:	Tilkoblet
    Status:	Mottar mappeliste...
    Kommando:	PWD
    Respons:	257 "/" is current directory.
    Kommando:	TYPE I
    Respons:	200 Type set to I
    Kommando:	PASV
    Respons:	227 Entering Passive Mode (XX,XXX,XXX,141,195,124)
    Kommando:	MLSD
    Respons:	425 Can't open data connection.
    Feil:	Feil ved mottakelse av mappelisten
    

    And the server side.

    (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> Connected, sending welcome message...
    (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 220-FileZilla Server version 0.9.41 beta
    (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
    (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 220 Please visit http://sourceforge.net/projects/filezilla/
    (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> USER zephyr
    (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> 331 Password required for zephyr
    (000209)28.03.2012 17:11:14 - (not logged in) (10.0.0.1)> PASS *******
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 230 Logged on
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> SYST
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 215 UNIX emulated by FileZilla
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> FEAT
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 211-Features:
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MDTM
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  REST STREAM
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  SIZE
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MLST type*;size*;modify*;
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MLSD
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  UTF8
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  CLNT
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)>  MFMT
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 211 End
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> PWD
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 257 "/" is current directory.
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> TYPE I
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 200 Type set to I
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> PASV
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> 227 Entering Passive Mode (10,0,0,10,195,124)
    (000209)28.03.2012 17:11:14 - zephyr (10.0.0.1)> MLSD
    (000209)28.03.2012 17:11:25 - zephyr (10.0.0.1)> 425 Can't open data connection.
    (000209)28.03.2012 17:13:25 - zephyr (10.0.0.1)> 421 Connection timed out.
    (000209)28.03.2012 17:13:25 - zephyr (10.0.0.1)> disconnected.
    
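The two logs above show the same PASV exchange from both ends: the server emitted `227 Entering Passive Mode (10,0,0,10,195,124)` while the LAN client received the WAN octets in their place, so the pfSense FTP helper rewrote the advertised data address in transit. The following script is an added example, not code from the thread or from pfSense/FileZilla: it decodes a 227 reply into an address and port (port = p1*256 + p2, so 195,124 is port 50044), reports whether a middlebox rewrote the address by comparing the server-side and client-side replies, and flags the helper-off case where a private RFC 1918 address is advertised on a control connection that terminates at a public IP. The WAN address 203.0.113.141 is a constructed placeholder for the masked XX.XXX.XXX.141 in the post.

```python
import ipaddress
import re

# Regex for the RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 ranges; used instead of ipaddress.is_private because that also
# treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) decoded from a 227 PASV reply; raise on malformed input."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = octets
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def is_rfc1918(ip):
    """True when ip lies in one of the private RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def diagnose(client_reply, control_peer_ip, server_reply=None):
    """Explain what a client will do with a PASV reply.

    client_reply    - the 227 line as the client received it
    control_peer_ip - the address the client's control connection is talking to
    server_reply    - optional: the 227 line as the server logged sending it
    """
    data_ip, data_port = parse_pasv(client_reply)
    result = {
        "data_ip": data_ip,
        "data_port": data_port,
        "control_peer_ip": control_peer_ip,
        # A helper/NAT rewrote the address if the server sent something else.
        "rewritten": server_reply is not None and parse_pasv(server_reply)[0] != data_ip,
        # Private address advertised on a public control connection: reachable
        # only for clients that happen to sit on that private network.
        "private_on_public": is_rfc1918(data_ip) and not is_rfc1918(control_peer_ip),
    }
    return result


# Constructed sample values (the post masks the real WAN address).
WAN_IP = "203.0.113.141"
SERVER_REPLY = "227 Entering Passive Mode (10,0,0,10,195,124)"          # from the server log
CLIENT_SEEN_HELPER_ON = "227 Entering Passive Mode (203,0,113,141,195,124)"  # client log, WAN octets substituted
CLIENT_SEEN_HELPER_OFF = SERVER_REPLY  # with the helper off the reply passes through unchanged

if __name__ == "__main__":
    # Scenario 1: helper on, LAN client via my.domain.com -> address rewritten to WAN,
    # so the client tries WAN:50044, which NAT reflection for port 21 alone does not cover.
    print(diagnose(CLIENT_SEEN_HELPER_ON, WAN_IP, SERVER_REPLY))
    # Scenario 2: helper off -> 10.0.0.10:50044 is advertised; LAN clients reach it
    # directly, internet clients cannot.
    print(diagnose(CLIENT_SEEN_HELPER_OFF, WAN_IP))
```

Running it reproduces the two scenarios in the post: with the helper on, `rewritten` is true and the LAN client is sent to the WAN address on port 50044; with the helper off, `private_on_public` is true, which is why passive mode then works from the LAN (10.0.0.10 is reachable there) but not from the internet.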

  • LAYER 8 Global Moderator

    Not sure what your problem is.

    Seems like it's working just fine when you had the helper enabled.  Just turn it back on..

    I don't understand the desire people have for NAT reflection access in the first place.. Why do you feel you should connect to a name that resolves to a public IP, when you are on the same local LAN as the service you want to connect to?

    Just use the local IP, or local DNS/hosts file to access its private IP.

    Or just use active to connect to it if you want to use NAT reflection.



  • I want NAT reflection so I don't have to set up different server accounts on every laptop and device I use.
    I want the same account (my.domain.com) to work from everywhere.

    I also use a backup program that uses FTP, and I can only use one account, so I would like it to work both from home and from other locations.

    This worked perfectly with smoothwall, so why should it be any harder with pfSense?


  • LAYER 8 Global Moderator

    Looked like it was working to me..
    -I can connect from LAN with the dyndns address (my.domain.com) with active, but NOT passive connections.
    -I can connect from LAN with the dyndns address (my.domain.com) with passive AND active connections.

    So now what you're telling me is it's a requirement that you have to use passive from the internet and the LAN both?

    Why not just leave the helper on and set your profile to use active connections?  If you're at some location where that does not work, then change it to passive.

    Or why don't you just go back to smoothwall ;)

    If you would set up your local DNS to resolve that FQDN to your private IP, you would not have any issues.  You could still use the FQDN, be it inside or outside.

