Netgate Discussion Forum
Active ftp not working with server behind pfSense

    nublaii
    last edited by May 11, 2012, 4:07 PM

    We have a simple setup:

    • 2 pfSense boxes running with CARP
    • Those 2 pfSense boxes have a single WAN interface and 3 virtual IP addresses, like this
    • We are running 2.0.1-RELEASE (amd64), so the FTP helper option is NOT available (at least nowhere I can find it)

    WAN: XXX.XXX.XXX.242
    VIP1: XXX.XXX.XXX.243
    VIP2: XXX.XXX.XXX.244
    VIP3: XXX.XXX.XXX.245

    We have ftp servers running on VIP1, VIP2 and VIP3

    We have a "Firewall: NAT > Port Forward" rule forwarding traffic from VIP3 (XXX.XXX.XXX.245) port 21 to our ftp server 10.0.0.160 on port 21.

    And we have that rule created for all the other VIPs.

    We also have the automatically created rule "Firewall: Rules > WAN" allowing incoming traffic to the ftp server 10.0.0.160 on port 21 from the WAN interface.

    From the outside we can connect using passive connection to XXX.XXX.XXX.245 and everything works as usual.

    However, we have a couple of clients that can't/won't run on passive and can't connect properly (as in they can't do anything useful).

    The login happens correctly; it's when you start doing anything that it starts complaining and failing.

    In fact, I tried connecting from an external host and this is the error I get after logging in and trying a simple 'ls' or 'dir':

    ncftp XXX.XXX.XXX.245
    NcFTP 3.2.4 (Apr 07, 2010) by Mike Gleason (http://www.NcFTP.com/contact/).
    Connecting to XXX.XXX.XXX.245...
    Bienvenido al servicio FTP
    Logging in...
    Login successful.
    Logged in to ftp.XXX.XXX.
    Directory successfully changed.
    Current remote directory is /BARCELONA.
    ncftp /BARCELONA > cd
    Directory successfully changed.
    ncftp / > pass
    passive                        on
    ncftp / > pass
    passive                        off
    ncftp / > dir
    Data connection from XXX:XXX:XXX.242:9043 did not originate from remote server XXX.XXX.XXX.245:21!
    List failed.
    ncftp / >

    It seems the NATting process is somehow exposing the real WAN address instead of the VIP3 address, and that confuses the client… is this supposed to happen this way?

    I have been reading the forum and I've not been able to find an answer to my problem; any help will be greatly appreciated.

      cmb
      last edited by May 12, 2012, 6:27 PM

      Your outbound NAT configuration can't send the active connection out on a different IP than the ingress connection comes in on. Fix what IP the server goes out on and it'll work.

        nublaii
        last edited by May 15, 2012, 10:13 PM

        So am I right to understand that unless we disable the automatic outbound nat rule creation and add a rule specifically for it by hand, any port-forwarding rule involving a virtual IP is NOT getting an outbound natting rule automatically created?

        No harsh remark intended, I'm just trying to make sure it works that way ;)

          cmb
          last edited by May 15, 2012, 11:11 PM

          Yeah, will need either manual outbound, or 1:1, to ensure that server goes out on the correct IP.

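As an added example (not code from this thread, from pfSense, or from either poster), here is a small Python model of the rule cmb states: for every port forward from a VIP to an internal FTP server, the outbound NAT rule that covers that server must translate it to the same VIP, otherwise the server's active-mode data connection leaves on the WAN address and the client rejects it. The 203.0.113.x addresses stand in for the thread's XXX.XXX.XXX.242-.245, and the second server 10.0.0.161 is constructed; pfSense's first-match ordering of outbound rules is assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the thread's XXX.XXX.XXX.242-.245
WAN, VIP1, VIP2, VIP3 = "203.0.113.242", "203.0.113.243", "203.0.113.244", "203.0.113.245"

@dataclass
class PortForward:
    external_ip: str    # VIP (or WAN address) the client connects to
    target_ip: str      # internal server the traffic is forwarded to
    port: int

@dataclass
class OutboundNat:
    source: str         # source network the rule matches
    translate_to: str   # address the connection leaves the WAN on

def outbound_address(rules, internal_ip):
    """Address internal_ip is translated to; first matching rule wins (assumed pfSense semantics)."""
    addr = ip_address(internal_ip)
    for rule in rules:
        if addr in ip_network(rule.source, strict=False):
            return rule.translate_to
    return None

def active_ftp_mismatches(forwards, outbound):
    """For each FTP control-port forward, compare the VIP the client connected to
    with the address the server's own outgoing connections (the active-mode data
    connection from port 20) will carry. Returns (server, expected, actual) tuples."""
    problems = []
    for fwd in forwards:
        if fwd.port != 21:
            continue
        actual = outbound_address(outbound, fwd.target_ip)
        if actual != fwd.external_ip:
            problems.append((fwd.target_ip, fwd.external_ip, actual))
    return problems

# Constructed rule set: VIP3 -> 10.0.0.160 as in the thread, plus a second server on VIP1
FORWARDS = [PortForward(VIP3, "10.0.0.160", 21), PortForward(VIP1, "10.0.0.161", 21)]
# Automatic outbound NAT: the whole LAN leaves on the WAN interface address
AUTO_OUTBOUND = [OutboundNat("10.0.0.0/24", WAN)]
# Manual outbound NAT: one rule per server placed above the catch-all
MANUAL_OUTBOUND = [OutboundNat("10.0.0.160/32", VIP3),
                   OutboundNat("10.0.0.161/32", VIP1),
                   OutboundNat("10.0.0.0/24", WAN)]

if __name__ == "__main__":
    print(active_ftp_mismatches(FORWARDS, AUTO_OUTBOUND))    # both servers flagged
    print(active_ftp_mismatches(FORWARDS, MANUAL_OUTBOUND))  # []
```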