Active ftp not working with server behind pfSense
-
We have a simple setup:
- 2 pfsense boxes running with CARP
- Those 2 pfsense boxes have a single WAN interface and 3 virtual IP addresses like this:
- We are running 2.0.1-RELEASE (amd64) so the FTP helper option is NOT available (at least nowhere I can find it)
WAN: XXX.XXX.XXX.242
VIP1: XXX.XXX.XXX.243
VIP2: XXX.XXX.XXX.244
VIP3: XXX.XXX.XXX.245
We have ftp servers running on VIP1, VIP2 and VIP3
We have a "Firewall: NAT > Port Forward" rule forwarding traffic from VIP3 (XXX.XXX.XXX.245) port 21 to our ftp server 10.0.0.160 on port 21.
And we have that rule created for all the other VIP.
We also have the automatically created rule "Firewall: Rules > WAN" allowing incoming traffic to the ftp server 10.0.0.160 on port 21 from the WAN interface.
From the outside we can connect using passive connection to XXX.XXX.XXX.245 and everything works as usual.
However, we have a couple of clients that can't/won't run on passive and can't connect properly (as in they can't do anything useful).
The login happens correctly, it's when you start doing anything that starts complaining and failing.
In fact, I tried connecting from an external host and this is the error I get after logging in and trying to do a simple 'ls' or 'dir':
ncftp XXX.XXX.XXX.245
NcFTP 3.2.4 (Apr 07, 2010) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to XXX.XXX.XXX.245...
Bienvenido al servicio FTP
Logging in...
Login successful.
Logged in to ftp.XXX.XXX.
Directory successfully changed.
Current remote directory is /BARCELONA.
ncftp /BARCELONA > cd
Directory successfully changed.
ncftp / > pass
passive on
ncftp / > pass
passive off
ncftp / > dir
Data connection from XXX:XXX:XXX.242:9043 did not originate from remote server XXX.XXX.XXX.245:21!
List failed.
ncftp / >
It seems the NATting process is somehow exposing the real WAN address instead of the VIP3 address and that confuses the client… is this supposed to happen this way?
I have been reading the forum and I've not been able to find an answer to my problem, any help will be greatly appreciated
-
Your outbound NAT configuration can't send the active connection out on a different IP than the ingress connection comes in on. Fix what IP the server goes out on and it'll work.
-
So am I right to understand that unless we disable the automatic outbound nat rule creation and add a rule specifically for it by hand, any port-forwarding rule involving a virtual IP is NOT getting an outbound natting rule automatically created?
No harsh remark intended, I'm just trying to make sure it works that way ;)
-
Yeah, will need either manual outbound, or 1:1, to ensure that server goes out on the correct IP.
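To make the two answers concrete, here is what the underlying pf translation rules look like for the setup in the thread: the automatic outbound NAT that produces the .242 source address the client rejects, next to the manual outbound NAT and the 1:1 NAT alternative that pin the server to VIP3. This is an added illustration written in pf.conf syntax, not a pfSense-generated ruleset; the WAN interface name em0 and the LAN subnet 10.0.0.0/24 are assumptions.

```pf
# Inbound port forward for VIP3 (what "Firewall: NAT > Port Forward" creates).
# Only the control connection (port 21) comes in this way.
rdr on em0 proto tcp from any to XXX.XXX.XXX.245 port 21 -> 10.0.0.160 port 21

# Automatic outbound NAT: every LAN host leaves on the WAN interface address.
# In active mode the server opens the data connection itself (port 20 -> client),
# so that connection is translated to .242, and the client sees a source
# address that does not match the .245 it logged in to.
nat on em0 from 10.0.0.0/24 to any -> XXX.XXX.XXX.242

# Fix 1, manual outbound NAT: translate the FTP server to VIP3 specifically.
# Translation rules are first-match in pf, so this must come before the
# subnet-wide rule above.
nat on em0 from 10.0.0.160 to any -> XXX.XXX.XXX.245

# Fix 2, 1:1 NAT (binat): maps both directions between 10.0.0.160 and VIP3,
# replacing the rdr/nat pair for that host. Filter rules are still required
# to pass the forwarded traffic.
binat on em0 from 10.0.0.160 to any -> XXX.XXX.XXX.245
```

Whichever fix is used, the check is the same: from an outside host, an active-mode 'dir' should now report the data connection as originating from XXX.XXX.XXX.245 rather than .242.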