Host attempting data connection is not same as server
-
We've just set up a 2.0.1 firewall and it's working for about 99% of what we want to do - pfSense has been amazing, thank you so much for a great product!
I wish I could stop my post there, but alas, we have an issue... the problem is we have an internal Linux host which uses FTP to pick up files from a Linux host in the DMZ (it's running vsftp) using a Java-based "home grown" process. We use the same process for hundreds of different scenarios. What's strange is that of the 30 or so that run on a daily basis we'll see 6-8 that fail with:
Transmission Error - error during FTP transfer: java.io.IOException: Host attempting data connection 192.168.3.1 is not same as server 10.20.0.20.
192.168.3.1 is the LAN address of the firewall and the 10.20.0.20 is the DMZ IP of the FTP server.
The host that it's connecting FROM is on the 192.168.0.x network and doesn't appear in the error. The frustrating part is that I can't duplicate it using a standard FTP script.
Before you say "dump ftp, it sucks" - I know... I don't have that option... I need to figure out why it's not working.
any thoughts?
-
So I would assume you're doing an active connection.
Your Linux box on your 192.168.3 network connects to the FTP server at 10.20.0.20 using an active connection; this means that the FTP server would open the data channel from source port 20 to the port your host told it to.
See here for a great writeup on the difference between active and passive FTP:
http://slacksite.com/other/ftp.html
Are you doing NAT between these 2 segments? When the 10.20 box connects to the 192.168.3 Linux box it would have to go through your 192.168.3 pfSense interface - so if you're doing NAT, it would see the connection coming from 192.168.3.1, would it not?
So are you doing NAT between the segments, and what firewall rules do you have set up between the segments? Possibly you're using passive when you try it with your script?
-
I think it's related to pfsense built in ftp proxy.
Try to disable it on system -> advanced and test again.
Without ftp proxy and/or nat your dmz server should reach internal server without any translation.
att,
Marcello Coutinho
-
I don't see a ftp-proxy setting under system | advanced - this is a 2.0.1 box - could it be somewhere else?
-
We have it setup for active or passive - this is a carryover configuration from a 1.2.3 box that is working fine. However that was using a CARP interface and now it's setup as Proxy Arp.
The PFsense box is 192.168.3.1
The FTP server is 10.20.0.20
The LAN is 192.168.0.x
When connecting from a LAN server to the FTP server using the Java process, it comes back with "Host attempting data connection 192.168.3.1 is not same as server 10.20.0.20". So the FTP server is seeing the traffic coming from the LAN interface of the pfSense box.
We've setup a 1:1 NAT for the public to DMZ ip of the ftp server.
The firewall rules allow 20,21,22 & 35000:36000 from the WAN to the DMZ - in this case we are coming from the LAN to the DMZ though - when I run the script (passive or active) it works fine (inside or outside).
I think the problem is the Java process trying to confirm the sender/receiver and failing as a security precaution. I guess I'm wondering if that makes sense now?
-
When you say your pfsense box is 192.168.3.1 – what interface is that? The Wan?
Why would you ever need 20 from the WAN to the DMZ -- do you have that set as a source port rule? No traffic would ever hit your WAN with 20 as the dest port in any FTP setup.
As to the FTP proxy, odd that it would kick in with traffic between LAN segments? Not sure where you disable it, or if you can, with 2.0.1, but on 2.1 I show it listed under system tunables under advanced.
debug.pfftpproxy Disable the pf ftp proxy handler. default (0)
And how does it confirm? Confused to what this pfsense box 192.168.3.1 address is on? Are you behind a double nat? Is your mask on your lan something other than /24?
-
I didn't look under system tunables - I'm used to the check box on 1.2.3 > it's set to the default
debug.pfftpproxy Disable the pf ftp proxy handler. default (0)
I'm not clear on whether that's on or off??
The 20 port was carried over from the old configuration - good to know that it's not needed - I'll take that out later.
3.1 is the LAN interface - the WAN is a 12. IP >> the lan interface connects to a cisco/vlan which is setup with vlans (such as the 0.x "lan" network).
I've confirmed with the application developer that because the traffic now appears to be coming from the 3.1 interface (the LAN interface of the pfSense box) it's being 'rejected' as a security feature. This can be removed/disabled and will likely fix the problem; I'm just not sure why it changed from pfSense 1.2.3 to 2.0.1.
-
I tried the
Disable the pf ftp proxy handler.
Setting it to 1 - it caused a 425 unable to connect error.
I'm back to working on the reason the Java app seems to see the traffic coming from the LAN interface of the pfSense box. I did a packet capture of the process and the LAN interface doesn't appear at all...
-
After disabling the ftp proxy, you need firewall rules to allow traffic on the FTP data connection (port 21 is just for commands).
-
Well, if you disable the ftp proxy you would have to set up the manual stuff for access from outside, since outside users would not be able to connect to your private IP in an active connection, when they connect from source port 20 to the port your server tells them to connect to. The ftp proxy opens this port and changes the IP from the private one to the public one for you when the client connects.
If your not seeing it in a capture - could it be a name resolution thing? How does your java app attempt to identify or verify this connection?
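The check the thread circles around is a client-side one: in active mode the client listens and the server must be the side that connects back, so a client that compares the accepted data socket's peer address with the control-connection server address will refuse a connection relayed by a NAT or FTP proxy (it arrives from the pfSense LAN interface, 192.168.3.1, instead of 10.20.0.20). The passive-mode mirror image is a 227 reply that advertises a private DMZ address behind 1:1 NAT. The Python below is an added example, not the poster's Java code or anything from pfSense; it reproduces that verification for both modes on constructed input (the 227 reply, the 203.0.113.10 public address standing in for the unnamed WAN IP, and a loopback active-mode exchange are all made up here). The error string deliberately mirrors the Java exception quoted above.

```python
"""Client-side verification of an FTP data connection (constructed example)."""
from __future__ import annotations

import re
import socket
import threading
from ipaddress import ip_address


class DataConnectionMismatch(IOError):
    """Raised when the data connection's peer is not the control-connection server."""


def check_data_peer(control_server_ip: str, data_peer_ip: str) -> None:
    """Active mode: the client listens and the *server* must be the side that
    connects back.  If a NAT or proxy relays that connection, the accepted
    socket's peer is the relay (here the firewall's LAN address), not the
    server, and the check fails.  The message mirrors the Java exception."""
    if ip_address(control_server_ip) != ip_address(data_peer_ip):
        raise DataConnectionMismatch(
            f"Host attempting data connection {data_peer_ip} "
            f"is not same as server {control_server_ip}"
        )


def parse_pasv(reply: str) -> tuple[str, int]:
    """Parse a 227 'Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    Port is p1*256 + p2; every field must be a valid octet."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def passive_target(control_server_ip: str, reply: str,
                   trust_server_address: bool = False) -> tuple[str, int]:
    """Passive mode: the server advertises where to connect.  By default keep
    only the port and reuse the control-connection host: a server behind 1:1
    NAT otherwise advertises its private DMZ address (which is why the pf ftp
    proxy rewrites it), and a hostile server could redirect the client to a
    third host.  CPython's ftplib takes the same approach by default via its
    FTP.trust_server_pasv_ipv4_address flag."""
    host, port = parse_pasv(reply)
    if not trust_server_address and host != control_server_ip:
        host = control_server_ip
    return host, port


def active_mode_roundtrip(expected_server_ip: str, bind_ip: str = "127.0.0.1") -> str:
    """Constructed active-mode exchange on loopback.  The 'client' listens on
    an ephemeral port (what its PORT command would advertise), a 'server'
    thread connects back and sends a file, and the client runs
    check_data_peer() on the accepted socket before reading anything.
    Returns "ok" on success or the rejection message on mismatch."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((bind_ip, 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def server_side() -> None:
        try:
            with socket.create_connection((bind_ip, port), timeout=5) as s:
                s.sendall(b"constructed file contents\r\n")
        except OSError:
            pass  # client rejected and closed first; expected on a mismatch

    t = threading.Thread(target=server_side)
    t.start()
    conn, (peer_ip, _peer_port) = listener.accept()
    try:
        check_data_peer(expected_server_ip, peer_ip)
        return "ok" if conn.recv(1024) else "empty"
    except DataConnectionMismatch as exc:
        return str(exc)
    finally:
        conn.close()
        listener.close()
        t.join()


if __name__ == "__main__":
    # The thread's scenario: control connection to the DMZ server, data
    # connection arriving from the firewall's LAN interface instead.
    try:
        check_data_peer("10.20.0.20", "192.168.3.1")
    except DataConnectionMismatch as exc:
        print(exc)
    # Constructed 227 reply advertising the private DMZ address to an outside
    # client whose control connection went to the assumed public 203.0.113.10.
    print(passive_target("203.0.113.10", "227 Entering Passive Mode (10,20,0,20,136,184)."))
    print(active_mode_roundtrip("127.0.0.1"))   # peer matches: ok
    print(active_mode_roundtrip("10.20.0.20"))  # peer is loopback, not the server
```

Running it prints the same "Host attempting data connection ... is not same as server ..." text for the relayed case and a successful transfer for the loopback case where the peer and the expected server agree; the only ways to make the relayed case pass are to stop the relay (no proxy or NAT between LAN and DMZ, plus rules for port 20 and the passive range) or to turn the verification off in the client, which also gives up its protection against a third host injecting into the data channel.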