Problems to open for FTP traffic through pfSense



  • Hi.

    First, thank you for a good firewall/router.
    I'm quite new to it, since I started to use it just a month ago or so.

    Just upgraded to 2.0.2

    But need some help. I cannot open the firewall for 21 (FTP) traffic.

    Have read many many threads in different forums on the internet, and understand this is an issue, but have still not succeeded.
    I see a lot about this FTP helper, but I do not think that exists in version 2 or newer?

    Some info:

    FTP server: is actually a Netgear ReadyNAS, which I perfectly can access on port 21 internally on LAN: 192.168.10.21
    PFsense: 192.168.10.1

    I enclose printscreen of my current firewall/NAT status regards port 21.

    Appreciate your assistance/advice.

    Thank you.

    ![NAT_FW status.jpg](/public/imported_attachments/1/NAT_FW status.jpg)





  • The proxy helper application is not available as an option in version 2+, but it is now a part of the kernel; however, the PASV FTP problem seems to have no easy solution as of yet.


  • LAYER 8 Global Moderator

    are you using active or passive connections to this server behind pfsense from the outside?

    Are you trying to use ftps or ftpes?  Helper will not work if the connection is encrypted - no way for the helper to see the ports requested to allow the data channel.

    If your forward is set up you should at min be able to make the control channel connection, only the data channel would be where there could be issues.  So active/passive comes into play only on the data channel, not the control channel.

    You sure the ftp server doesn't have a firewall setup that prevents access from networks that are not local, that sort of thing?

    When troubleshooting any sort of connection be it ftp or not - run a sniff on pfsense for both the wan and lan connections - does the packet hit the wan, does the packet get sent out the lan to your dest IP.

    If being sent out lan interface - does the lan device get the packet?  What does it answer back?

    You sure your pfsense wan is just not behind a NAT?  This seems to be a common problem when users can not get forwards to work - they are behind a nat at pfsense - and the device in front is not forwarding the traffic.



  • Have tried both active and passive connection in vain. I can access locally by the FTP Server IP i.e. 192.168.1.3 BUT when I access it through my public IP from the same system within the same network, it doesn't let me connect.

    No I am not using ftps or ftpes.

    Yes you are absolutely right, I can connect and log-on to the FTP but as soon as I list directories the connection times out.

    There is no firewall on the server as of yet, I even have turned off the Windows firewall.

    My pfsense box is the main NAT which connects to my ISP's PPPOE server.

    Output from Cute FTP

    
    Welcome to Core FTP, release ver 2.2, build 1765 (U) -- © 2003-2012
    WinSock 2.0
    Mem -- 4,194,303 KB, Virt -- 2,097,024 KB
    Started on Thursday January 24, 2013 at 10:37:AM
    Resolving saymaad.dyndns.info...  
    Connect socket #984 to 13.110.155.188, port 21...
    220 Microsoft FTP Service  
    USER ftp-test  
    331 Password required  
    PASS **********  
    230 User logged in.  
    SYST  
    215 Windows_NT  
    Keep alive off...
    PWD  
    257 "/" is current directory.  
    PASV  
    227 Entering Passive Mode (13,110,155,188,212,128)  
    LIST  
    Connect socket #872 to 13.110.155.188, port 54400...
    timeout
    150 Opening ASCII mode data connection.  
    550 Data channel was closed by ABOR command from client.  
    226 ABOR command successful.  
    QUIT  
    221 Goodbye.  
    Resolving saymaad.dyndns.info...  
    Connect socket #964 to 13.110.155.188, port 21...
    220 Microsoft FTP Service  
    USER ftp-test  
    No response from server...  
    disconnected  
    Reconnect
    Retry #1, Connecting to saymaad.dyndns.info...
    Resolving saymaad.dyndns.info...  
    Connect socket #824 to 13.110.155.188, port 21...
    220 Microsoft FTP Service  
    USER ftp-test  
    331 Password required  
    PASS **********  
    230 User logged in.  
    SYST  
    215 Windows_NT  
    Keep alive off...
    Attemping Active mode transfer...
    PORT 192,168,1,125,65,219  
    501 Server cannot accept argument.  
    PORT command failed
    Error loading directory...
    disconnected  
    
    

    I got the following results while sniffing pfsense packets:

    
    10:30:11.282025 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 37524, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [S], cksum 0xddff (correct), seq 36906457, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 7128634 ecr 0], length 0
    10:30:11.282382 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 11124, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [S.], cksum 0x1719 (correct), seq 2690177767, ack 36906458, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 94971064 ecr 7128634], length 0
    10:30:11.282423 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 38252, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x63de (correct), seq 1, ack 1, win 520, options [nop,nop,TS val 7128634 ecr 94971064], length 0
    10:30:11.282731 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 128, id 11125, offset 0, flags [DF], proto TCP (6), length 79)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0xc9d5 (correct), seq 1:28, ack 1, win 260, options [nop,nop,TS val 94971064 ecr 7128634], length 27
    10:30:11.282749 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 50994, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x63c2 (correct), seq 1, ack 28, win 520, options [nop,nop,TS val 7128635 ecr 94971064], length 0
    10:30:11.289941 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 29070, offset 0, flags [DF], proto TCP (6), length 83)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [P.], cksum 0x1027 (correct), seq 1:32, ack 28, win 520, options [nop,nop,TS val 7128635 ecr 94971064], length 31
    10:30:11.290154 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 128, id 11126, offset 0, flags [DF], proto TCP (6), length 75)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0x76cc (correct), seq 28:51, ack 32, win 260, options [nop,nop,TS val 94971064 ecr 7128635], length 23
    10:30:11.290187 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 5372, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x638c (correct), seq 32, ack 51, win 520, options [nop,nop,TS val 7128635 ecr 94971064], length 0
    10:30:11.292190 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 64, id 54780, offset 0, flags [DF], proto TCP (6), length 66)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [P.], cksum 0x904c (correct), seq 32:46, ack 51, win 520, options [nop,nop,TS val 7128635 ecr 94971064], length 14
    10:30:11.292899 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 87: (tos 0x0, ttl 128, id 11127, offset 0, flags [DF], proto TCP (6), length 73)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0x4a56 (correct), seq 51:72, ack 46, win 260, options [nop,nop,TS val 94971065 ecr 7128635], length 21
    10:30:11.292915 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 28555, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x6367 (correct), seq 46, ack 72, win 520, options [nop,nop,TS val 7128636 ecr 94971065], length 0
    10:30:11.303538 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 59761, offset 0, flags [DF], proto TCP (6), length 58)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [P.], cksum 0xafa0 (correct), seq 46:52, ack 72, win 520, options [nop,nop,TS val 7128637 ecr 94971065], length 6
    10:30:11.303849 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 128, id 11128, offset 0, flags [DF], proto TCP (6), length 68)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0xf8f7 (correct), seq 72:88, ack 52, win 259, options [nop,nop,TS val 94971066 ecr 7128637], length 16
    10:30:11.303873 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 55171, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x634f (correct), seq 52, ack 88, win 520, options [nop,nop,TS val 7128637 ecr 94971066], length 0
    10:30:11.322284 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 46973, offset 0, flags [DF], proto TCP (6), length 58)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [P.], cksum 0xb29e (correct), seq 52:58, ack 88, win 520, options [nop,nop,TS val 7128638 ecr 94971066], length 6
    10:30:11.322685 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 128, id 11129, offset 0, flags [DF], proto TCP (6), length 102)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0xee85 (correct), seq 88:138, ack 58, win 259, options [nop,nop,TS val 94971068 ecr 7128638], length 50
    10:30:11.322718 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 52902, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x6314 (correct), seq 58, ack 138, win 519, options [nop,nop,TS val 7128639 ecr 94971068], length 0
    10:30:11.332894 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 56086, offset 0, flags [DF], proto TCP (6), length 58)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [P.], cksum 0xb65c (correct), seq 58:64, ack 138, win 520, options [nop,nop,TS val 7128640 ecr 94971068], length 6
    10:30:11.333364 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 128, id 11130, offset 0, flags [DF], proto TCP (6), length 93)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0xa76b (correct), seq 138:179, ack 64, win 259, options [nop,nop,TS val 94971069 ecr 7128640], length 41
    10:30:11.333400 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 15319, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x62e2 (correct), seq 64, ack 179, win 520, options [nop,nop,TS val 7128640 ecr 94971069], length 0
    10:30:38.859712 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 95: (tos 0x0, ttl 128, id 11131, offset 0, flags [DF], proto TCP (6), length 81)
        192.168.1.3.21 > 192.168.1.155.30133: Flags [P.], cksum 0xbb6f (correct), seq 1193535899:1193535928, ack 2396311686, win 259, options [nop,nop,TS val 94973821 ecr 7127761], length 29
    10:30:38.859741 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 44731, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.1.155.30133 > 192.168.1.3.21: Flags [R], cksum 0x56cc (correct), seq 2396311686, win 0, length 0
    10:30:38.859744 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 11132, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.3.21 > 192.168.1.155.30133: Flags [F.], cksum 0xf364 (correct), seq 29, ack 1, win 259, options [nop,nop,TS val 94973821 ecr 7127761], length 0
    10:30:42.334413 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 48414, offset 0, flags [DF], proto TCP (6), length 58)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [P.], cksum 0xb919 (correct), seq 64:70, ack 179, win 520, options [nop,nop,TS val 7131740 ecr 94971069], length 6
    10:30:42.334904 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 124: (tos 0x0, ttl 128, id 11133, offset 0, flags [DF], proto TCP (6), length 110)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0xf383 (correct), seq 179:237, ack 70, win 259, options [nop,nop,TS val 94974169 ecr 7131740], length 58
    10:30:42.334924 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 49392, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x4a6b (correct), seq 70, ack 237, win 519, options [nop,nop,TS val 7131740 ecr 94974169], length 0
    10:30:42.334926 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 96: (tos 0x0, ttl 128, id 11134, offset 0, flags [DF], proto TCP (6), length 82)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0x9a6e (correct), seq 237:267, ack 70, win 259, options [nop,nop,TS val 94974169 ecr 7131740], length 30
    10:30:42.334940 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 37933, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x4a4c (correct), seq 70, ack 267, win 520, options [nop,nop,TS val 7131740 ecr 94974169], length 0
    10:30:44.710380 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 55392, offset 0, flags [DF], proto TCP (6), length 58)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [P.], cksum 0xa19d (correct), seq 70:76, ack 267, win 520, options [nop,nop,TS val 7131977 ecr 94974169], length 6
    10:30:44.710710 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 128, id 11135, offset 0, flags [DF], proto TCP (6), length 66)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [P.], cksum 0x5a83 (correct), seq 267:281, ack 76, win 259, options [nop,nop,TS val 94974406 ecr 7131977], length 14
    10:30:44.710749 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 24731, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x485e (correct), seq 76, ack 281, win 520, options [nop,nop,TS val 7131977 ecr 94974406], length 0
    10:30:44.710753 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 11136, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [F.], cksum 0x4962 (correct), seq 281, ack 76, win 259, options [nop,nop,TS val 94974406 ecr 7131977], length 0
    10:30:44.710780 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 30584, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [.], cksum 0x485d (correct), seq 76, ack 282, win 520, options [nop,nop,TS val 7131977 ecr 94974406], length 0
    10:30:44.710800 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 18175, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.63612 > 192.168.1.3.21: Flags [F.], cksum 0x485c (correct), seq 76, ack 282, win 520, options [nop,nop,TS val 7131977 ecr 94974406], length 0
    10:30:44.711033 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 11137, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.3.21 > 192.168.1.155.63612: Flags [.], cksum 0x4960 (correct), seq 282, ack 77, win 259, options [nop,nop,TS val 94974407 ecr 7131977], length 0
    10:30:44.724758 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 29522, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.155.31258 > 192.168.1.3.21: Flags [S], cksum 0x5621 (correct), seq 2259262098, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 7131979 ecr 0], length 0
    10:30:44.725153 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 11138, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.3.21 > 192.168.1.155.31258: Flags [S.], cksum 0xba10 (correct), seq 4143271012, ack 2259262099, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 94974408 ecr 7131979], length 0
    10:30:44.725197 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 56059, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.31258 > 192.168.1.3.21: Flags [.], cksum 0x06d6 (correct), seq 1, ack 1, win 520, options [nop,nop,TS val 7131979 ecr 94974408], length 0
    10:30:44.725641 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 128, id 11139, offset 0, flags [DF], proto TCP (6), length 79)
        192.168.1.3.21 > 192.168.1.155.31258: Flags [P.], cksum 0x6ccd (correct), seq 1:28, ack 1, win 260, options [nop,nop,TS val 94974408 ecr 7131979], length 27
    10:30:44.725675 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 12619, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.31258 > 192.168.1.3.21: Flags [.], cksum 0x06bb (correct), seq 1, ack 28, win 520, options [nop,nop,TS val 7131979 ecr 94974408], length 0
    10:30:44.728365 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 65275, offset 0, flags [DF], proto TCP (6), length 83)
        192.168.1.155.31258 > 192.168.1.3.21: Flags [P.], cksum 0xb31f (correct), seq 1:32, ack 28, win 520, options [nop,nop,TS val 7131979 ecr 94974408], length 31
    10:30:44.728726 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 128, id 11140, offset 0, flags [DF], proto TCP (6), length 75)
        192.168.1.3.21 > 192.168.1.155.31258: Flags [P.], cksum 0x19c5 (correct), seq 28:51, ack 32, win 260, options [nop,nop,TS val 94974408 ecr 7131979], length 23
    10:30:44.728762 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 45548, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.31258 > 192.168.1.3.21: Flags [.], cksum 0x0685 (correct), seq 32, ack 51, win 520, options [nop,nop,TS val 7131979 ecr 94974408], length 0
    10:30:44.741288 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 47854, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.31258 > 192.168.1.3.21: Flags [F.], cksum 0x0683 (correct), seq 32, ack 51, win 520, options [nop,nop,TS val 7131980 ecr 94974408], length 0
    10:30:44.741591 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 11141, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.3.21 > 192.168.1.155.31258: Flags [.], cksum 0x0785 (correct), seq 51, ack 33, win 260, options [nop,nop,TS val 94974410 ecr 7131980], length 0
    10:30:44.741601 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 11142, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.3.21 > 192.168.1.155.31258: Flags [F.], cksum 0x0784 (correct), seq 51, ack 33, win 260, options [nop,nop,TS val 94974410 ecr 7131980], length 0
    10:30:44.741611 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 29860, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.31258 > 192.168.1.3.21: Flags [.], cksum 0x067f (correct), seq 33, ack 52, win 520, options [nop,nop,TS val 7131981 ecr 94974410], length 0
    10:30:45.249259 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 37561, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [S], cksum 0xb324 (correct), seq 2501801283, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 7132031 ecr 0], length 0
    10:30:45.249582 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 11143, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.3.21 > 192.168.1.155.13245: Flags [S.], cksum 0x1c05 (correct), seq 1177745410, ack 2501801284, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 94974460 ecr 7132031], length 0
    10:30:45.249612 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 27224, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [.], cksum 0x68ca (correct), seq 1, ack 1, win 520, options [nop,nop,TS val 7132031 ecr 94974460], length 0
    10:30:45.249963 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 128, id 11144, offset 0, flags [DF], proto TCP (6), length 79)
        192.168.1.3.21 > 192.168.1.155.13245: Flags [P.], cksum 0xcec1 (correct), seq 1:28, ack 1, win 260, options [nop,nop,TS val 94974460 ecr 7132031], length 27
    10:30:45.249999 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 28, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [.], cksum 0x68af (correct), seq 1, ack 28, win 520, options [nop,nop,TS val 7132031 ecr 94974460], length 0
    10:30:45.252725 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 60141, offset 0, flags [DF], proto TCP (6), length 83)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [P.], cksum 0x1513 (correct), seq 1:32, ack 28, win 520, options [nop,nop,TS val 7132032 ecr 94974460], length 31
    10:30:45.252912 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 128, id 11145, offset 0, flags [DF], proto TCP (6), length 75)
        192.168.1.3.21 > 192.168.1.155.13245: Flags [P.], cksum 0x7bb7 (correct), seq 28:51, ack 32, win 260, options [nop,nop,TS val 94974461 ecr 7132032], length 23
    10:30:45.252934 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 2975, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [.], cksum 0x6877 (correct), seq 32, ack 51, win 520, options [nop,nop,TS val 7132032 ecr 94974461], length 0
    10:30:45.264271 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 64, id 33284, offset 0, flags [DF], proto TCP (6), length 66)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [P.], cksum 0x9536 (correct), seq 32:46, ack 51, win 520, options [nop,nop,TS val 7132033 ecr 94974461], length 14
    10:30:45.264816 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 87: (tos 0x0, ttl 128, id 11146, offset 0, flags [DF], proto TCP (6), length 73)
        192.168.1.3.21 > 192.168.1.155.13245: Flags [P.], cksum 0x4f40 (correct), seq 51:72, ack 46, win 260, options [nop,nop,TS val 94974462 ecr 7132033], length 21
    10:30:45.264851 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 41482, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [.], cksum 0x6852 (correct), seq 46, ack 72, win 520, options [nop,nop,TS val 7132033 ecr 94974462], length 0
    10:30:45.270095 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 72: (tos 0x0, ttl 64, id 38526, offset 0, flags [DF], proto TCP (6), length 58)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [P.], cksum 0xb48c (correct), seq 46:52, ack 72, win 520, options [nop,nop,TS val 7132033 ecr 94974462], length 6
    10:30:45.270385 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 128, id 11147, offset 0, flags [DF], proto TCP (6), length 68)
        192.168.1.3.21 > 192.168.1.155.13245: Flags [P.], cksum 0xfde4 (correct), seq 72:88, ack 52, win 259, options [nop,nop,TS val 94974462 ecr 7132033], length 16
    10:30:45.270403 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 2033, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [.], cksum 0x683c (correct), seq 52, ack 88, win 520, options [nop,nop,TS val 7132033 ecr 94974462], length 0
    10:30:45.293480 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 93: (tos 0x0, ttl 64, id 45101, offset 0, flags [DF], proto TCP (6), length 79)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [P.], cksum 0xb06c (correct), seq 52:79, ack 88, win 520, options [nop,nop,TS val 7132036 ecr 94974462], length 27
    10:30:45.293873 00:0c:29:04:a1:6b > 00:0c:29:8d:5d:09, ethertype IPv4 (0x0800), length 102: (tos 0x0, ttl 128, id 11148, offset 0, flags [DF], proto TCP (6), length 88)
        192.168.1.3.21 > 192.168.1.155.13245: Flags [P.], cksum 0x4eda (correct), seq 88:124, ack 79, win 259, options [nop,nop,TS val 94974465 ecr 7132036], length 36
    10:30:45.293920 00:0c:29:8d:5d:09 > 00:0c:29:04:a1:6b, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 27510, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.155.13245 > 192.168.1.3.21: Flags [.], cksum 0x67f7 (correct), seq 79, ack 124, win 520, options [nop,nop,TS val 7132036 ecr 94974465], length 0
    
    

  • LAYER 8 Global Moderator

    "public IP from the same system within the same network, it doesn't let me connect."

    Yeah that is NOT a good test, that is nat reflection (loopback forward), you're going to confuse the hell out of the helper ;)  Do you have nat reflection enabled?

    Actually do a TEST from OUTSIDE your network - PM me info and be happy to test connection for you.


    Look at your connection info here
    227 Entering Passive Mode (13,110,xx,xx,212,128)  
    LIST  
    Connect socket #872 to 13.110.xx.xx, port 54400...

    BTW you might want to remove your public IPs? 13.11.x.x, anyway so trying to connect passive would again be another nat reflection which I have not tested with ftp..  From what you're doing it doesn't work ;)

    maybe you did? 
    CIDR:          13.0.0.0/8
    OrgName:        Xerox Corporation

    In the active connection you're telling your server to connect to your private IP - what the helper would do with that if anything not sure?

    You would have to actually look at the sniffs you captured to get the details.  But test from OUTSIDE!!! your network..



  • I did already hide the public IP and credentials ;)

    Thank you for offering your help, I have sent you the details… check your PM and kindly do the tests


  • LAYER 8 Global Moderator

    Yup worked just great, sent testftp.txt file up without any issues - saw the mp3 in the dir, etc..

    Status: Connecting to xx.xx.xx.188:21…
    Status: Connection established, waiting for welcome message...
    Response: 220 Microsoft FTP Service
    Command: USER johnpoz@snipped
    Response: 331 Password required
    Command: PASS ********
    Response: 230 User logged in.
    Command: SYST
    Response: 215 Windows_NT
    Command: FEAT
    snipped
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PORT 192,168,1,100,78,38
    Response: 200 PORT command successful.
    Command: LIST
    Response: 125 Data connection already open; Transfer starting.
    Response: 226 Transfer complete.
    Status: Directory listing successful
    Status: Retrieving directory listing...
    Command: CWD Test
    Response: 250 CWD command successful.
    Command: PWD
    Response: 257 "/Test" is current directory.
    Command: PORT 192,168,1,100,78,39
    Response: 200 PORT command successful.
    Command: LIST
    Response: 125 Data connection already open; Transfer starting.
    Response: 226 Transfer complete.

    I can try a pasv connection if you want - but looks to be working to me.

    Helper would change the PORT commands to be my public IP vs the private one client sent.

    edit: yup pasv works just fine too

    Response: 227 Entering Passive Mode (xx,xx,xx,188,212,232)
    Command: LIST
    Response: 150 Opening BINARY mode data connection.
    Response: 226 Transfer complete.
    Status: Directory listing successful
    Status: Retrieving directory listing…
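
The PORT and 227 lines in the logs above carry the data-channel endpoint as `h1,h2,h3,h4,p1,p2`, with the port equal to `p1*256 + p2` (212,128 is the port 54400 seen in the first log). The following is an added example, not code from the thread or from pfSense: it extracts those endpoints from a client log and labels which NAT condition each one depends on. The sample log is constructed, `203.0.113.10` is a documentation-range stand-in for the public address, and the verdict names are hypothetical labels.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly (ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, used below as a stand-in).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 replies (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Some clients prefix each log line with "Command:" or "Response:".
PREFIX = re.compile(r"^(Command|Response):\s*")


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_endpoint(line):
    """Return (kind, ip, port) for a PORT command or a 227 reply, else None."""
    text = PREFIX.sub("", line.strip())
    if text.upper().startswith("PORT "):
        kind = "PORT"
    elif text.startswith("227 "):
        kind = "PASV"
    else:
        return None
    m = HOSTPORT.search(text)
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if max(fields) > 255:
        raise ValueError("host/port field above 255: " + text)
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return kind, ip, fields[4] * 256 + fields[5]   # port = p1*256 + p2


def verdict(kind, ip, control_peer, client_is_internal):
    """Label what the announced data endpoint depends on (hypothetical labels)."""
    if is_rfc1918(control_peer):
        return "ok"                    # assumed: private control peer, no NAT in path
    if is_rfc1918(ip):
        return "needs-rewrite"         # private address announced to a public peer
    if kind == "PASV" and client_is_internal and ip == control_peer:
        return "needs-nat-reflection"  # LAN client dialing the WAN address for data
    if kind == "PASV":
        return "needs-forward"         # data port must be passed in to the server
    return "ok"


def analyze(lines, control_peer, client_is_internal):
    """Return (kind, ip, port, verdict) for every PORT/227 line in a client log."""
    peer = ipaddress.IPv4Address(control_peer)
    rows = []
    for line in lines:
        parsed = parse_endpoint(line)
        if parsed:
            kind, ip, port = parsed
            rows.append((kind, str(ip), port,
                         verdict(kind, ip, peer, client_is_internal)))
    return rows


# Constructed sample shaped like the client logs in this thread.
SAMPLE = """\
PASV
227 Entering Passive Mode (203,0,113,10,212,128)
LIST
PORT 192,168,1,125,65,219
501 Server cannot accept argument.
Command: PORT 192,168,1,100,78,38
Response: 200 PORT command successful.
""".splitlines()

if __name__ == "__main__":
    for row in analyze(SAMPLE, "203.0.113.10", client_is_internal=True):
        print(row)
```
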



  • Thanks for testing the FTP, I had already enabled "NAT Reflection for port forwards" and "NAT Reflection for 1:1 NAT".

    Sorry I was lazy enough to actually go outside and check the FTP from somewhere other than my own place :(

    I have tested forwarding the same port from CISCO Routers, and they seem to work locally too… any possible solution on making it work within the same IP range?



  • I have a similar problem. FTP server is behind pfSense NAT in LAN. I have already tried turning on and off TFTP proxy helper for LAN/WAN but still no success. For now I have NAT rule x.x.x.x:47020 -> 192.168.2.80:21. I can connect control channel but can't connect passive ports. WAN IP is dynamically assigned so no resolve_passive_ip or similar possible(?).

