FTP problems



  • Hey guys

    I'm newish to pfSense and we went from a single connection box to using the LB. Ever since then I can't connect via FTP.

    We have 2 ADSL connections which are connected via 2 modems that are using NAT, and we have two WAN interfaces ("WAN" and "TPG") with local IPs (10.10.20.1, 10.10.30.1).

    I've tried creating rules to force FTP traffic (Ports 20 & 21) and any traffic between ports 1024:65535 through a specific interface.

    I've also turned the FTP proxy thing in the Interfaces menu on and off for all the interfaces.

    When I ftp out, the client netstat table just shows SYN_SENT on port 21.

    At the moment, our TPG connection is temperamental so we have disabled the LB. FTP is still not working.

    Some of my rules have been omitted from these lists; if you think they might be relevant, please let me know.

    Here is my WAN rule table:
    Proto    Source  Port       Destination   Port           Gateway  Description
    TCP/UDP  *       *          10.10.10.10   873            *        NAT RSYNC -> NAS
    TCP      *       *          10.10.10.253  25 (SMTP)      *        NAT Mail -> Proxy
    TCP      *       *          10.10.10.6    22 (SSH)       *        NAT iiNET SSH -> Tintin
    TCP      *       *          10.10.10.9    3389 (MS RDP)  *        NAT iiNET RDP -> XP
    TCP      *       80 (HTTP)  10.10.10.6    80 (HTTP)      *        NAT iiNet Web -> Tintin

    Here is my TPG rule table:

    Proto    Source  Port  Destination   Port      Gateway  Description
    TCP      *       *     10.10.10.253  22 (SSH)  *        NAT iiNET SSH -> Proxy
    TCP/UDP  *       *     10.10.10.10   873       *        NAT RSYNC -> NAS

    Here is my LAN rule table:

    Proto    Source        Port  Destination     Port           Gateway  Description
    UDP      *             *     *               27000 - 27020  iiNet    STEAM (UDP) -> iiNet
    TCP      *             *     208.113.148.18  *              iiNet    Dreamhost -> iiNet
    TCP      *             *     203.59.27.133   *              iiNet    ftp.iinet.net.au -> iiNet
    TCP      *             *     *               21 (FTP)       iiNet    FTP -> iiNet
    TCP      *             *     *               1024 - 65535   iiNet    Everything -> iiNet
    TCP      *             *     *               20             iiNet    FTP data -> iiNet
    TCP      *             *     203.59.27.13    *              iiNet    games.iinet.net.au -> iiNet
    TCP      *             *     *               25 (SMTP)      iiNet    Mail -> iiNet
    ICMP     *             *     *               *              iiNet    ICMP
    ICMP     *             *     *               *              TPG      ICMP
    TCP      *             *     *               443 (HTTPS)    iiNet    LAN -> HTTPS -> iiNet
             LAN net       *     10.10.20.0/24   *              iiNet    LAN -> iiNet ADSL Modem
             LAN net       *     10.10.30.0/24   *              TPG      LAN -> TPG ADSL Modem
    TCP      LAN net       *     *               *              iiNet    iiNet/TPG LoadBalancer
    TCP/UDP  10.10.10.253  *     *               161 (SNMP)     *        Nagios -> SNMP

    Here is my NAT table:

    If   Proto    Ext. port  NAT IP                           Int. port  Description
    TPG  TCP/UDP  873        10.10.10.10 (ext.: 10.10.30.1)   873        RSYNC -> NAS
    WAN  TCP/UDP  873        10.10.10.10 (ext.: 10.10.20.1)   873        RSYNC -> NAS
    WAN  TCP      25 (SMTP)  10.10.10.253 (ext.: 10.10.20.1)  25 (SMTP)  Mail -> Proxy
    WAN  TCP      22 (SSH)   10.10.10.6 (ext.: 10.10.20.1)    22 (SSH)   iiNET SSH -> Tintin
    TPG  TCP      22 (SSH)   10.10.10.253 (ext.: 10.10.30.1)  22 (SSH)   TPG SSH -> Proxy
    WAN  TCP/UDP  80 (HTTP)  10.10.10.9 (ext.: 10.10.20.1)    80 (HTTP)  Web -> Tintin



  • When using multi-WAN, FTP will only work if you add a firewall rule at LAN to send all traffic to destination 127.0.0.1 to the default gateway and enable the FTP helper at LAN. FTP traffic will only work on the original WAN interface then.



  • For the FTP port? When you said default GW, do you mean the gateway item "Default", or "LB"?

    So would the rule look like this? :

    TCP  *  *  *  21 (FTP)  *  FTP



  • Please reread more closely ;)
    At Firewall > Rules, LAN, very top of the rules: any protocol, any source, destination 127.0.0.1, gateway "default".

    Save, apply, and maybe reset states if it does not work immediately.



  • I read your post, I just didn't fully understand what to do.

    I've done that. When you say enable the FTP helper on the LAN interface, do you mean make sure this thing is unticked?:

    FTP Helper Disable the userland FTP-Proxy application



  • Right, the logic is reversed. It should be running on LAN, so don't disable it ;)



  • OK - it works, thanks very much :)

    Is this FTP helper anything like the iptables conntrack_ftp module?



  • FTP uses more than one port. The proxy is dynamically opening ports by listening to what ports the client and the server request/assign. If the proxy is not in use, it's most likely that the different ports that belong to the same session are getting balanced, which will break stuff as the source IPs for the same session are different. As the proxy is living on 127.0.0.1, you have to make sure with that rule that the FTP traffic reaches the proxy and is not sent out directly to one of the WANs.
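As an added illustration of that explanation (not part of the thread): the data port an FTP server announces in a PASV/EPSV reply is a high port negotiated per session, and a check over per-connection records flags sessions whose control and data legs left through different WAN addresses, which is exactly the breakage the helper prevents. The flows and server addresses are constructed sample data.

```python
import re
from typing import NamedTuple

# Reply formats from RFC 959 (PASV, code 227) and RFC 2428 (EPSV, code 229).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) announced in a 227 reply. The data port is
    p1*256 + p2, a high port that is never 20 or 21, which is why rules
    pinned to those two ports cannot steer the data channel."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_epsv(reply: str) -> int:
    """Return the data port announced in a 229 EPSV reply."""
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(1))

class Flow(NamedTuple):
    session: str   # FTP session the connection belongs to
    kind: str      # "control" or "data"
    wan_ip: str    # firewall WAN address the connection left through
    dst_port: int

def split_sessions(flows: list[Flow]) -> list[str]:
    """Return sessions whose data leg left through a different WAN address
    than the control leg. The server then sees two source IPs for one
    session and the transfer fails; the FTP helper keeps both legs on the
    same WAN so this cannot happen."""
    control = {f.session: f.wan_ip for f in flows if f.kind == "control"}
    return sorted({f.session for f in flows
                   if f.kind == "data" and control.get(f.session) != f.wan_ip})

# Constructed sample: session A stays on one WAN, session B is balanced across
# both WAN interface addresses the poster listed.
SAMPLE_FLOWS = [
    Flow("A", "control", "10.10.20.1", 21),
    Flow("A", "data", "10.10.20.1", parse_pasv("227 Entering Passive Mode (203,0,113,5,195,80)")[1]),
    Flow("B", "control", "10.10.20.1", 21),
    Flow("B", "data", "10.10.30.1", parse_epsv("229 Entering Extended Passive Mode (|||50001|)")),
]
```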



  • Thanks for that - very helpful.

    While I've got you here, quick question - is there any way we can get Nagios to monitor pfSense? I've looked around but the SNMP stuff seems mostly performance & stats related.

    Thanks

