FTP and VIPs and getting it to work



  • Hi guys,

    Thanks goes out to all the guys that helped with the development of PFSense. Nice job!

    Just one small thing…I never knew that getting inbound FTP working could be so hard! Active or passive!  :o

    I'm using PFSense-1.0.1 and have a few questions relating to FTP, NAT, Virtual IPs and the userland FTP-Proxy.
    OK. So where do I start?

    My setup:

    5 public IPs mapped to 5 private IPs by a router at the edge of my network. All ports are forwarded from the public to the private IPs.

    1. xxx.xxx.xxx.x38 -> 192.168.100.2
    2. xxx.xxx.xxx.x39 -> 192.168.100.3
    3. xxx.xxx.xxx.x40 -> 192.168.100.4
    4. xxx.xxx.xxx.x41 -> 192.168.100.5
    5. xxx.xxx.xxx.x42 -> 192.168.100.6

    The 1st IP is assigned to the WAN interface of PFSense. The others are set up as virtual IPs (CARP), not ARP-Proxy (from posts I have read this seems to be the better option?). A server will be assigned to each IP. At the moment I'm using two servers and I'm using NAT to port forward various ports to each internal address.

    The internal addresses are 192.168.102.2 and 192.168.102.3 (PFSense is 192.168.102.1 on the OPT1 interface). Port forwarding for everything (except FTP) works GREAT! ;D Even when I'm using the Virtual IPs. It might be worth mentioning that all these servers are attached to the OPT1 interface, but some servers will later be attached to the LAN interface too. After completion I will have 2 servers running FTP.

    The problem comes in with FTP. When I port forward 21 to 192.168.102.2 using "any" as the external address, Active FTP works OK for the 1st public IP xxx.xxx.xxx.x38 only. The virtual IPs don't work. If I change the external address to one of the VIPs, FTP still doesn't work for the virtual IPs, and it also stops working on the 1st IP too.

    Here is as far as I get: (from my FTP client)

    Status: Connecting to [IP removed] …
    Status: Connected with [IP removed]. Waiting for welcome message…
    Response: 220-Microsoft FTP Service
    Response: 220 Company name FTP
    Command: USER ftp-client
    Response: 331 Password required for ftp-user.
    Command: PASS *********
    Response: 230-Welcome to the Company name FTP Server
    Response: 230 User ftp-user logged in.
    Command: SYST
    Response: 215 Windows_NT
    Command: FEAT
    Response: 211-FEAT
    Response:     SIZE
    Response:     MDTM
    Response: 211 END
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/ftp-client" is current directory.
    Command: TYPE A
    Response: 200 Type set to A.
    Command: PORT 192,168,77,16,193,68
    Response: 200 PORT command successful.
    Command: LIST
    Response: 150 Opening ASCII mode data connection for /bin/ls.

    At this point it just stops. It just doesn't seem to get the directory listing, and I'm guessing that it has something to do with the port 20 connection coming back.

    I don't know what I'm doing wrong though. This setup should work just fine???

    I haven't even started trying to get passive FTP working...

    I noticed that there is the "userland FTP-Proxy" option for each interface. I have disabled it on all interfaces because when it is enabled I can't even open a connection to port 21. What does the userland FTP-Proxy do, and could it help me with my problem? If so, where should I enable it? On my WAN or OPT1 interface?

    Thanks in advance!
    H ???



  • This is an old post but for Search reasons, I thought I would reply.

    ProxyARP and 1 to 1 NAT do not appear to work for FTP in this case. There are several articles on the forums and on the net about the issues with the FTP helper.

    1.  Configure the VIP and then create CARP NAT.  Don't worry that you aren't doing true failover - it can work with 1 IP.
    2.  Configure Port Forwarding and forward FTP to internal server.
    3.  Configure rules on WAN interface to internal server.

    Worked like a charm for me.

