FTP several internal LAN



  • Hi

    pfSense (2.1 release, amd64) with 3 interfaces: WAN, LAN, OPT1
    FTP server in LAN, published to WAN and accessible from OPT1 too.
    Standard FW rule: allow from all to LAN port ftp (21)
    From WAN and LAN everything works fine, but not from OPT1. It appears to connect, I enter login/password, the server accepts it, and then:
    PORT 200 command successful
    LIST
    and the connection hangs.
    Tried both active/passive, same result.
    If I additionally open the dynamic ports from OPT1 to LAN, the connection works.

    Seems like that: http://forum.pfsense.org/index.php/topic,31983.0.html

    Thx for your help.


  • LAYER 8 Global Moderator

    What are your rules on OPT1?  And what are your rules on LAN?

    Both of these rules can come into play, since whether you're using active or passive determines which direction the data connection is started from.



  • Hi
    Thx for your answer!

    I use a Floating rule (interfaces LAN, OPT1, "Apply the action immediately on match" is enabled):
    from InsideNets to InsideNets allow ftp(21)

    InsideNets is an alias for both the LAN and OPT1 networks:
    172.16.1.0/24
    192.168.1.0/24


  • LAYER 8 Global Moderator

    Port 21 is the CONTROL channel – what about the data connection?

    Now if your client is using active, it will tell the ftp server "hey, connect to me on port X" with a PORT command.  The ftp server will create a connection to the client from port 20 to some random port that the client told the server to connect to.

    In passive, the ftp server will say "hey, connect to me on port X" in reply to the PASV command.  The client will then connect from some random high port to whatever port the server said to use.

    So you need to understand that depending on what you're using, the connection will start from 2 different directions and will use random ports.

    Your rule for 21 is great for the control channel - but you need to allow the data channel or you're never going to actually move any files back and forth.

    I really suggest you read http://slacksite.com/other/ftp.html to understand how ftp works depending on whether you're using active or passive.



  • Thx for your answer!
    Yes, I know about FTP ports, active/passive modes etc.
    But afaik pfSense has an ftp-helper in the kernel and all I need is to open the ftp protocol; this helper will do all the other work: open dynamic ports for the data channel, for example. Is that wrong!? (An ftp-helper is a very common feature in most network devices/software like ISA, Cisco etc.)

    And one more thing: I have published the ftp server to the internet (WAN) in exactly the same manner.
    WAN interface rule:
    from any to FTPServer allow ftp(21)
    This works fine … why? (I haven't got NAT - pfSense is our internal router)


  • LAYER 8 Global Moderator

    Yes there is a helper, but I don't believe it would run between lan segments?  Since you're not doing nat, you want the helper to open your ports for you?

    Since you're not using nat, I would just suggest you use active, and allow a firewall rule from source port 20 into the interface your server is talking on.

    Without seeing your rules between your interfaces I don't know what you have that is wrong..

    So for example from my wlan segment to my lan segment.  If I open up 21 to my ftp server on the lan from wlan.. Since my lan rules are any any.. the ftp server would have no issues creating the connection to whatever port the client said to use.

    But with passive - the server says "hey client, connect to me on port X".. Well, there is no X open from wlan to lan, so yes, you would need a helper to open that, or you would have to create rules that say wlan can create connections into the lan ftp server IP on whatever ports your ftp server uses for passive connections.

    Again I find it unlikely that the ftp helper would run between lan segments - which is where you're having issues.



  • @johnpoz:

    I don't believe it would run between lan segments?

    WAN, LAN, OPT1, OPT2 etc. are the same network segments in pfSense logic (and the same in all other network devices like Cisco). The difference is only logical; you can split into as many LAN/WAN/OPT as your device/software can handle.
    Or is there an official note that the ftp-helper works only between WAN and LAN? I didn't see it.

    @johnpoz:

    Since you're not doing nat, you want the helper to open your ports for you?

    Yes, and it does. As I said, it does it very well between my WAN and LAN when only ftp(21) is opened.

    @johnpoz:

    Since you're not using nat, I would just suggest you use active, and allow a firewall rule from source port 20 into the interface your server is talking on.

    I use both modes but mostly passive, of course. Clients mostly work from behind NAT and they can't use active ftp.

    @johnpoz:

    Without seeing your rules between your interfaces I don't know what you have that is wrong..

    Try to do:
    from WAN to FTPserver allow ftp(21)
    from WAN to any deny all
    The ftp server works fine (passive) - so the ftp helper works too…!?

    So for example from my wlan segment to my lan segment.  If I open up 21 to my ftp server on the lan from wlan.. Since my lan rules are any any.. the ftp server would have no issues creating the connection to whatever port the client said to use.

    @johnpoz:

    Again I find it unlikely that the ftp helper would run between lan segments - which is where you're having issues.

    Maybe, of course, but what is the reason for this? There is no difference for the ftp-helper which connection it translates: WAN/LAN or LAN/OPT … imho


  • LAYER 8 Global Moderator

    "WAN, LAN, OPT1, OPT2 etc. are the same network segments in pfSense logic"

    Not sure where you got that idea from?

    https://doc.pfsense.org/index.php/Outbound_NAT
    The default "Automatic" scenario is to have all traffic that enters from a LAN (or LAN type) interface to have NAT applied so it is translated to the WAN IP address before it leaves.

    For static IP configurations, an interface is considered a WAN by the presence of a gateway on the interface's settings, e.g. Interfaces > OPT1. Having a gateway defined under System > Routing is not enough, it must also be selected on the interface configuration, or it will not be considered a WAN for NAT or other purposes.

    Maybe it's because I have been using pfSense for so many years?  But to pfSense there is a difference between wan and lan interfaces - it only applies NAT to interfaces it thinks are WAN type interfaces.  And AFAIK it only runs the ftp helper between lan and wan interfaces doing nat.

    So it makes no sense that it should run between lan interfaces.  Maybe someone can chime in that knows 100%.  But that is my understanding of how pfSense works.

    pfSense clearly makes a distinction between wan and lan interfaces that is given by just installing it.



  • Thx for your answer!

    Maybe I'm wrong about the network concept of pfSense, but anyway I cannot find any official notes about the ftp-helper …
    https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense
    Afaik there was a checkbox in earlier versions of pf and it was able to enable the ftp-helper on all interfaces? This checkbox is now not present as the ftp-helper is in the kernel ..? Strange...

    And this error is very similar to this thread:
    http://forum.pfsense.org/index.php/topic,31983.0.html
    In this thread there is no mention that the ftp-helper doesn't work between LAN segments ...


  • LAYER 8 Global Moderator

    Where in that thread was he going lan to lan - he was outside his wan from what I recall of that thread.  Clearly he did not understand how ftp works if he is forwarding port 20.

    As to sim - I agree, people seem to have an issue with the basic concept of how ftp works ;)  And it's back from 2011 – I would have hoped ftp would be dead by now.

    Why don't you just sftp ;)



  • Thx for your answers.

    @johnpoz:

    Where in that thread was he going lan to lan - he was outside his wan from what I recall of that thread.

    Hm.. yes, from WAN to OPT1 … I was just thinking that it doesn't matter which interface is used, as the ftp-helper must work on all interfaces.
    Anyway, is there any chance to get an official answer about the ftp-helper and how it works on interfaces in 2.x versions of pfSense?

    @johnpoz:

    And it's back from 2011 – I would have hoped ftp would be dead by now. Why don't you just sftp ;)

    Simple FTP is supported by most built-in file managers in OSes (like Windows Explorer, for example) and most internet browsers. And it is not so simple to change it to other software on the client side. This is the reason why most companies use both ftp and sftp/ftps.
    PS: we use ftps as we have an MS IIS ftp server here.


  • LAYER 8 Global Moderator

    "PS we use ftps as we have got here MS IIS ftp server."

    Well, doing so again will break any sort of FTP helper, since the info the helper would need is inside an encrypted session that it cannot see..

    It's clear the ftp helper does not work between lan interfaces from your very issue ;)  If using ftps the helper cannot work even if it's wan to lan and the helper is active.

    If normal ftp from wan to lan - the helper can change your private ftp server's IP to the public IP and open up the ports required for passive connections.

    If lan to lan there is no nat and no need to change IP; yes, you would need the correct rules to allow the traffic, be it passive or active.  Create them and your issue is gone.

    ftps from wan to lan is going to be a problem because the helper cannot function because the traffic is encrypted.  So you would need to make sure the ftp server gives out its public IP if passive and create the rules needed for passive to work.  Or just use active.  Where you can run into issues with ftps and active connections is if the client is behind a nat.. Their helper cannot change their private IP to the public - so the ftp server cannot make the data connection back to them.



  • @johnpoz:

    "PS we use ftps as we have got here MS IIS ftp server."

    Well, doing so again will break any sort of FTP helper, since the info the helper would need is inside an encrypted session that it cannot see..

    It's clear the ftp helper does not work between lan interfaces from your very issue ;)  If using ftps the helper cannot work even if it's wan to lan and the helper is active.

    If normal ftp from wan to lan - the helper can change your private ftp server's IP to the public IP and open up the ports required for passive connections.

    If lan to lan there is no nat and no need to change IP; yes, you would need the correct rules to allow the traffic, be it passive or active.  Create them and your issue is gone.

    ftps from wan to lan is going to be a problem because the helper cannot function because the traffic is encrypted.  So you would need to make sure the ftp server gives out its public IP if passive and create the rules needed for passive to work.  Or just use active.  Where you can run into issues with ftps and active connections is if the client is behind a nat.. Their helper cannot change their private IP to the public - so the ftp server cannot make the data connection back to them.

    Thx for your answers.
    Yes, I know that the ftp helper will not work with ftps because of the encryption … But I have got an additional external static IP and will do 1:1 NAT for this purpose. The only thing I'm confused about: how to publish both the ftp and ftps protocols to the same server!? Afaik I will need to disable the ftp helper for ftps ... but it is needed for simple ftp ... (I cannot publish it over non-standard ports)


  • LAYER 8 Global Moderator

    "But I have got an additional external static IP and will do 1:1 NAT for this purpose"

    How does 1:1 NAT solve your problem?  Other than just sending ALL unsolicited traffic to your ftp server - sounds like a REALLY bad idea to me ;)  This works for passive - but how would it work with active if your ftps client is sending private IPs because he is behind a NAT?

    If you want passive to work with no helper, it is very simple.  You need your ftp server to hand out its public IP address..  See below example of this setting.  Along with using a specific port range that you forward to the ftp server.

    For active you just make sure that source port 20 is allowed outbound to any port it wants.

    As to running both normal ftp and ftps – most ftp servers allow this; they are different ports and the server should be able to listen on both at the same time.
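    Added example, not code from this thread or from pfSense: the data-channel bookkeeping johnpoz describes above (active = server connects from port 20 to the port the client named in PORT; passive = client connects to the port the server named in its 227 reply), plus the two things a NAT FTP helper does that the later posts rely on: rewriting the server's private address in the 227 reply to the public one, and flagging the failure case where the address a peer announces is not the address its control session came from (a client behind NAT sending a private IP in PORT). The client/server addresses, the control-channel lines and the pf-style rule wording are all constructed for illustration; none of it is a pfSense rule export.

```python
"""Which side opens the FTP data connection, and what pinhole it needs.

Added example, not code from this thread or from pfSense. The control-channel
lines and addresses below are constructed; the rule text is pf-style wording
for illustration, not a pfSense rule export.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines: client 172.16.1.50 on OPT1, server 192.168.1.10 on LAN.
SAMPLE_PORT = "PORT 172,16,1,50,195,81"                          # client offers 195*256+81 = 50001
SAMPLE_PASV = "227 Entering Passive Mode (192,168,1,10,196,52)"  # server offers 196*256+52 = 50228

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959).
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Tuple[str, int]:
    """Decode the address/port tuple; the port is p1*256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError(f"value out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = parts
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class DataChannel:
    mode: str                # "active" or "passive"
    initiator: str           # "server" (active) or "client" (passive)
    src_ip: str
    src_port: Optional[int]  # 20 for active; None = ephemeral high port for passive
    dst_ip: str
    dst_port: int
    addr_mismatch: bool      # announced address != the peer the control session came from


def data_channel(line: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Map one control-channel line to the data connection it sets up.

    Active:  client sends PORT; the server connects from port 20 to the client.
    Passive: server sends 227; the client connects from a high port to the server.
    addr_mismatch flags the NAT failure mode: a client behind NAT announcing a
    private address in PORT, or a server announcing its private address in 227.
    """
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        return DataChannel("active", "server", server_ip, 20, ip, port, ip != client_ip)
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        return DataChannel("passive", "client", client_ip, None, ip, port, ip != server_ip)
    return None  # USER, PASS, LIST, ... set up no data connection


def pinhole_rule(ch: DataChannel, in_iface: str) -> str:
    """The rule the data connection needs on the interface where it ENTERS the
    firewall: the server's interface for active, the client's interface for passive."""
    sport = f"port {ch.src_port}" if ch.src_port is not None else "port > 1023"
    return (f"pass in on {in_iface} proto tcp from {ch.src_ip} {sport} "
            f"to {ch.dst_ip} port {ch.dst_port}")


def rewrite_pasv(line: str, private_ip: str, public_ip: str) -> str:
    """What a NAT FTP helper does to a 227 reply: swap the server's private
    address for the public one. Left untouched if the reply names another host."""
    ip, port = parse_hostport(line)
    if ip != private_ip:
        return line
    public_tuple = ",".join(public_ip.split(".")) + f",{port // 256},{port % 256}"
    return _TUPLE.sub(public_tuple, line, count=1)


if __name__ == "__main__":
    client, server = "172.16.1.50", "192.168.1.10"
    for line, iface in ((SAMPLE_PORT, "LAN"), (SAMPLE_PASV, "OPT1")):
        ch = data_channel(line, client, server)
        print(f"{line!r}: {ch.mode}, {ch.initiator} connects -> {pinhole_rule(ch, iface)}")
    # Server published to WAN behind NAT: the helper rewrites the 227 reply.
    print(rewrite_pasv(SAMPLE_PASV, server, "203.0.113.7"))
    # Client behind NAT announcing its private address: the server cannot reach it.
    print(data_channel("PORT 10,0,0,5,4,1", "203.0.113.9", server).addr_mismatch)
```

    Run it as-is to see the two rules the OPT1-to-LAN case needs (one into LAN from source port 20 for active, one into OPT1 towards the server's passive port for passive); with no helper between internal interfaces, those are exactly the rules that have to exist by hand, and for ftps the control channel is opaque so nothing can derive them at run time.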


