Netgate Discussion Forum

    FTP to IPv6 sites is not working

      mskufca

      Hi,

      I have a pfSense 2.1 box in HA with CARP. Multiple LAN, single WAN. Dual stack IPv4 and IPv6. Native IPv6 internet connection. All working perfectly … but (there is always a but :-) ).
      I have noticed that clients have a problem connecting to FTPv6 public sites. This means a client with dual stack IPv4 and IPv6 cannot connect to a public IPv6-available FTP server. The client in this case prefers a native IPv6 connection to the FTP server.
      The same connection goes perfectly with an IPv4-only client (or if you prefer IPv4 connectivity in a dual stack client).
      There is nothing popping up in the firewall logs. So I'm a bit stuck here.
      I did some playing around with the ftpproxy setting, but changing it from the default resulted in breaking IPv4 connectivity as well, rather than resolving this issue.

      Does anyone have any suggestion or idea how to resolve this? Any help would be appreciated.

      Thanks
      m.

        johnpoz LAYER 8 Global Moderator

        So you're saying a client on your network using a native IPv6 address cannot connect to a public ftp server via ipv6?

        Are you trying active or passive connection?  Off the top I don't know of any public ipv6 enabled ftp servers - if you list one you're trying to access I will attempt it using my ipv6 connection and see what might be your issue.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          mskufca

          Hi,

          I think default ftp access is passive mode.
          IPv6 ftp site : ftp.arnes.si
          This is the exact site where I have noticed this error.
          I have checked with the provider of this site and I have 100% assurance that it is working on IPv6.

          I think that pfSense ftpproxy is not working with IPv6. But I do not have any logs to back my statement up. Or I don't know where to look.

          BR
          m.

            johnpoz LAYER 8 Global Moderator

            "I think default ftp access is passive mode."

            Well that would depend on the client now wouldn't it - If I ftp from command line in windows it defaults to active.  If I type ftp on my ubuntu server it's active. Unless I use -P

            -p    Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents
                      connections from the outside world back to the client machine. Requires that the ftp server support the
                      PASV command. This is the default if invoked as pftp.

            Why do you think the ftp helper should be doing anything in pfsense on ipv6?  There is no nat in ip6 - so why would the helper be needed.

            How are you sure you're hitting the ipv6 address?  That site resolves ipv4 as well

            ftp.arnes.si.          7200    IN      A      193.2.1.88

            What I can tell you is I can connect just fine to that server via IPv6 be it passive or active. Snipped a bit out for brevity

            ---
            05:49:25 Status: Connecting to [2001:1470:8000::88]:21…
            05:49:25 Status: Connection established, waiting for welcome message...
            05:49:25 Response: 220-
            05:49:25 Response: 220-  Hello!
            05:49:25 Response: 220-
            05:49:25 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with

            05:49:26 Response: 230 Login successful.

            05:49:26 Status: Connected
            05:49:26 Status: Retrieving directory listing...
            05:49:26 Command: PWD
            05:49:27 Response: 257 "/"
            05:49:27 Command: TYPE I
            05:49:27 Response: 200 Switching to Binary mode.
            05:49:27 Command: EPSV
            05:49:27 Response: 229 Entering Extended Passive Mode (|||24597|)
            05:49:27 Command: LIST
            05:49:27 Response: 150 Here comes the directory listing.
            05:49:27 Response: 226 Directory send OK.
            05:49:27 Status: Directory listing successful
            ---

            active with the right firewall rule to allow the traffic.


            05:53:22 Status: Connecting to [2001:1470:8000::88]:21…
            05:53:22 Status: Connection established, waiting for welcome message...
            05:53:23 Response: 220-
            05:53:23 Response: 220-  Hello!
            05:53:23 Response: 220-
            05:53:23 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with
            05:53:23 Response: 220-  your E-mail address as the password to access the archive.

            05:53:23 Response: 220
            05:53:23 Command: USER anonymous
            05:53:23 Response: 331 Please specify the password.
            05:53:23 Command: PASS **************
            05:53:23 Response: 230 Login successful.

            05:53:24 Status: Connected
            05:53:24 Status: Retrieving directory listing...
            05:53:24 Command: PWD
            05:53:24 Response: 257 "/"
            05:53:24 Command: TYPE I
            05:53:24 Response: 200 Switching to Binary mode.
            05:53:24 Command: EPRT |2|2001:xx:xx:xx::666|2309|
            05:53:24 Response: 200 EPRT command successful. Consider using EPSV.
            05:53:24 Command: LIST
            05:53:24 Response: 150 Here comes the directory listing.
            05:53:25 Response: 226 Directory send OK.
            05:53:25 Status: Directory listing successful
            05:53:29 Status: Retrieving directory listing…
            05:53:29 Command: CWD arnes
            05:53:29 Response: 250 Directory successfully changed.
            05:53:29 Command: PWD
            05:53:29 Response: 257 "/arnes"
            05:53:29 Command: EPRT |2|2001:xx:xx:xx::666|2310|
            05:53:29 Response: 200 EPRT command successful. Consider using EPSV.
            05:53:29 Command: LIST
            05:53:30 Response: 150 Here comes the directory listing.
            05:53:30 Response: 226 Directory send OK.
            05:53:30 Status: Directory listing successful
            ---

            If I don't allow the unsolicited traffic that would be coming from the ftp server in an active mode connection it would fail..  So added this rule real quick to open my ipv6 client up.

            Now what I noticed is that the source port for the active connection to my ports that I sent in the EPRT (port command for ipv6 ftp) is not 20, now normally in ipv4 ftp in active the source is 20..  But it seems with this ftp server when I tell it hey come connect to me in an active connection his source port is random?  But if you allow the traffic for your ipv6 it works fine.

            You need to know if you're doing active or passive, allow the rules if active.  And double check your own ipv6 connection.  I use HE to tunnel since not real happy with comcast native as of yet and pfsense - and tracking seems to change the ipv6 range you get all the time..  Guess could prob filter out one of their dhcp servers.. But anyway clearly you can see that site works fine with ipv6.  And pfsense allows it just fine - there would be no helper in IPv6 to change anything.  Look at your firewall log and see what is not working.


            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11
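
Added example, not part of the original posts: a small Python parser for client logs in the format quoted above that reads the EPRT command and the 229 reply to EPSV (RFC 2428) and reports which side opens each data connection, and therefore whether the firewall in front of the client needs an inbound pass rule. The function names are hypothetical, and the sample client address from the documentation prefix 2001:db8::/32 is constructed to stand in for the redacted one.

```python
import ipaddress
import re

# Constructed sample: control-channel lines in the format quoted in the thread.
# 2001:db8:0:1::666 (documentation prefix) stands in for the redacted client.
SAMPLE_LOG = """\
05:49:27 Command: EPSV
05:49:27 Response: 229 Entering Extended Passive Mode (|||24597|)
05:53:24 Command: EPRT |2|2001:db8:0:1::666|2309|
05:53:24 Response: 200 EPRT command successful. Consider using EPSV.
05:53:29 Command: EPRT |2|2001:db8:0:1::666|2310|
"""
SERVER = "2001:1470:8000::88"  # control-connection peer from the thread's log

# RFC 2428: "EPRT <d><net-prt><d><net-addr><d><tcp-port><d>"; the 229 reply
# to EPSV carries "(<d><d><d><tcp-port><d>)". <d> is usually "|".
EPRT_RE = re.compile(r"Command: EPRT (.)([12])\1(.+?)\1(\d{1,5})\1\s*$")
EPSV_RE = re.compile(r"Response: 229 .*\((.)\1\1(\d{1,5})\1\)")


def _flow(mode, initiator, dst, port):
    if not 0 < port < 65536:
        raise ValueError(f"port {port} out of range")
    # Only active mode has the server connecting back to the client, so only
    # then must the firewall in front of the client pass a new inbound flow.
    return {"mode": mode, "initiator": initiator, "dst": dst,
            "dst_port": port, "needs_inbound_rule": mode == "active"}


def data_connections(log, server):
    """Return one dict per data connection negotiated in a client log."""
    flows = []
    for line in log.splitlines():
        m = EPRT_RE.search(line)
        if m:
            _, proto, addr, port = m.groups()
            ip = ipaddress.ip_address(addr)  # ValueError if malformed
            if ip.version != {"1": 4, "2": 6}[proto]:
                raise ValueError(f"EPRT net-prt {proto} does not match {addr}")
            flows.append(_flow("active", "server", str(ip), int(port)))
            continue
        m = EPSV_RE.search(line)
        if m:
            flows.append(_flow("passive", "client", server, int(m.group(2))))
    return flows


if __name__ == "__main__":
    for f in data_connections(SAMPLE_LOG, SERVER):
        print(f)
```

As the post above observed, the server's source port for the active data connection was not 20, so an inbound rule for the EPRT case should not be keyed on source port 20.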

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.