FTP to IPv6 sites is not working

mskufca

Hi,

I have pfSense 2.1 box in HA with CARP. Multiple LAN, single WAN. Dual stack IPv4 and IPv6. Native IPv6 internet connection. All working perfectly … but (There is always but :-) ).
I have noticed that clients have problem connecting to FTPv6 public sites. This means client with dual stack IPv4 and IPv6 cannot connect to public IPv6 available FTP server. Client in this case prefers native IPv6 connection to FTP server.
The same connection goes perfectly with IPv4 only client (or if you prefer IPv4 connectivity in dual stack client).
There is nothing popping up in firewall logs. So I'm a bit stuck here.
I did some playing around with ftpproxy setting, but change from default resolved in brake of IPv4 connectivity also rather that resolving this issue.

Does someone has any suggestion or idea how to resolve this. Any help would be appreciated.

Thanx
m.

johnpoz

So your saying a client on your network using a native IPv6 address can not connect to a public ftp server via ipv6?

Are you trying active or passive connection?  Of the top I don't know of any public ipv6 enabled ftp servers - if you list one your trying to access I will attempt it using my ipv6 connection and see what I see might be your issue.

mskufca

Hi,

I think deafult ftp access is passive mode.
IPv6 ftp site : ftp.arnes.si
this is exact site that I have noticed this error.
I have checked with provider of this site and I have 100% assurance that is working on IPv6.

I think that pfSense ftpproxy is not working with IPv6. But I do not have any logs to back my statement up. Or I don't know where to look.

BR
m.

johnpoz

"I think deafult ftp access is passive mode."

Well that would depend on the client now wouldn't it - If I ftp from command line in windows defaults to active.  If I type ftp on my ubuntu server its active. Unless I use -P

-p    Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents con‐
          nections from the outside world back to the client machine. Requires that the ftp server support the
          PASV command. This is the default if invoked as pftp.

Why do you think ftp helper should be doing anything in pfsense on ipv6?  There is no nat in ip6 - so why would the helper be needed.

How are you sure your hitting the ipv6 address?  That site resolves ipv4 as well

ftp.arnes.si.          7200    IN      A      193.2.1.88

What I can tell you is I can connect just fine to that server via IPv6 be it passive or active. Snipped a bit out for brevity

–--
05:49:25 Status: Connecting to [2001:1470:8000::88]:21…
05:49:25 Status: Connection established, waiting for welcome message...
05:49:25 Response: 220-
05:49:25 Response: 220-  Hello!
05:49:25 Response: 220-
05:49:25 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with

05:49:26 Response: 230 Login successful.

05:49:26 Status: Connected
05:49:26 Status: Retrieving directory listing...
05:49:26 Command: PWD
05:49:27 Response: 257 "/"
05:49:27 Command: TYPE I
05:49:27 Response: 200 Switching to Binary mode.
05:49:27 Command: EPSV
05:49:27 Response: 229 Entering Extended Passive Mode (|||24597|)
05:49:27 Command: LIST
05:49:27 Response: 150 Here comes the directory listing.
05:49:27 Response: 226 Directory send OK.
05:49:27 Status: Directory listing successful
–-

active with the right firewall rule to allow the traffic.

---

05:53:22 Status: Connecting to [2001:1470:8000::88]:21…
05:53:22 Status: Connection established, waiting for welcome message...
05:53:23 Response: 220-
05:53:23 Response: 220-  Hello!
05:53:23 Response: 220-
05:53:23 Response: 220-  Welcome to the ARNES archive,  Please login as `anonymous' with
05:53:23 Response: 220-  your E-mail address as the password to access the archive.

05:53:23 Response: 220
05:53:23 Command: USER anonymous
05:53:23 Response: 331 Please specify the password.
05:53:23 Command: PASS **************
05:53:23 Response: 230 Login successful.

05:53:24 Status: Connected
05:53:24 Status: Retrieving directory listing...
05:53:24 Command: PWD
05:53:24 Response: 257 "/"
05:53:24 Command: TYPE I
05:53:24 Response: 200 Switching to Binary mode.
05:53:24 Command: EPRT |2|2001:xx:xx:xx::666|2309|
05:53:24 Response: 200 EPRT command successful. Consider using EPSV.
05:53:24 Command: LIST
05:53:24 Response: 150 Here comes the directory listing.
05:53:25 Response: 226 Directory send OK.
05:53:25 Status: Directory listing successful
05:53:29 Status: Retrieving directory listing…
05:53:29 Command: CWD arnes
05:53:29 Response: 250 Directory successfully changed.
05:53:29 Command: PWD
05:53:29 Response: 257 "/arnes"
05:53:29 Command: EPRT |2|2001:xx:xx:xx::666|2310|
05:53:29 Response: 200 EPRT command successful. Consider using EPSV.
05:53:29 Command: LIST
05:53:30 Response: 150 Here comes the directory listing.
05:53:30 Response: 226 Directory send OK.
05:53:30 Status: Directory listing successful
–-

If I don't allow the unsolicited traffic that would be coming from the ftp server in a active mode connection it would fail..  So added this rule real quick to open my ipv6 client up.

Now what I noticed is that the source port for for the active connection to my ports that I sent in the EPRT (port command for ipv6 ftp) is not 20, not normally in ipv4 ftp in active source is 20..  But seems with this ftp server when I tell it hey come connect to me in an active connection his source port is random?  But if you allow the traffic for your ipv6 it works fine.

You need to know if your doing active or passive, allow the rules if active.  And double check your own ipv6 connection.  I use he to tunnel since not real happy with comcast native as of yet and pfsense - and tracking seems to change ipv6 range you get all the time..  Guess could prob filter out one of their dhcp servers.. But anyway clearly you can see that site works fine with ipv6.  And pfsense allows it just fine - there would be no helper in IPv6 to change anything.  Look at your firewall log and see what is not working.