[SOLVED] What is the *correct* workaround to get FTP servers/clients working?



  • I have just set up a dual wan system.  I have an FTP server on the LAN, and when clients try to connect through WAN1, they get stuck at listing the directory.  I understand that there is supposed to be a workaround for this, but I can't seem to find it in the docs anywhere!

    Also, from internally on the LAN, we cannot connect to external FTP sites!  Is there something obvious I'm missing here?  Do I want the FTP helper enabled or not, and do I want sticky connections enabled or not?  I keep reading conflicting info on both of these things.

    Thank you very much for any help!

    –See last post for my solution



  • http://forum.pfsense.org/index.php?PHPSESSID=b903a7605f9b25a4857f00532af54edb&topic=6938.0

    Read that thread. It will at least help you with the getting external ftp working.

    I recommend you reinstall it. I did that 3 or 4 times to ensure everything was a clean environment after all my tinkering.

    dpc



  • Thank you very much!  I was missing the step where I can specifically tell IIS (cough) which ports to open, so after doing that, and forwarding that range to the internal server, all seems to be right with the world again.



  • Hmm
    I may have screamed about my success too early.  I'm not positive that it is working yet.



  • Ok, I really need some more help here.  If anyone has any ideas, please let me know!
    As far as I can tell, I've set the rules and NAT options in the firewall without issue.  Trying to have ports 50000 - 50100 used for PASV FTP.  In IIS, the Passive Port Range is set to use these ports.

    When I look in my pfSense log, after trying to log onto an FTP site, I see that the client is trying to use a port other than 50000-50100.  Where is my problem likely to lie?

    Dec 4 14:07:20  	WAN  	70.68.x.x:56644  	192.168.10.100:21  	TCP
    

    I've also tried lower port ranges, but it really seems to make no difference.



  • Interestingly, it looks like it works perfectly when using Firefox as an FTP client.  Unfortunately, Firefox does not have an interface which allows uploading.  Can anyone think of what setting this might be in a normal FTP client?  It doesn't seem to matter whether or not I have passive mode enabled or disabled when IE6 is the FTP client.

    It also seems to work in PASV mode with CuteFTP as the client, however WinSCP and IE6 both don't work!  I have many people who rely on IE6 working with FTP, so any pointers would be greatly appreciated.



  • Ok, I found an interesting thing out today.  I opened up port 20 so that I could get active mode working, and that seems to work fine, but I figured out how to get PASV mode to work with some clients.  gFTP has an option called 'Ignore PASV address', which according to their explanation 'the remote FTP server's PASV IP address field will be ignored and the host's IP address will be used instead.  This is often needed for routers giving their internal rather than their external IP address in a PASV reply.'

    This sounds like something I should be able to fix in pfSense!  But I don't know where to begin looking…



  • Ok, so my fix for this problem was as follows:

    1: restrict PASV ports in IIS to 5500-5700
    2: ENABLE the FTP Helper app on pfSense for the WAN connection used
    3: Create a Rule on the LAN to allow 5500-5700 through, as well as 20 & 21
    4: Create a NAT rule to forward requests through 21 and 20 to the FTP server

    **Passing port 20 through will allow client machines to use Active Mode on their FTP clients, which seems to still be needed for some specific FTP Clients.  For the most part, PASV mode will work with this setup.

    For me, I am only using WAN1 for FTP, not WAN2.  If you are also using WAN2, you should be able to duplicate the rules just created for that interface.

