Passive FTP-problems with and without FTP helper

    I have been reading dozens of messages about people having FTP problems and I have yet another one without a solution.

    I'm using pfSense 2.0.2 (which I'm planning to upgrade soon to the latest version). I have a couple of FTP servers on my DMZ (which is bridged and has servers with public IP addresses). Like many other pfSense users, I also have problems with FTP transfers.

    I have opened port 21 and an extra range (41000-42000) and set the range in the FTP servers' configs.

    Situation 1: FTP Proxy Helper Enabled

    If I have the FTP Proxy Helper enabled (the default setting) I can access my FTP servers from the Internet and all other interfaces, but the connections get stuck, hang and disconnect randomly, and transferring data is extra unreliable. I can access FTP servers on the Internet just fine from the LAN and VLANs behind the pfSense.

    Situation 2: FTP Proxy Helper Disabled

    If I disable the FTP Proxy Helper I can access my DMZ-located FTP servers reliably, fast and without connection problems. Great! But now I cannot access FTP servers on the Internet outside my network from the LAN or VLANs anymore; the connection is established but breaks at the moment of doing a directory listing etc.

    Situation 2 solves my initial unreliable transfer problems but causes another major issue. Situation 1 would be ideal if the unreliable connection problem were solved.

    What should I do? Is there a reliable solution for either situation?

    I'm using Pfsense 2.0.2

    That's your problem…

    It has been a while since I have had an opportunity to investigate this problem further because of summer holidays and a major hardware upgrade in our datacenter after the holidays. The hardware upgrade is now done and we also have the latest pfSense (2.1.5) installed. Sad to say, but upgrading to the latest version did not solve the problem :(

    There have been changes to the server IP addresses and now the servers are using virtual IPs (previously they were using public IPs) and are behind NAT with 10.0.100.x addresses. This breaks the FTP transfers even further; now disabling the proxy helper prevents transfers completely. I have also tried to add the server's public IP to the pure-ftp conf so that pureftp would answer using the public IP, but that did not help.

    Is the NAT/FTP-server combination completely hopeless to get to work or is there a solution?

  • Set up a plain port forward for port 21 and your custom passive range.

    On the servers set up the passive IP to be the same as the public IP. Don't forget to set the range too. Make sure that the server's firewall allows them through.


    Are you using FileZilla and getting the random timeouts/disconnections?

  • I have it working fine for the past year using the same method that jflsakfja said.

