FTP server problem



  • Hi,

    I'm using pfSense beta2 (tried beta 1 and the previous version too) and I have a problem with the FTP server.

    My setup:

    Wan: 192.168.50.1/24 gw 192.168.50.11 VirtualIP xxx.xxx.xxx.148 / 149 / 150 / 151

    Lan: 192.168.10.0/24

    The LAN is NATed out with the .148 virtual IP; one server (the FTP one) is NATed out with .149.

    The problem is that I can access FTP server (IIS 6) only in active mode.

    If I try in passive mode I always get an error, from both WAN and LAN.

    Here is the log from the FTP client on the LAN:

    [15:51:53] PASV
    [15:51:53] 227 Entering Passive Mode (192,168,10,2,8,21).
    [15:51:53] Opening data connection to 85.18.120.149 Port: 2069
    [15:51:53] LIST -aL
    [15:52:05] 425 Can't open data connection.

    Here is the log from outside:

    [15:55:23] TYPE A
    [15:55:24] 200 Type set to A.
    [15:55:24] PASV
    [15:55:26] Server closed connection

    I tried with both FTP helpers enabled but nothing changed.

    Also, if I enable the FTP helper, when I try to connect from the LAN to any remote server it receives a wrong NATed IP (the one that appears without the virtual IP set), so my clients are refused because the IP does not match the allowed one.

    The wrong NATed IP appears only in FTP connections; for example, HTTP always reports the right IP.

    Hope that you can understand my English... I'm from Italy!

    Thanks,

    Speck



  • That is because in active mode, the server initiates the data connection to the client on port 20.
    In passive mode, the client initiates the data connection to the server on a port that the server tells it is open, which in your case is not open.
    Solution:
    Look in your FTP server's docs, find out what ports it uses for passive mode, and forward them to that IP.

    For a more in-depth explanation of active vs. passive FTP:
    http://slacksite.com/other/ftp.html



  • Thanks for your hint. I tried limiting the port range to 6000-6030 and opening that range on the firewall, but this doesn't help.

    In passive mode I don't think I need to open other ports on the firewall, because the connection is always initiated by the server, which opens a link for the client.

    Anyone with this problem?

    Thanks



  • Sorry, but you are wrong.
    In passive mode, the data connection is client initiated.
    I have perfectly working passive FTP.
    NAT forward the passive ports to your FTP server.

    Also, your FTP server may be giving its NAT'd IP address to clients.
    Post the logs.

    A passive connection works like so (basically):
    Client connects to the server on port 21 (command). Tries to download a file.
    Server responds with its IP address and the passive port that it wants the client to use.
    Client connects to that IP and port.

    Opening a range on the firewall does nothing without using NAT forwarding.



  • When I opened the range of ports on the firewall I also NATed them...

    I'll do some more tests and then I'll post logs.

    Thanks



  • Well, after mapping the port range I can connect from my LAN to my FTP server in passive mode using the external IP address; here is the log:

    [14:12:44] REST 0
    [14:12:44] 350 Restarting at 0.
    [14:12:44] PWD
    [14:12:44] 257 "/" is current directory.
    [14:12:44] TYPE A
    [14:12:44] 200 Type set to A.
    [14:12:44] PASV
    [14:12:44] 227 Entering Passive Mode (192,168,10,2,23,117).
    [14:12:44] Opening data connection to xxx.xxx.xxx.149 Port: 6005
    [14:12:44] LIST -aL
    [14:12:44] 125 Data connection already open; Transfer starting.
    [14:12:44] 149 bytes transferred. (9,70 KB/s) (15 ms)
    [14:12:44] 226 Transfer complete.

    The problem is not solved from outside:

    [14:15:44] 257 "/" is current directory.
    [14:15:44] TYPE A
    [14:15:44] 200 Type set to A.
    [14:15:44] PASV
    [14:15:51] Connessione interrotta dal software del computer host.
    [14:15:51] Server closed connection

    I really can't understand what the problem is  >:(

    I'm starting to think that maybe it is something related to my ISP.

    Maybe the way they NATed the subnet to my firewall is just wrong... although they say their setup is OK.

    Any hints?

    Thanks, Speck



  • What FTP client are you using? I have discovered some problems using the FileZilla client, which is unfortunate because all in all it is a great client, but doing some research I discovered a lot of people (myself included) had problems with it and NAT traversal (on my end, not the server).



  • I just dealt with this issue again over the weekend. I would be quite confident it is not a pfSense issue.
    Make sure that the FTP proxy is off on the WAN interface.

    As explained above, the most likely problem is that the server is sending the local IP to the client.

    Four things:

    (1) set the WAN IP as the passive IP in the FTP server
    (2) try to lock the passive port range on the server
    (3) check your WAN firewall rules (but I guess you used the auto NAT feature)
    (4) ensure ftp-proxy is disabled on WAN

    We now run most of our FTP servers on filtered bridges or non-NATed networks to stop this issue.

    Good luck; use the filter logs and the state table to help you with this one.



  • @Speck:

    Well, after mapping the port range I can connect from my LAN to my FTP server in passive mode using the external IP address; here is the log:

    [14:12:44] REST 0
    [14:12:44] 350 Restarting at 0.
    [14:12:44] PWD
    [14:12:44] 257 "/" is current directory.
    [14:12:44] TYPE A
    [14:12:44] 200 Type set to A.
    [14:12:44] PASV
    [14:12:44] 227 Entering Passive Mode (192,168,10,2,23,117).
    [14:12:44] Opening data connection to xxx.xxx.xxx.149 Port: 6005
    [14:12:44] LIST -aL
    [14:12:44] 125 Data connection already open; Transfer starting.
    [14:12:44] 149 bytes transferred. (9,70 KB/s) (15 ms)
    [14:12:44] 226 Transfer complete.

    The problem is not solved from outside:

    [14:15:44] 257 "/" is current directory.
    [14:15:44] TYPE A
    [14:15:44] 200 Type set to A.
    [14:15:44] PASV
    [14:15:51] Connessione interrotta dal software del computer host.
    [14:15:51] Server closed connection

    I really can't understand what the problem is  >:(

    I'm starting to think that maybe it is something related to my ISP.

    Maybe the way they NATed the subnet to my firewall is just wrong... although they say their setup is OK.

    Any hints?

    Thanks, Speck

    Sorry to take forever to respond.
    Look at your log:
    Your FTP server is responding with its IP and ports for the client to use on this line:
    [14:12:44] 227 Entering Passive Mode (192,168,10,2,23,117).

    Now, look at that and tell me why it won't work from outside your network!
    Your FTP server is giving its IP as the NAT'd private IP 192.168.10.2, which cannot be accessed from outside your LAN. Remember, passive FTP works this way: the server tells the client which IP and port to connect to for data transfer... if your server is giving out its NAT'd address, it will never work outside your LAN.
    What FTP server software are you using? If I know, I can probably help you configure it properly, to give clients your external IP.

    It has nothing to do with the client.
    This is why I wanted you to post some logs.
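    The two replies above (the passive-FTP walkthrough and the diagnosis of the 227 line) can be turned into a check that runs over a client-side log. The following Python script is an added example, not code from this thread or from pfSense: it parses the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, computes the data port as p1*256+p2, and flags the failure diagnosed here (a server behind NAT advertising its private address to a client that dialed the public address). It goes slightly beyond the thread by also checking that the advertised port falls inside the range forwarded on the firewall. The two 227 lines in the sample log are the ones quoted in this thread, the third is constructed to show a malformed reply being rejected, and the dialed address 85.18.120.149 and the 6000-6030 range are taken from the earlier posts.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if the line is not a
    well-formed 227 reply (wrong code, or an octet/port byte above 255)."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    # The data port is sent as two bytes, high byte first.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply, dialed_ip, forwarded_ports=None):
    """Say whether a client that opened the control connection to dialed_ip can
    reach the data endpoint the server advertised in this 227 reply.

    forwarded_ports is an optional (low, high) tuple: the passive range that is
    port-forwarded (NATed) to the server on the firewall."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"ok": False, "findings": ["not a well-formed 227 reply"]}
    adv_ip, port = parsed
    adv = ipaddress.ip_address(adv_ip)
    dialed = ipaddress.ip_address(dialed_ip)
    findings = []
    if adv.is_private and not dialed.is_private:
        # The thread's root cause: the server hands its RFC1918 address to
        # Internet clients. Only clients that ignore the advertised address
        # and reuse the control-connection address will get a data channel.
        findings.append(
            f"server advertised private address {adv_ip} to a client that "
            f"dialed public address {dialed_ip}")
    elif adv != dialed:
        findings.append(
            f"advertised address {adv_ip} differs from dialed address {dialed_ip}")
    if forwarded_ports is not None:
        low, high = forwarded_ports
        if not low <= port <= high:
            findings.append(
                f"data port {port} is outside the forwarded range {low}-{high}")
    return {"ip": adv_ip, "port": port, "ok": not findings, "findings": findings}


def scan_client_log(lines, dialed_ip, forwarded_ports=None):
    """Run diagnose_pasv over every 227 reply found in a client-side FTP log."""
    return [diagnose_pasv(line, dialed_ip, forwarded_ports)
            for line in lines if " 227 " in line]


# Constructed sample log: the two 227 replies are the ones quoted in the thread,
# the third one is made up (octet 999) to exercise the malformed-reply path.
SAMPLE_LOG = [
    "[15:51:53] PASV",
    "[15:51:53] 227 Entering Passive Mode (192,168,10,2,8,21).",
    "[14:12:44] 227 Entering Passive Mode (192,168,10,2,23,117).",
    "[14:13:00] 227 Entering Passive Mode (192,168,10,999,23,117).",
]

if __name__ == "__main__":
    # An Internet client dialing the .149 virtual IP, with 6000-6030 forwarded.
    for result in scan_client_log(SAMPLE_LOG, "85.18.120.149", (6000, 6030)):
        print(result)
```

    Running it as written reports, for the first quoted reply, both a private advertised address and a port (2069) outside the forwarded range; for the second, only the private address, which is exactly why the LAN client in the thread (which dialed the public address and fell back to it) succeeded while the outside client did not. Passing the server's own LAN address as dialed_ip returns ok for the second reply, mirroring the LAN-side log.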



  • I'm using Microsoft FTP Server (IIS 6, Win2k3).

    Anyway, I think that it reports the internal address since I'm connecting using NAT reflection and the server "sees" the internal client IP.

    I've tried to set the external IP address, but on the MS site it is reported that the server will automatically use the right IP address (using the NAT service).

    Today, if I have time, I'll try to set up BulletProof FTP Server and see what happens...

    Thanks for your reply,

    Speck



  • Just tried BulletProof FTP Server and all works :-\

    So I guess the problem is with the IIS 6 FTP service...

    Anyone know how to set the external IP address on this kind of server?

    Thanks to all for your help  ;D

    Speck



  • Hi all,

    I'm having the exact same problem as the OP, but what I don't understand is why IIS works fine behind other NAT firewalls (Firebox, IPCop, Linksys, Netgear). What is pfSense doing differently? I run a number of IIS FTP sites behind three different firewalls and ALL of them show the external NAT address (in the passive scenario above).

    thanks for the help

    Edit: using Beta3



  • Try turning on static NAT, or enable the FTP proxy.



  • I've tried both of these and the results are the same.

    Question: Is pftpx (the FTP proxy) supposed to rewrite the address returned for PASV and also take care of the port mapping?



  • Yes it does, and the only known problem currently has to do with FTP bridging. So this should be working.



  • Ok. So should I see a pftpx process running associated with the WAN interface?

    Regardless of the FTP proxy settings for either the LAN or WAN interface, there is only one pftpx process ever running, and it's always associated with the LAN interface (and I do reboot after changing this setting).



  • Yes you should, make sure the helper is enabled on WAN interface.



  • I've confirmed the FTP helper is enabled on the WAN and LAN interfaces and I've rebooted the machine. There is only one process listed:

    /usr/local/sbin/pftpx -c 8021 -g 8021 10.10.101.2

    If it failed on startup, would it be logged anywhere?


  • It will only fail on startup if you have a really old version.

    If this is a full install, run cvs_sync.sh releng_1 from a shell.



  • Just to be certain, I've done fresh installs of Beta 2, Beta 3 and Beta 3 + CVS update, and on ALL of them there is ALWAYS only one pftpx process (LAN interface) running when I enable the FTP helper on the WAN interface. For all of these tests, I configured the interfaces, enabled the WAN FTP helper, rebooted and made no other changes. From what I can tell, the WAN interface FTP helper never starts regardless of the setting in the webConfig.

    Edit: Have now found an error message:

    May 8 11:45:32 pftpx[8480]: listening on x.x.x.x port 21
    May 8 11:45:32 pftpx[8480]: event_dispatch error: Operation not supported by device
    May 8 11:45:32 pftpx[8480]: pftpx exiting on signal 0



  • When the system boots I see only this in the system log:

    May 23 14:46:15 pftpx[816]: listening on 127.0.0.1 port 8021
    May 23 14:46:15 pftpx[816]: listening on 127.0.0.1 port 8021

    How can I check if the pftpx process is running?

    When I try to connect with both the WAN and LAN FTP helpers enabled I get this:

    May 23 14:48:15 pftpx[816]: #1 server timeout
    May 23 14:48:15 pftpx[816]: #1 server timeout

    and I can't connect!

    I tried ps -aux now; the only line with pftpx is:

    proxy  816  0.0  0.2  656  492  ??  Ss    2:46PM  0:00.02 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.10.11

    Thanks



  • I can add some info for this problem.

    My WAN is configured this way:

    IP 192.168.x.x GW 192.168.x.x Mask 255.255.255.0

    All my external IPs are configured as Virtual IP ProxyARP.

    Maybe this configuration (WAN with a private IP and all public IPs as pARP) can "confuse" the FTP helper? Maybe I need some special settings?

    Thanks in advance!
    Speck



  • Only if you are blocking private networks in Interfaces -> WAN.



  • No, I'm not blocking private networks! (box is unchecked)

    I really can't understand what's wrong with my config!

    Thanks anyway!

    Speck



  • Also make sure you are not blocking bogons.

    Finally check out http://faq.pfsense.com/index.php?sid=64164&lang=en&action=search

