Undestand FTP - need help with solution



  • Hello - I undestand that FTP does not work properly with Proxy ARP.  So be it.

    However, I still need some advice what to do.  I have a web server and need to provide the owners FTP access. That web server is to a different IP than my firewall so I have to use Proxy ARP to allow web access - that is working fine.

    Setup:

    WAN:  xxx.xxxx.106.146/28
    LAN:  192.168.2.1/24
    DMZ (OPT1):  192.168.21.1/24

    ProxyARP:  xxx.xxx.106.152/32
    NAT 1:1 xxx.xxx.106.152/32 192.168.21.8/32

    Firewall: Rules
        WAN 
        Proto Source Port Destination Port Gateway Schedule Description   
      TCP  *  *  192.168.21.8  80 (HTTP)  *         
      TCP  *  *  192.168.21.8  21 (FTP)  *         
      TCP  *  *  192.168.21.8  1080 - 10805  *

    Proxy-FTP Helper is unchecked on ALL interfaces.

    I can logon fine but when I type DIR, nothing happens.  I am doing this command line and have not experimented with PORT/PASV mode.

    So the question is - assuming this won't work on a ProxyARP address, how do I provide my client with ftp access to their website?

    Thanks.



  • I have two different FTP server on my network.  One is internal that I use over VPN connections and the other is external.  I just have a single rule setup for the external FTP traffic, and point to the external FTP server.

    One thing that I have found with alot of test was that getting a good FTP server is hard to find.  I have had all sorts of issues with MS S 2000, MS S 2003, SCO, and many others.  They all have issues at the firewall.  Cerberus FTP has never failed me.  It works when nothing else will.  It is a great product and can be tied to the AD or use local accounts in the application.

    I now use the AD intergration and tie the accounts to the NT home directories.  It took some time and configuration to get working but it is highly stable now.
    RC



  • Thanks for the reply.  A few questions:

    1.  Is your external FTP one which uses a Virtual IP other than the WAN interface?
    2.  I will try ServU to see if that works. Currently, I am using MS 2003 server.  When yours "failed", what was the symptom?

    The issue for me is not one of authentication - it is in the directory listing - I'm not sure if that is the point it does a port change.



  • Your problem most likely is in your PSV FTP settings.  By default (I think) most servers use 1024-65535 randomly as the passive range, most clients default to passive mode as well (as most users are behind a firewall too).  So a FTP with 1000 max users with 5 max connections per IP will need 5000 ports forwarded for passive use (use a high range 50000 or above).

    im not sure why your forwarding this range, but it might also be causing you problems.
    "TCP  *  *  192.168.21.8  1080 - 10805  * "

    port forward
    21 (Regular FTP, SSL explicit)
    990 (SSL implicit)
    and your passive range (ie: 50000-55000)

    ftp server:
    match your passive range ports you've forwarded in your config.

    If your looking for a free FTP server check out FileZilla - http://filezilla-project.org/
    I do believe ioFTPD has become open source now too.
    I swear off IIS. Hope this helps.
    that is all. :)



  • I'm using Pure-ftpd as FTP server and encountered a similar problem way back, though it may be a little different from yours ( I used 1:1 NAT). Most likely your FTP server is using ACTIVE mode that is why when you list the contents of the directory nothing showed. Try changing from PASSIVE to ACTIVE and see if it works.

    HTH





  • and you can take a look also at this thread

    http://forum.pfsense.org/index.php/topic,7096.0.html
    Greetings
    Heiko


Locked