Outbound and inbound FTP stopped working

45 Posts 3 Posters 11.7k Views
kcpoole

I have been using pfSense for about 2 years with great success until last week.
One of my users advised that they cannot upload files to an FTP site.
They run a batch job every week to upload about 20 files and this now does not work.

There have been no changes to the environment at all, but my server had a crash the week before and last weekend would have been the first time since the crash the process was attempted.

Using the command line FTP client on Windows (multiple versions) and the Linux client, all fail to different FTP servers (I have tested several to check it is not a server issue).

The FTP client connects and can log in, but trying to do an ls or put results in an error.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Connection timed out

I have tried to set PASV and it is still not working.

I have tried multiple hosts and OS versions behind the firewall to get out and they are the same.
Turned off the FTP proxy and get port errors as described elsewhere.

Using automatic outbound NAT, and all other services and connections work fine.

I host an FTP server inside the network and have port forwarding to it which has worked for years. This also now exhibits the same issue from outside my network.

How can I find out why pfSense is blocking FTP now?

Thanks
Ken

johnpoz (LAYER 8 Global Moderator)

Well the first thing in troubleshooting ftp is understanding what you're actually using and what your clients are actually using - and are they behind nats, double nats? etc..

Active and passive determine which side makes the data connection. Making a control connection is normally quite easy - where it becomes a pain is the data side. And who is initiating the connection. What is your server set for passive - what ports does it use? ftp help is going to be on unless you're actually forwarding the passive ports. Did your ftp server change IPs when you said it crashed?

Here is a great write up on active vs passive. http://slacksite.com/other/ftp.html

What version of pfsense are you using - you say it's been without issue for years, are you running a 2 year old version?

C:>ftp ftp.microsoft.com
Connected to ftp.microsoft.akadns.net.
220 Microsoft FTP Service
User (ftp.microsoft.akadns.net:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
230 User logged in.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
bussys
deskapps
developr
KBHelp
MISC

Switch to pasv and it still works, even though there was an error at first

ftp> quote pasv
227 Entering Passive Mode (134,170,188,232,169,136).
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
425 Cannot open data connection.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
bussys
deskapps
developr
KBHelp
MISC
MISC1

Are you behind a double nat? You clearly should be able to ftp outbound using the ftp helper in pfsense without any issue if on the current version 2.1.5

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

kcpoole

The version I was using last week was 2.1.4. Updated last night to 2.1.5 and no different.
I have been using pfSense for 2 years and it has been updated continually as patches and updates are released.

No, I am not behind double natting and know quite intimately the FTP process and communications.
The host I am trying to connect to is not natted and does not have an issue.

kcpoole

Posted before I could finish typing :-(
The comments about pasv are to let anyone who sees this know that I have tried different solutions to test where the issue might be.

The remote host has no problem and my pfSense wan side is on a public ip.
Outbound nat is auto.

Inbound NAT and firewall rules to my own Ftp server are also affected in the same way.

@johnpoz:

You clearly should be able to ftp outbound using the ftp helper in pfsense without any issue if current version 2.1.5

I have been using the FTP helper since initially installed and still am. It was working up until last week.

Ken

johnpoz (LAYER 8 Global Moderator)

Well validate that it still is - simple enough to do a sniff on wan, connect to an ftp server and validate that it changes your IP to your public one so it can connect with active.

So you can see in the active connection, sniffing on the wan, my public IP is sent in the port command.. even though the client sends private.

Then in the passive connection I get told what IP to connect to, and the syn is sent from my side - the helper has nothing to do with this sort of connection when you're the client behind pfsense. Only if the server was behind pfsense and it sent private would the helper have to change the port and open it for the syn.

If you are so clear on the active/passive ftp connectivity I would assume you would have already looked at a simple sniff to see what is not working, what info is being sent or not sent, etc.

I can tell you I have 2.1.5 running - and don't have any problem connecting to public ftp servers from behind pfsense. And if I turn on an ftp server behind pfsense.. outside can connect to my ftp server active or passive. All that is needed is a simple forward to 21 of the server's private ip.

You can see in the bottom 3 attachments, on the wan of pfsense passive is given as the public IP, but the server clearly sent its private.. So that is the helper at work changing that. And the first attachments are the client connecting to a public IP outside pfsense where the helper changes the port command for the active connection.

Attachments: active.png, clientactive.png, passive.png, outsideclient.png, outsidelisting.png, serverpassivelanside.png


kcpoole

@johnpoz:

Well validate that it still is - simple enough to do a sniff on wan, connect to an ftp server and validate that it changes your IP to your public one so it can connect with active.

So you can see in the active connection, sniffing on the wan, my public IP is sent in the port command.. even though the client sends private.

Then in the passive connection I get told what IP to connect to, and the syn is sent from my side - the helper has nothing to do with this sort of connection when you're the client behind pfsense. Only if the server was behind pfsense and it sent private would the helper have to change the port and open it for the syn.

If you are so clear on the active/passive ftp connectivity I would assume you would have already looked at a simple sniff to see what is not working, what info is being sent or not sent, etc.

I can tell you I have 2.1.5 running - and don't have any problem connecting to public ftp servers from behind pfsense. And if I turn on an ftp server behind pfsense.. outside can connect to my ftp server active or passive. All that is needed is a simple forward to 21 of the server's private ip.

You can see in the bottom 3 attachments, on the wan of pfsense passive is given as the public IP, but the server clearly sent its private.. So that is the helper at work changing that. And the first attachments are the client connecting to a public IP outside pfsense where the helper changes the port command for the active connection.

Ok thanks. Will try that and see what I can see. I do not have another host on the wan side of the firewall (it is in a remote data centre), so will have to set one up and sniff.
That will also give me a host outside the firewall to confirm that it is actually pfSense causing the issue.

Ken

johnpoz (LAYER 8 Global Moderator)

pfsense under diag, packet capture can do all the packet capture you need to do..

If you need a host outside to confirm – just PM the info, happy to do a test connection to it and tell you what I see active and passive, what is being sent to the client, etc.

Attachment: packetcapture.png


kcpoole

@johnpoz:

pfsense under diag, packet capture can do all the packet capture you need to do..

If you need a host outside to confirm – just PM the info, happy to do a test connection to it and tell you what I see active and passive, what is being sent to the client, etc.

Ok thanks
Will let you know

Ken

kcpoole

@johnpoz:

pfsense under diag, packet capture can do all the packet capture you need to do..

If you need a host outside to confirm – just PM the info, happy to do a test connection to it and tell you what I see active and passive, what is being sent to the client, etc.

I did some testing and the IP is being rewritten as it is supposed to.
Some of the connection attempts I have made work for a moment or two but most just fail at the data connection and time out.

Ken

Attachment: Screenshot.png

kejianshi

I'm confused. FTP is dirt simple.
So my first thought is what might you have changed that is breaking it?

kcpoole

@kejianshi:

I'm confused. FTP is dirt simple.
So my first thought is what might you have changed that is breaking it?

As far as I can tell, nothing has changed at my servers, the remote server, or the firewall. The firewall was rebooted after a power failure and then the next time the users could not connect successfully and upload files :-(

Just trying an inbound connection to my own FTP server while capturing the traffic and this is the capture once already connected.

The 114 IP is my firewall wan address and 60.240 is my client here that I am trying to connect from.

It does not matter, it seems, whether I am trying to connect into my ftp server or out to an external one; the ftp connection is set up correctly but once data is to be transferred it fails.

Ken

Attachment: Screenshot-1.png

kejianshi

Are you using a static public IP or a dynamic one? Do you use a dynamic dns updater?

I'm wondering if it's as simple as your IP changed.

Also thinking if it's not, wipe the pfsense and reinstall then restore your config.

johnpoz (LAYER 8 Global Moderator)

I don't see any data attempts in your post.. And where are you sniffing? I see it send fin,ack and then retransmit it twice - I assume that is your wan.. So what does pfsense have to do with not seeing a response and sending retrans? Not like the answer is seen at the wan at pfsense?

In the first it looks like I see the syn from 182 to 114, and then 114 sending back syn,ack - and then sending it 2 more times.. because no answer? That is on your wan, is it not - so what does pfsense have to do with no answer from 182?

Can you post up the sniff, so we can look at the details? To me it looks like you have a problem outside pfsense. If these sniffs are taken on the pfsense wan?


kcpoole

@johnpoz:

I don't see any data attempts in your post.. And where are you sniffing? I see it send fin,ack and then retransmit it twice - I assume that is your wan.. So what does pfsense have to do with not seeing a response and sending retrans? Not like the answer is seen at the wan at pfsense?

In the first it looks like I see the syn from 182 to 114, and then 114 sending back syn,ack - and then sending it 2 more times.. because no answer? That is on your wan, is it not - so what does pfsense have to do with no answer from 182?

Can you post up the sniff, so we can look at the details? To me it looks like you have a problem outside pfsense. If these sniffs are taken on the pfsense wan?

Yes the sniffs are on the outside interface using pfsense to take them.
The last one posted was limited to a single IP and port 21 as there is much other traffic to that host.

Happy to post the full sniff but how can I remove the password from it? I do not really want to post the ftp details on the web.

Ken

kcpoole

@johnpoz:

To me it looks like you have a problem outside pfsense.

I am wondering that myself. How can I prove or test that thought?
I am setting up another host on my network that is outside the pfsense and hope I can find the issue there.

Ken

kcpoole

Does anyone have an ftp server I can test uploading to?
The one my client is trying to send to does not work for me. I have my own that I use at my home and that works fine :-(

TIA
Ken

johnpoz (LAYER 8 Global Moderator)

Valid point with the passwords - which is why there are anon tools for sniffs ;)

You could use http://www.tracewrangler.com/ to remove the passwords..

So see my first sniff where the billy password is sent to ftp.microsoft – you add an anon task, set everything to passthrough except the text part. You put in the original and what you want to replace it with. See 1st attachment.

You run the task, and then the new pcap it creates doesn't have your password in there ;) But all the other info is intact for looking at what could be wrong..

You can anon other stuff as well like IPs, etc. Don't go all crazy on it, it can make it difficult to spot issues if too much manipulation is done.

Attachments: replacedcopy.png, anonpasswordsout.png


kcpoole

Thanks John for the link to the anonymizer.

I have rerun the capture and attached it below.
Any help to work out why it is failing will be great.

Note: I have appended .txt to the end of the file so I can upload.

Thanks
Ken

[Capture - FailFTP_anon.pcapng.txt](/public/imported_attachments/1/Capture - FailFTP_anon.pcapng.txt)

johnpoz (LAYER 8 Global Moderator)

Well, clearly this is wrong.

So see the port command to IP 114 port 52030.

Why is it trying to go to IP 170?

And where is this address coming from - see second image.

Attachments: wrongip.png, wrongaddress.png


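The check johnpoz applies by eye above (the helper must rewrite PORT to the public address, the server must then SYN to exactly that address and port, and in passive mode the client must SYN to the address in the 227 reply) can be done mechanically from a capture's control-channel text and the data SYNs seen on the WAN. The following Python is an added example, not code from this thread or from pfSense; the 203.0.113.x addresses are constructed stand-ins for the poster's real .114 and .170 addresses, and the sample session is constructed to reproduce the mismatch found in the anonymised capture.

```python
import re

# Added example (not from this thread or from pfSense): verify that FTP data
# connections go to the endpoint advertised on the control channel.
# 203.0.113.114 / 203.0.113.170 are constructed stand-ins for the ".114" WAN
# address and the unexplained ".170"; 182.50.153.244 is the remote server above.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into ('h1.h2.h3.h4', p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("host/port fields must be 0..255")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def advertised_endpoints(control_lines):
    """Collect (mode, ip, port) for every PORT command (active mode) and
    every 227 reply (passive mode) seen on the control channel."""
    found = []
    for line in control_lines:
        m = PORT_RE.match(line)
        if m:
            found.append(("active",) + decode_hostport(m.groups()))
            continue
        m = PASV_RE.match(line)
        if m:
            found.append(("passive",) + decode_hostport(m.groups()))
    return found


def check_data_connections(control_lines, data_syns, public_ip, server_ip):
    """Compare advertised endpoints with the data SYNs seen on the WAN.
    data_syns: (src_ip, dst_ip, dst_port) tuples.  Active: the server must SYN
    to the client's advertised public ip:port.  Passive: the client must SYN
    to the server's advertised ip:port.  Returns a list of findings."""
    findings = []
    for mode, ip, port in advertised_endpoints(control_lines):
        expected_ip = public_ip if mode == "active" else server_ip
        if ip != expected_ip:
            findings.append(f"{mode}: advertised {ip}:{port}, expected {expected_ip} "
                            "(helper did not rewrite it, or wrong address configured)")
        hits = [s for s in data_syns if s[2] == port]
        if not hits:
            findings.append(f"{mode}: no data SYN seen for port {port}")
            continue
        for src, dst, _ in hits:
            if dst != ip:
                findings.append(f"{mode}: SYN from {src} went to {dst}:{port} "
                                f"instead of advertised {ip}:{port}")
    return findings


# Constructed control-channel text and observed SYNs, modelled on the thread.
CONTROL = [
    "USER ftpuser",
    "331 Password required.",
    "PASS XXXXXXXX",                # already scrubbed, as in the anonymised capture
    "230 Login successful.",
    "PORT 203,0,113,114,203,62",    # 203*256 + 62 = 52030, the port quoted above
    "200 PORT command successful",
    "LIST",
    "425 Unable to build data connection: Connection timed out",
]
DATA_SYNS = [("182.50.153.244", "203.0.113.170", 52030)]  # server aims at wrong IP

if __name__ == "__main__":
    print(*check_data_connections(CONTROL, DATA_SYNS, "203.0.113.114",
                                  "182.50.153.244"), sep="\n")
```

Feed it the control lines and SYN tuples pulled from a capture (for example with tshark) and an empty result means every data connection went where the control channel said it would.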
kcpoole

Ok, I did not see them at all.
The address 114 is my own server and the server on 182.50.153.244 is the host I am trying to get to.
I have no idea what the other IP addresses are and what they are doing in the conversation. Thanks, I will have to investigate where they fit into it.

Ken

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.