Outbound and inbound FTP stopped working

kcpoole

I have been using PfSense for about 2 years with great success until last week
Once of my users advised that they cannot upload files to an FTP site.
the run a batch job every week to upoload abotu 20 files and this now does not work.

there have been no changes to the environment at all, but my server had a crash the wek before and last weekend woud have been the first time since the crash the process was attempted.

using Command line FTP client on Windows ( multiple versions) and Linx client all fail to different FTP servers. ( i have tested several to check not a server issue).

The FTP client connects and can log in, but try to do an ls or put results in an error.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Connection timed out

I have tried to set PASV and still not working.

I have tried multiple hosts and OS versions behind the firewall to get out and they are the same.
Turned off FTP proxy and get port errors as described elsewhere.

Using Automatic outbound NAT, and all other services and connection work fine.

I host an FTP server inside the network and have port forwarding to it which has worked for years. This alos now exhibits the same issue from outside my network.

How can I find out why PfSense is blocking FTP now?

Thanks
Ken

johnpoz

Well the first thing in troubleshooting ftp is understanding what your actually using and what your clients are actually using - and are they behind nats, double nats? etc..

Active and passive  determines which side make the data connection.  Making a control connection is normally quite easy - where it becomes a pain is data side.  And who is initiating the connection.  What is your server set for passive - what ports does it use?  ftp help is going to be on unless your actually forwarding the passive ports.  Did you ftp server change IPs when you said it crashed?

Here is great write up on active vs passive.  http://slacksite.com/other/ftp.html

What version of pfsense are you using - you say its been without issue for years, are you running a 2 year old version?

C:>ftp ftp.microsoft.com
Connected to ftp.microsoft.akadns.net.
220 Microsoft FTP Service
User (ftp.microsoft.akadns.net:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
230 User logged in.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
bussys
deskapps
developr
KBHelp
MISC

switch to pasv and still works, even though there was an error at first

ftp> quote pasv
227 Entering Passive Mode (134,170,188,232,169,136).
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
425 Cannot open data connection.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
bussys
deskapps
developr
KBHelp
MISC
MISC1

Are you behind a double nat?  You clearly should be able to ftp outbound using the ftp helper in pfsense without any issue if current version 2.1.5

kcpoole

The version i was using last week was 2.1.4. Updated last night to 2.1.5 and no different
I have been using Pfsense for 2 years and it has been updated continually as patches and updates are realesed

no I am not behind Double natting and know quite initimately the FTP process and communications.
The host I am trying to connect is not natted and does not have an issue.

kcpoole

Posted before I could finish typing :-(
the comments about pasv is to let anyone who sees this that I have tried different solutions to test where the issue might be.

The remote host has no problem and my Pfsense wan side is on a public ip.
outbound nat is auto.

inbound NAT and firewalls rule to my own Ftp server is also affected in the same way.

You clearly should be able to ftp outbound using the ftp helper in pfsense without any issue if current version 2.1.5

I have been using the FTP helper since initially installed and still am. it was workign up until last week.

Ken

johnpoz

Well validate that it still is - simple enough to do a sniff on wan, connect to ftp server and validate that it changes your IP to your public so it can connect with active

So you can see in the active connection, sniffing on the wan, my public IP is sent in the port command..  Even though client sends private.

Then in the passive connection I get told what IP to connect to, and the syn is sent from my side - helper has nothing to do with this sort of connection.  When your the client behind pfsense, only if the server was behind pfsense and it sent private would helper have to change the port and open it for the syn.

If you are so clear on the active/passive ftp connectivity I would assume you would of already looked at simple sniff to see what is not working, what info is being sent or not sent, etc.

I can tell you I have 2.1.5 running - and don't have any problem connecting to public ftp servers from behind pfsense.  And if I turn on a ftp server behind pfsense.. outside can connect to my ftp server active or passive.  All that is needed is simple forward to 21 of the server private ip.

You can see in bottom 3 attachments, on the wan of pfsense passive is given as public IP, but server clearly sent its private..  So that is the helper at work changing that.  And the first attachments are client connecting to public IP outside pfsense where the helper changes port command for the active connection.

kcpoole

@johnpoz:

Well validate that it still is - simple enough to do a sniff on wan, connect to ftp server and validate that it changes your IP to your public so it can connect with active

So you can see in the active connection, sniffing on the wan, my public IP is sent in the port command..  Even though client sends private.

Then in the passive connection I get told what IP to connect to, and the syn is sent from my side - helper has nothing to do with this sort of connection.  When your the client behind pfsense, only if the server was behind pfsense and it sent private would helper have to change the port and open it for the syn.

If you are so clear on the active/passive ftp connectivity I would assume you would of already looked at simple sniff to see what is not working, what info is being sent or not sent, etc.

I can tell you I have 2.1.5 running - and don't have any problem connecting to public ftp servers from behind pfsense.  And if I turn on a ftp server behind pfsense.. outside can connect to my ftp server active or passive.  All that is needed is simple forward to 21 of the server private ip.

You can see in bottom 3 attachments, on the wan of pfsense passive is given as public IP, but server clearly sent its private..  So that is the helper at work changing that.  And the first attachments are client connecting to public IP outside pfsense where the helper changes port command for the active connection.

Ok thanks. will try that and see what i can see. I do not have another host on the wan side of the firewall, (It is in a remote data centre),  so will have to set one up and sniff.
That will also give me host outside the firewall to confirm that it is actually Pfsense causing the issue.

Ken

johnpoz

pfsense under diag, packet capture can do all the packet capture you need to do..

If you need a host outside to confirm – just PM the info, happy to to do a test connection to it and tell you what I see active and passive what is being sent to the client, etc.

kcpoole

@johnpoz:

pfsense under diag, packet capture can do all the packet capture you need to do..

If you need a host outside to confirm – just PM the info, happy to to do a test connection to it and tell you what I see active and passive what is being sent to the client, etc.

Ok thanks
Will let you know

Ken

kcpoole

@johnpoz:

pfsense under diag, packet capture can do all the packet capture you need to do..

If you need a host outside to confirm – just PM the info, happy to to do a test connection to it and tell you what I see active and passive what is being sent to the client, etc.

I Did some testing and the IP is being rewritten as it is supposed to.
Some of the Connection attempts i have made work for a moment or two but most just fail at the data connection and times out

ken

kejianshi

I'm confused.  FTP is dirt simple.
So my first thought is what might you have changed that is breaking it?

kcpoole

@kejianshi:

I'm confused.  FTP is dirt simple.
So my first thought is what might you have changed that is breaking it?

As far as I can tell, Nothing has changed at my servers, The remote server, or the firewall. The Firewall was rebooted after power failure and then next time the users could not connect sucessfully and upload files:-(

just trying an inbound connection to my own FTP server while capture the traffic and this is the capture once already connected.

the 114 IP is my firewall wan address and 60.240 is my client here that I am trying to connect from.

it does not matter it seems whether I am trying to connect into my ftp server or out to an external one, the ftp connection is setup correctly but once data is to be tranferred it fails.

Ken

kejianshi

Are you using a static public IP or dynamic one?  Do you use a dynamic dns updater?

I'm wondering if its as simple as your IP changed.

Also thinking if its not, wipe the pfsense and reinstall then restore your config.

johnpoz

I don't see any data attempts in your post..  And where are you sniffing, see send fin,ack and then retrans it twice - I assume that is your wan..  So what does pfsense have to do with not seeing a a response and sending retrans?  Not like the answer is seen at the wan at pfsense?

In the first looks like see the syn from 182 to 114, and then 114 sending back syn,ack - and then sending it 2 more times.. because no answer?  That is on your wan is in not - so what does pfsense have to do with no answer from 182?

can you post up the sniff, so we can look at the details?  To me looks like you have problem outside pfsense.  If these sniffs are taken on the pfsense wan?

kcpoole

@johnpoz:

I don't see any data attempts in your post..  And where are you sniffing, see send fin,ack and then retrans it twice - I assume that is your wan..  So what does pfsense have to do with not seeing a a response and sending retrans?  Not like the answer is seen at the wan at pfsense?

In the first looks like see the syn from 182 to 114, and then 114 sending back syn,ack - and then sending it 2 more times.. because no answer?  That is on your wan is in not - so what does pfsense have to do with no answer from 182?

can you post up the sniff, so we can look at the details?  To me looks like you have problem outside pfsense.  If these sniffs are taken on the pfsense wan?

Yes the sniffs are on the outside interface using pfsense to take them.
the last one posted was limited to a single IP and port 21 as there  is much other traffic to that host.

Happy to post the full sniff but how can i remove the password from it? i do nt really want to post the ftp details on the web

Ken

kcpoole

@johnpoz:

To me looks like you have problem outside pfsense.

I am wondering that myself. how can I prove or test that thought?
I am setting up another host on my network that is outside the pfsense and hope I can find the issue there.

Ken

kcpoole

Does anyone have an ftp server I can test uploading to?
The one my client is trying to send to does not work for me, I have my own that i use at my home and that works fine :-(

TIA
Ken

johnpoz

Valid point with the passwords - which is why there are anon tools for sniffs ;)

You could use http://www.tracewrangler.com/ to remove the passwords..

So see my first sniff where there billy password sent to ftp.microsoft – You add an anon task, set everything to passthrough except the text part.  You put in the original and what you want to replace it with.  See 1st attachment

You run the task, and then the new pcap it creates doesn't have your password in there ;)  But all the other info is in tact for looking at what could be wrong..

You can anon other stuff as well like IPs, etc.  Don't go all crazy on it, it can make it difficult to spot issues if too much manipulation is done.

kcpoole

Thanks John for the link to the anonymizer

I have rerun the capture and attached it below
Any help to work out why it is failing will be great.

note: I have appended .txt to the end of the file so i can upload.

Thanks
Ken

[Capture - FailFTP_anon.pcapng.txt](/public/imported_attachments/1/Capture - FailFTP_anon.pcapng.txt)

johnpoz

well clearly this is wrong.

So see the port command to IP 114 port 52030

Why is it trying to go to IP 170?

And where is this address coming from - see second image.

kcpoole

Ok i did not see them at all.
the Address 114 is my own server and the server on 182.50.153.244 is the host I am trying to get to
I have no idea what the other IP addresses are and what they are doing in the converstaion. thanks I will have to investigate where they fit inot it.

Ken