FTP broken again after update to 2.2-RC



  • Hey guys!

    I'm having the known FTP connectivity issue after upgrading from 2.1.5 to 2.2_RC, snapshot from 23/11.

    Is there any "new" procedure to normalize ftp access? The other ones I've tried didn't work for me.

    Thanks in advance!


  • LAYER 8 Global Moderator

    Known issue with ftp?  What is known is that many users don't understand how ftp works and like to blame pfsense ;)

    23/11??  Today is Jan 13; have you tried a recent build?

    What are you having a problem with: a client behind pfsense talking to an ftp server?  Are you using active or passive?  Did you try the other?  Is this issue with multiple ftp servers?  Are you trying to forward inbound to an ftp server behind pfsense?  Again, is the client using active or passive?

    What is the error in the ftp client?

    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I.
    Command: PORT 192,168,1,100,214,222
    Response: 500 Illegal PORT command



  • Sorry about the few words, hehe…

    So, it is exactly the error 500.

    • The Windows FTP client informs that the IP returned is different than expected (the public IP).

    • The internal client from our ERP returns the same error.

    But Filezilla works as expected. I've activated the pfsense FTP proxy and it could connect in active mode. Disabling it again makes the connection passive. But only Filezilla is connecting.

    I'll update the snapshot and return the results here.



  • I'm not really sure why people have so many issues using FTP.  Honestly even less sure WHY they use it instead of sftp?


  • LAYER 8 Global Moderator

    Well, if you turn off the ftp helper, it can not change your client's port command to your public IP.

    You pretty much need the helper in active mode, since the server is going to connect back to you.  And pfsense has to open the port, and normally change the private IP the client gives to your public one - unless your client reports the public IP..  But pfsense would still have to open the port to your client from source 20 to whatever port your client said to use in the active connection.

    But using the current build
    2.2-RC (amd64)
    built on Mon Jan 12 21:47:35 CST 2015
    FreeBSD 10.1-RELEASE-p3

    It does seem like the helper/proxy is not working..

    Sniffing on the wan interface and doing an active connection to ftp.microsoft.com using the filezilla client.. The port command is sending the private IP, and pfsense is not changing it to the public one.

    If I set the client to send the public IP, it looks like pfsense is not opening the port, as I show it blocked in the firewall.

    So in this case, yes, it does seem to be broken on the current 2.2 build.  Using 2.1.5 it was working.  I have not tested inbound from public to an ftp server behind pfsense.  But currently from my quick test it does look like it's not on, even though debug.pfftpproxy is 0 in tunables.

    But passive is working just fine to public ftp servers from a client behind pfsense - which makes sense, since no changing or opening of ports is required in that configuration.  The server sends you the port to connect to.



  • It's a case for a new ticket, I guess…



  • Passive FTPS broke for me some time ago for clients that aren't smart enough to figure out the correct IP but I thought it was just my setup.  The only reason I had to use it was because a certain web service would only work with passive FTPS and not SFTP to connect to my server.  I no longer use that web service and so no longer run any kind of FTP at all so I gave up on it.


  • LAYER 8 Global Moderator

    You do understand that using ftps, no helper/proxy on pfsense can do anything, since the info in the control channel is encrypted.

    If your server is behind pfsense, and the client is on the public internet..  If the client is using passive, ftps would not allow the pfsense helper/proxy to change the IP or see what port to allow into the server.

    If you're going to want to allow a passive ftp server behind pfsense using ftps, then you would have to set the ftp server to send the public IP, not its private one - and you would have to set up forwards on pfsense for the ports the server would send to the client for the passive connection.

    As I said in the beginning - most ftp issues have been users not understanding the protocol ;)  In this case it does seem to me that the ftp helper/proxy is not working.  When I get some more time I can do some better testing.  But in the test I did this morning, it was not working.

    edit: as you can see from the attached, a sniff on the pfsense wan when trying to make an active connection to the ms ftp server, the port command has not been changed to the pfsense public IP.  It is still the private one, and clearly the ms ftp server could not connect to that IP ;)



  • Banned

    @johnpoz:

    I have not tested inbound from public to an ftp server behind pfsense.

    Works just fine as long as the FTP server behind pfSense is set up to use the WAN IP address for passive FTP…

    @OP:

    • Active FTP across NATed firewalls is just a foolish idea and a pure waste of time.
    • For passive FTPS, you MUST forward the entire passive port range used by the FTP server. The helper won't do zilch there; it cannot see the traffic at all since it's encrypted (duh!).

  • LAYER 8 Global Moderator

    "Works just fine as long as the FTP server behind pfSense is set up to use the WAN IP address for passive FTP… "

    So you're saying the helper/proxy is opening the ports, but not changing the IP..  That wouldn't seem to be working to me ;)  Normally the helper/proxy does both: it changes a private IP to the public one in the command and forwards/allows the client's connection to the port the server said to use.


  • Banned

    Frankly, unless you run some public FTP server behind pfSense, the helper is just a piece of nonsense. No one sane will use unencrypted FTP, sending credentials in plaintext.


  • LAYER 8 Global Moderator

    Preaching to the choir, dude ;)  Just posting what I see..  Like I said, I hadn't tested inbound.. But clearly active outbound is not working as it should from my test.

    I don't get why anyone uses ftp or even ftps these days - sftp is a much better solution, and no split connections with data and control.. Just 1 single port to use ;)



  • Guys, I've opened a ticket for this, anyway.

    Just to remember, we're talking here about FTP clients behind pfSense. For servers I think the question is much easier to solve in this case.
    Unsecured FTP must be wiped from the internet 8) but at least here in Brazil there are a LOT of public servers still using it…

    With wireshark I can reproduce the situation noted by the dude here... private IP instead of public IP, so I can confirm that the ftp helper isn't working. Tested on snapshots from 23/11 and today.



  • I don't get why anyone uses ftp or even ftps these days - sftp is much better solution…

    Do you deal with end-users?  :) You don't deal with end-users, do you?  ;) Specifically, you don't deal with end-users who, 99 times out of 100, have barely heard of FTP, do you?  :D Good luck helping them to download a large file from your company with SFTP.  ;D

    More to the point, I would happily embrace SFTP if Windows Explorer and Internet Explorer understood those protocols, because that's what I'm forced to deal with most of the time with end-users.



  • Ahhhh…  WinSCP.

    But no - Not serving up files FTP to a million people.

    For that I use HTTPS file server.



  • I've just upgraded to 2.2 and my ftp connection has gone down also. The DDNS is resolving to my WAN IP ok, but it's getting a "connection timed out, could not connect to server" error. The rules haven't changed, so I'm figuring this is a bug?



  • For that I use HTTPS file server.

    I also have to deal with clients and partners that need to upload files, sometimes many Gigabytes.  Nope, I'm stuck with dumb old FTP for the foreseeable future.


  • LAYER 8 Global Moderator

    Well, from the comment on the bug you submitted, it looks like it's going to be a bit before it's fixed..
    https://redmine.pfsense.org/issues/4210

    So it looks like you just have to make it work old school ;)

    So if you want to use active from a client behind pfsense to a server outside pfsense, you have to have the client present your public IP.. and use specific ports that you have set up a forward for in pfsense.  Filezilla can do this no problem.  Other clients might not be able to do this.  Or just use passive connections; then nothing needs to be done.

    As to servers behind pfsense - if the clients use active you wouldn't have issues, because the server would be connecting to them from source 20.  If you want your clients to be able to use passive, then on your server you need to make sure it presents your public IP, and uses specific ports that you have forwarded.  Again, the filezilla ftp server does this for sure - others maybe not?
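To tie together the "500 Illegal PORT command" exchange earlier in the thread, the description of what the helper has to do to a PORT command, and the "old school" workaround in the post above, here is an added example in Python. It is not pfSense's pfftpproxy code and not code from anyone in this thread: it decodes and rewrites PORT / 227 lines the way a NAT helper would, shows the server-side check that produces the 500, and checks whether a client (active) or server (passive) that announces the public IP itself and uses a statically forwarded port range can do without the helper. The client address 192.168.1.100 and the PORT line are the ones in the log posted above; the WAN address 203.0.113.10, the passive range 50000-50100 and the 227 reply are constructed assumptions.

```python
"""Added example (not pfSense's pfftpproxy code): what an FTP NAT helper has
to do to an active-mode PORT command, why a server answers "500 Illegal PORT
command" when that is not done, and the checks for the no-helper workaround
(client or server announces the public IP and uses a forwarded port range).
All addresses, ports and control-channel lines here are constructed."""
import re
from ipaddress import ip_address, ip_network

# Constructed addresses: client on the LAN, pfSense WAN address.
CLIENT_LAN_IP = "192.168.1.100"
WAN_PUBLIC_IP = "203.0.113.10"   # documentation range standing in for the WAN IP
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# PORT h1,h2,h3,h4,p1,p2 (client -> server) and "227 (...)" (server -> client)
# carry the data-channel endpoint as six decimal bytes; port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(six):
    """Six byte strings -> (dotted ip, port); rejects out-of-range bytes."""
    nums = [int(x) for x in six]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("h/p byte out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when rewriting the command."""
    if not 0 < port <= 65535:
        raise ValueError("bad port")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port(line):
    m = PORT_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def parse_pasv(line):
    m = PASV_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)


def server_port_check(line, control_peer_ip):
    """The server side of the thread's exchange: a server that is not
    'port promiscuous' only accepts a PORT address equal to the control
    connection peer, and never an RFC 1918 address arriving from the Internet."""
    parsed = parse_port(line)
    if parsed is None:
        return "500 Syntax error"
    ip, port = parsed
    if ip != control_peer_ip or is_rfc1918(ip) or port < 1024:
        return "500 Illegal PORT command"
    return "200 PORT command successful"


def helper_fixup(line, public_ip):
    """What the 2.1.5 helper did for outbound active FTP: rewrite the private
    address in PORT to the firewall's public address and return the pinhole
    the firewall must open (server port 20 -> public_ip:port, forwarded to
    the client's own address and port)."""
    ip, port = parse_port(line)
    rewritten = f"PORT {encode_hostport(public_ip, port)}\r\n"
    pinhole = {"proto": "tcp", "src_port": 20, "dst": (public_ip, port),
               "forward_to": (ip, port)}
    return rewritten, pinhole


def endpoint_ok_without_helper(ip, port, public_ip, forwarded_ranges):
    """No helper (2.2): the client (active, PORT) or the server (passive, 227)
    must announce the public IP itself and pick a port inside a range that has
    a static port forward; the firewall does nothing dynamic any more."""
    return ip == public_ip and any(lo <= port <= hi for lo, hi in forwarded_ranges)


if __name__ == "__main__":
    line = "PORT 192,168,1,100,214,222\r\n"          # the line from the thread
    print(parse_port(line))                          # ('192.168.1.100', 55006)
    print(server_port_check(line, WAN_PUBLIC_IP))    # 500 Illegal PORT command
    fixed, hole = helper_fixup(line, WAN_PUBLIC_IP)
    print(fixed.strip(), hole)
    print(server_port_check(fixed, WAN_PUBLIC_IP))   # 200 PORT command successful
    reply = "227 Entering Passive Mode (203,0,113,10,195,80).\r\n"  # constructed
    ip, port = parse_pasv(reply)
    print(endpoint_ok_without_helper(ip, port, WAN_PUBLIC_IP, [(50000, 50100)]))
```

Both rewrite paths need to read the control channel in the clear. With FTPS the PORT and 227 lines are inside TLS, so a firewall cannot do any of this, which is why the posts above say the helper can do nothing for FTPS and the whole passive range has to be forwarded statically.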



  • @KOM:

    I don't get why anyone uses ftp or even ftps these days - sftp is much better solution…

    Do you deal with end-users?  :) You don't deal with end-users, do you?  ;) Specifically, you don't deal with end-users who, 99 times out of 100, have barely heard of FTP, do you?  :D Good luck helping them to download a large file from your company with SFTP.  ;D

    More to the point, I would happily embrace SFTP if Windows Explorer and Internet Explorer understood those protocols, because that's what I'm forced to deal with most of the time with end-users.

    The last time I had to deal with this sort of nonsense I packaged up Filezilla into an msi with a config already in it, and a little video showing what to do that came up on the first run of FZ.  I also sent instructions on how to get it out via group policy.

    The killer bit was telling them that Filezilla was able to make the transfer go faster.

    A small white lie and convenience got around 1500-odd people using SFTP through OpenSSH to a Linux box with Samba wired up to AD for the internal connections, rather than a Win 2003 server with FTP on it that could finally be laid to rest.

    It can be done, but it takes a bit of time and effort.  Don't even think of trying to pull the "it's insecure" argument against FTP.  The people who use it - almost by definition - either don't care or can't even understand the argument in the first place.



  • I'm not sure if your lie is all that little or fast…

    When I do "many gigabytes" of file transfers from Denmark to Maryland, I use filezilla.  It's fairly freakin fast.

    And simple.

    I like your idea.  People might be motivated with the "its fast" argument.

    Another thing I like about winscp is it can be set to aggressively reconnect forever and never give up.

    A great thing to have if the ISP sucks.



  • Well… in my case, for now I've returned to 2.1.5. Ftp connectivity is important here; our legacy ERP uses standard ftp to update itself... if you're thinking about +- 50 workstations...



  • from https://redmine.pfsense.org/issues/4210
    "…not something we're looking into for 2.2 at this point.."

    Does it mean that 2.2 will be released with the ftp proxy broken?  :o

    Can somebody test the jftpgw or frox port via pkg add to see if it's a workaround until the native ftp proxy gets fixed?



  • 2.2 has no FTP proxy and will be released without one. It only helped with active mode clients behind NAT anyway, and only with a simple single public IP setup. Passive mode clients, which is what essentially everything does by default in recent years (minus the Windows command line FTP client), don't need a proxy. Servers can be configured easily in a way that doesn't require a proxy. You have to do so with FTPS anyway, which is the only FTP anything you should be using at this point.

    Time to move on from FTP, folks.


  • LAYER 8 Global Moderator

    @cmb:

    Time to move on from FTP, folks.

    Exactly!!!! ;)



  • Thanks Chris.  I do not recommend ftp either, but you know that many sites still use it. :)


  • LAYER 8 Global Moderator

    To the sites that still use it – you would hope at least it was ftps, which breaks the helper anyway.  The helper is needed in 2 setups: where you want your client behind pfsense to use an active connection to a public server, or you're running a server behind pfsense and you want to allow passive clients.

    If the client uses passive, no helper is needed; if you're running a server, you would hope you were running ftps anyway, which would have required the manual firewall rules anyway because the helper could not see the traffic to fix up.  So I don't really see this as a loss of anything of real function..  And you really shouldn't be using ftp anyway ;)

