Update to 2.2 and the FTP is gone
-
Hello!
I've got a problem. I updated pfSense to version 2.2 this morning and FTP doesn't work anymore. :/
On the old version I didn't set up anything, I only opened port 21 and it worked fine, but now it doesn't. :/ Can anyone tell me why? Or what can I do if I don't want to set a passive port range?
Thanks!
-
No information here. "ftp won't works anymore" is useless. If you are running an FTP server behind pfSense, then port-forward the passive port range to the server (and set up the FTP server to respond with the public IP). Already discussed before here.
-
I just noticed a difference in behavior relating to ftp between pfsense 2.1.5 and 2.2. Not sure how/if this relates to what the OP is seeing.
In my case I have some IP cameras on one VLAN and an FTP server on another VLAN. The FTP server is for internal network use only, mainly to save images from the IP cameras. I have firewall rules preventing the VLANs from talking to each other, but in 2.1.5 I opened port 21 on the firewall on the camera VLAN from the cameras' IP addresses to the FTP server. This allowed the cameras to save images on the FTP server. While this worked in 2.1.5, I just noticed that images weren't being saved since moving to 2.2. When I checked the logs I noticed that pfSense was blocking the FTP server's port 20 on the FTP server's VLAN. Creating a rule on the FTP server's VLAN to allow port 20 traffic back to the cameras fixed the problem.
I'm not sure if 2.1.5 was allowing traffic it shouldn't have, or if 2.2 isn't allowing traffic it should, but there seems to be a difference in behavior. No other changes to the firewall rules were made during the move from 2.1.5 to 2.2.
-
2.1.5 had an FTP helper/proxy enabled.. 2.2 has no FTP helper/proxy.. So be it NAT or non-NAT rules, etc.. IF pfSense saw FTP out to 21 (an active connection) it would allow the return traffic to the port from source 20. This is the function of the helper and that was what was allowing your traffic without having to create the rule.
2.2 has no helper, and from comments I saw on the bug and forum - it may be in 2.2.1 or .2, .3 etc.. or it may not ;) In a nutshell there was a comment "ftp is dead, time to move on people" ;) heheheeh
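The two posts above describe what the removed helper used to do: watch the control channel for PORT/PASV and open (and, for NAT, rewrite) the matching data connection. The following added example, not code from pfSense or from anyone in this thread, parses a constructed FTP control session and reports which data connection a stateful firewall must permit in each mode, and which active-mode PORT announcements would have needed the helper's address rewrite.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed control-channel sample: client 10.10.20.5 behind the firewall,
# server 203.0.113.10 on the internet; one active and one passive transfer.
CONTROL_SESSION = """\
C: PORT 10,10,20,5,195,80
S: 200 PORT command successful.
C: LIST
S: 226 Directory send OK.
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,39,22).
C: RETR update.bin
S: 226 Transfer complete.
"""

@dataclass(frozen=True)
class DataConnection:
    mode: str                # "active" or "passive"
    initiator: str           # side that opens the TCP data connection
    src_port: Optional[int]  # 20 (ftp-data) in active mode, ephemeral otherwise
    dst: str                 # address announced on the control channel
    dst_port: int

PORT_RE = re.compile(r"^C: PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^S: 227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _host_port(g):
    # h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])

def data_connections(session, client_ip, server_ip):
    """Active: the SERVER connects from port 20 to the client-announced endpoint
    (the inbound/cross-VLAN flow 2.2 drops without a helper or an explicit rule).
    Passive: the CLIENT connects out to the server-announced endpoint."""
    conns = []
    for line in session.splitlines():
        if m := PORT_RE.match(line):
            host, port = _host_port(m.groups())
            conns.append(DataConnection("active", server_ip, 20, host, port))
        elif m := PASV_RE.match(line):
            host, port = _host_port(m.groups())
            conns.append(DataConnection("passive", client_ip, None, host, port))
    return conns

def needs_address_rewrite(conns):
    """Active-mode PORT commands announcing a private address: the old helper
    rewrote these to the public IP; without it the server dials an unroutable host."""
    return [c for c in conns
            if c.mode == "active" and ipaddress.ip_address(c.dst).is_private]
```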
-
I updated today from 2.1.X to 2.2 and had an issue with FTP too.
There are 2 Internet connections, and while users use the first one, FTP (port 21) was redirected to the 2nd one.
This worked well with the FTP helper. It does not anymore. Probably because of this helper change (not sure it has been removed according to what I read here).
I fixed the problem by removing this rule.
This is not the ideal solution, but neither is using FTP. :)
-
https://doc.pfsense.org/index.php/FTP_without_a_Proxy
-
You know - I don't keep up with what some of the guys I'm working with are using. Although I try very hard to steer my partners towards open source solutions they often insist on windows and often get burned. So, one of mine has customers using windows server and apparently they are married to FTP and apparently the clients are too.
So, I had him issue openvpn clients to them to hit that server and FTP works. Headache solved.
Why people are so inflexible is beyond me. The winscp client I was using support several perfectly good protocols that wouldn't have required the vpn!
So is FTP helper gone forever or will it make its way into 2.2.1 to shut people up?
-
Hope it will be back !
Here in Quebec, there is a major corporate software used for construction company.
It updates via active FTP at each startup. I've contacted the support of the software and they don't plan to change this in the short or long term even if newer routers don't support it!
We know that FTP is insecure and outdated but there is still software that requires it.
Have to get some customers back to 2.1.5.
Maybe put the FTP helper as an optional package to use at our own risk?
-
I don't understand how this is an issue.. Ok your customer uses ftp, then create the correct firewall rules to allow ftp.. It's not difficult..
https://doc.pfsense.org/index.php/FTP_without_a_Proxy
-
Active mode FTP through NAT will not function as that relies on a proxy or similar mechanism. Use Passive mode instead.
The app is an active FTP client, not a server.
Also the server is managed by the support of the software and they don't plan to change the FTP mode soon … :/
Our customers are "forced" to use the software for their sector of activity.
-
So the server is on the public internet somewhere, and your client behind pfSense is active only? Or is the server behind your pfSense and the active client is on the internet?
If the public server on the internet will not support passive connections then they have a broken setup with today's NATs.. They can not expect their clients' firewall connections to have helpers for ftp. That is a very unrealistic view.
The fact that they are using ftp with a client of theirs? Why don't they just use sftp? Find a different application/vendor whatever - they seem like they are completely out of touch.
-
So server is on the public internet some where, and your client behind pfsense is active only? Or is the server behind your pfsense and the active client is on the internet?
The server is on the public internet and the software (aka client) uses only active FTP for updates at startup. Worse, no manual update is available … :-[
johnpoz wrote: "If the public server on the internet will not support passive connections then they have a broken setup with todays nats.. They can not expect their clients firewall connections to have helpers for ftp. That is a very unrealistic view."
That's what I said to the software support guy and he was like "just open port/port forward on your firewall to each user client software (!?! wtf) ….. we do not support any other way to do updates with that software and I don't know if there is any plan to change that ..." :o
If it was server software, I would completely agree to open the port, but there are about 6 users here using client software in active FTP, so opening a port/port forward is completely useless with that protocol.
The fact that they are using ftp with a client of theirs? Why don't they just use sftp? Find a different application/vendor whatever - they seems like they are completely out of touch.
I completely agree with your statement but the fact is that this is a kind of gov/corporate software that any "master electrician" must register to … no way to get around that, no possible VPN solution to bypass the NAT, no joy at all :(
In a desperate attempt to find a solution before coming to the forum, I put in a dirt cheap router with DD-WRT to test and updates work perfectly ... (I guess they probably also put a kind of FTP helper in their NAT or it is not a "pure" NAT ...)
So, my customer is stuck with software that he can't change, that uses an outdated protocol for updates, with a firewall that he can't update because it will "break" updates of the software and that they don't want to change because of all the services they get from it.
I completely understand the reasons why the pfSense team did not keep the FTP helper, but despite that, some users still use it because they are forced to (unfortunately).
-
How did the OP solve this issue?
I'm having the exact same problem with 2.1.5.
I keep reading about an ftp-helper-proxy but I cannot find it anywhere, either on pfSense or in packages.
Thanks
-
I don't know how the OP made out, they never came back. As to your problem - well you're still on 2.1.5?? That is a problem for sure. But it had the ftp helper/proxy built in.
What is your issue, other than being on an EOL version of pfSense that is no longer supported, which is a really big one!!
Once they removed the helper/proxy - a package was added to allow for outbound active connections to ftp servers. This has nothing to do with running passive ftp behind pfSense that clients from the internet connect to.
-
People keep saying that to me, but really, what is working on 2.3 that wasn't on 2.1.5? Every feature I need (CARP, traffic shaper, 32 VLANs, multi-WAN, proxy-server, proxy-filter, proxy-report, sarg, anti-virus, DHCP, LAGG, NAT, limiters, floating firewall rules, deep layer) is working really well, which was something I couldn't say about 2.2.2.
This isn't like a computer BIOS at home. It's a big big office. If there are known security risks with 2.1.5 or once the newer versions add enough to justify it, I'll set up an office to test it for a few months and deploy it.
edit: but yes, connections to active FTP do not work, at least on this version, even with the FTP helper.
-
Your proxy server is outdated, and your OS is outdated, do we really need to list the number of security features since 2.1.5? Let alone any of your packages that might have issues that are no longer being updated.
Your FreeBSD version, 8.3, is no longer supported either, it went EOL April 30, 2014. 2.3 is running on 10.3 - how many security features/enhancements are involved in that change?
The big thing here is - you're no longer supported, not from a pfSense sense or even the underlying FreeBSD.. I fully understand not jumping on every single beta that comes out.. But you got to stay CURRENT on your software.. Especially security type stuff..
You still have stuff running XP and Win 95 in your setup, cuz hey why update, it is working ;)
-
What drives this neediness to have forum posters upgrade their production environments to the latest and greatest on solely the basis of what you just said?
The fact that your support completely jumps ship at every new release only means you will always be desynchronized with production environments, which simply do not work that way, as opposed to the likes of Canonical or Red Hat which understand the need of having LTS to conquer businesses.
I'll repeat, and this is only if you have any interest in what your users do: these upgrades you are referring to are not to be made lightly. Like I said in my previous post, test benches/office simulations must be set up and trialed for months on any new software release before implementing in actual production, where reliability + uptime are what dictates success, and not some version number of the software you are running. For example, version 2.2.2 - the latest and greatest of not so long ago - failed spectacularly in our trials at the time, compared to 2.1.5. I would have been fired on the spot for implementing it. I don't think you understand the consequences of what you are asking us to blindly do.
Thanks again for the help
cheers
-
pfSense did not jump ship on support, it is based on FreeBSD, and the version of BSD it was running on is no longer supported.
Who said anything about blindly.. JFC there are thousands if not tens of thousands of production sites that have moved to 2.3.2 without issues..
You're still on 2.1.5 because you need PPTP?? There is no legit reason to stay on outdated, unsupported - security software to boot..
As to your ftp still not working.. Again, is it ftps or ftpes - that will not work even with the helper. You would have to allow that traffic inbound on an active connection. If you're behind a double NAT it's not going to work unless there are multiple helpers, etc.
Where is the log/sniff of the connection, and we can figure out why it's not working. A simple sniff on the WAN side of pfSense will show you for sure if the helper changed the IP of the client's RFC1918 address to your public one, etc. Multiple WAN connections can cause issues, for example. The current version of pfSense with the ftp package allows you to edit which WAN interface, etc. etc..
-
In 2015 when 2.1.5 was trialed, selected and deployed against the then most current version, 2.2.2, the latter was scrapped because:
- Carp + Lagg was broken. It only worked in LACP or Failover.
- LACP was broken. All communication between interfaces failed. Firewall rules were ignored.
- Hence, Carp + lagg + failover was the only working combination, providing very little bandwidth for the required needs.
- Limiters didn't work
- Deep packet inspection didn't work.
If, at the time, I had followed everybody's recommendation to migrate from 2.1.5 to 2.2.2 under the presumption that tens of thousands had already done it, I would not be here today. pfSense would have stopped communicating entirely with the switches, all firewall rules would have stopped working. The company would have stopped.
Next year I will trial new versions with due process (lab testing).
FTP connections are active but are not ftps or ftpes. The problem was (luckily) quickly solved at the application level. Thanks for the support though.