Netgate Discussion Forum
    FTP helper failing with NAT redirection


    fogogg

      Please forgive me if this has been covered, I searched for some time before posting.

      I am running a 1.2 Release firewall with 2 WANs at this time. Everything is working great including NAT reflection on our websites, and all services work properly from outside the network. However, when trying to connect to the FTP site from within the network using the public IP address, the connection always fails and this message appears in my system logs:

      Mar 25 08:15:47 pftpx[471]: #138 proxy cannot connect to server xxx.xxx.xxx.50: Operation not permitted

      The NAT reflection never worked for me on the FTP, but when I changed the VIP to a CARP type as suggested in another post, the error changed to the above. Previously the message was ":Can not bind to the address" or something similar.

      I have disabled AON. I had outbound FTP traffic routing through my secondary WAN, but changed it back to the default. That made no change.

      If there is any other information I need to provide please let me know.

      Also, if I may add a couple more questions in here, these two errors show up frequently in my logs. Could the first one be related to the above problem and are either of them something I need to worry about?

      Mar 25 08:14:52 php: : Not installing nat reflection rules. Maximum 1,000 reached.

      Mar 25 08:15:21 miniupnpd[1054]: sendto(udp_notify): No buffer space available

    Perry

        http://devwiki.pfsense.org/FTPTroubleShooting

        Outgoing FTP (LAN -> Internet) UPDATED PORTS, please check!

        1. Ensure that the FTP helper is not disabled on Interfaces, LAN
        2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.
        3. If you are running Windows, try turning off the Windows firewall.

        a good test site is ftp://ftp4.freebsd.org/pub/FreeBSD

        /Perry
        doc.pfsense.org

    fogogg

          Thanks for that, but my problem is not with all outbound FTP; external sites can be accessed just fine.

          I cannot access my own FTP site from inside using NAT reflection. Does this feature not work for FTP?

    Perry

            Oops, sorry…

            Can you connect with the private ip?

            /Perry
            doc.pfsense.org

    fogogg

              Yes, I can connect with the private IP, but prefer to keep the DMZ segregated from the internal network.

    hoba

                I don't think NAT reflection will work for FTP. At interface LAN the FTP port is already redirected to the FTP helper, so it can't be forwarded at the same time to do NAT reflection. The only scenario that might work for this is to disable the FTP helper completely and forward all FTP ports (including the ports for passive transfer) to the server at LAN. That would eliminate the FTP helper redirects and NAT reflection could work again. This however might cause other issues (only passive FTP to servers at WAN and so on…).

    fogogg
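To make the conflict hoba describes concrete, here is an illustrative pf rule fragment for the LAN interface. It is an added example, not the rules pfSense 1.2 actually generates; the interface name, addresses, the proxy port 8021 and the passive range 50000-50100 are all assumed.

```pf
# Added example: why a NAT-reflection rdr for port 21 cannot coexist with the
# FTP helper on LAN. Names and addresses below are constructed for illustration.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
wan_pub = "203.0.113.50"      # constructed public VIP the clients connect to
dmz_ftp = "10.0.0.21"         # constructed FTP server address in the DMZ

# Case 1: FTP helper enabled.
# pf evaluates rdr rules first-match, so this helper redirect catches every
# port-21 connection from LAN and hands it to the pftpx proxy on localhost...
rdr on $lan_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
# ...and a reflection rdr for the same port below it never sees a packet.
rdr on $lan_if proto tcp from $lan_net to $wan_pub port 21 -> $dmz_ftp port 21

# Case 2: FTP helper disabled (hoba's workaround).
# Reflect the control port and the server's whole passive data range. The server
# must be configured to use that range and to advertise $wan_pub in its PASV
# replies, otherwise LAN clients are told the private address for data connections.
rdr on $lan_if proto tcp from $lan_net to $wan_pub port 21 -> $dmz_ftp port 21
rdr on $lan_if proto tcp from $lan_net to $wan_pub port 50000:50100 -> $dmz_ftp

# Filter rules are evaluated after translation, so they must permit the
# post-rdr destination, not the public VIP.
pass in on $lan_if proto tcp from $lan_net to $dmz_ftp port { 21, 50000:50100 }
```

Without the helper, active-mode transfers from LAN to FTP servers on the Internet will no longer be fixed up, which is the side effect hoba warns about.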

                  Thanks very much, Hoba and Perry. I guess I will just have to create a connection from LAN > DMZ for internal FTP transfers.

                  Is there a way to schedule rules to only be in effect for certain periods of time?

    hoba

                    Yes, see Firewall > Schedules. Please note that when using schedules an inactive pass rule turns into a block. Besides that it's pretty self-explanatory.

    fogogg

                      Great, thanks so much.

                      ;D
