FTP helper failing with NAT redirection

  • Please forgive me if this has been covered, I searched for some time before posting.

    I am running a 1.2 Release firewall with 2 WANs at this time. Everything is working great including NAT reflection on our websites, and all services work properly from outside the network. However, when trying to connect to the FTP site from within the network using the public IP address, the connection always fails and this message appears in my system logs:

    Mar 25 08:15:47 pftpx[471]: #138 proxy cannot connect to server xxx.xxx.xxx.50: Operation not permitted

    The NAT reflection never worked for me on the FTP, but when I changed the VIP to a CARP type as suggested in another post, the error changed to the above. Previously the message was ":Can not bind to the address" or something similar.

    I have disabled AON. I had outbound FTP traffic routing through my secondary WAN, but changed it back to the default. That made no change.

    If there is any other information I need to provide please let me know.

    Also, if I may add a couple more questions in here, these two errors show up frequently in my logs. Could the first one be related to the above problem and are either of them something I need to worry about?

    Mar 25 08:14:52 php: : Not installing nat reflection rules. Maximum 1,000 reached.

    Mar 25 08:15:21 miniupnpd[1054]: sendto(udp_notify): No buffer space available
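As an added example (not code from this thread or from the pfSense project), the script below parses pfSense system-log lines of the three kinds quoted above and tags each with a category and an interpretation. The interpretations are the ones the thread itself reaches (the LAN-side FTP helper redirect and NAT reflection cannot both own port 21; the 1,000-rule cap means reflection rules were skipped). The sample lines are constructed to match the shape of the quoted ones, with the server address masked exactly as in the post.

```python
"""Triage pfSense syslog lines of the kinds quoted in the thread.

Added example; not from the thread or from pfSense. The meaning attached to each
pattern is taken from the thread, and the sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three lines in the shape of the post, plus one unrelated line.
SAMPLE_LOG = """\
Mar 25 08:14:52 php: : Not installing nat reflection rules. Maximum 1,000 reached.
Mar 25 08:15:21 miniupnpd[1054]: sendto(udp_notify): No buffer space available
Mar 25 08:15:47 pftpx[471]: #138 proxy cannot connect to server xxx.xxx.xxx.50: Operation not permitted
Mar 25 08:16:02 sshd[900]: Accepted publickey for admin from 192.168.1.10 port 51522 ssh2
"""

# BSD syslog shape: "Mon DD HH:MM:SS prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)


@dataclass
class Finding:
    ts: str
    prog: str
    category: str
    severity: str
    detail: str


# (program, message pattern, category, severity, meaning as described in the thread)
RULES = [
    ("pftpx",
     re.compile(r"proxy cannot connect to server (?P<server>\S+): (?P<err>.+)$"),
     "ftp-helper-connect-failure", "warn",
     "FTP helper (pftpx) could not reach the server; in the thread this is the "
     "symptom of reaching the FTP server via NAT reflection while the LAN FTP "
     "helper redirect also claims port 21"),
    ("php",
     re.compile(r"Not installing nat reflection rules\. Maximum (?P<max>[\d,]+) reached"),
     "nat-reflection-rule-cap", "warn",
     "reflection rules were skipped because the rule cap was hit, so reflection "
     "is silently missing for some port forwards"),
    ("miniupnpd",
     re.compile(r"sendto\((?P<fn>\w+)\): No buffer space available"),
     "upnp-send-enobufs", "info",
     "UPnP daemon failed to send an SSDP notify (ENOBUFS); unrelated to the FTP "
     "helper, worth attention only if it recurs constantly"),
]


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into ts/prog/pid/msg, or None if it does not parse."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].lstrip(": ")  # the php line carries an empty "" prefix
    return rec


def classify(line: str) -> Optional[Finding]:
    """Match a parsed line against RULES; None for lines nobody asked about."""
    rec = parse_line(line)
    if rec is None:
        return None
    for prog, pattern, category, severity, meaning in RULES:
        if rec["prog"] != prog:
            continue
        m = pattern.search(rec["msg"])
        if m:
            extras = ", ".join(f"{k}={v}" for k, v in m.groupdict().items())
            return Finding(rec["ts"], prog, category, severity, f"{meaning} [{extras}]")
    return None


def triage(log_text: str) -> list:
    """Return the findings for every matching line, in log order."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


def summarize(findings) -> dict:
    """Count findings per category so recurring messages stand out."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.prog:10} {f.severity:4} {f.category}: {f.detail}")
    print(summarize(found))
```

The `RULES` table is keyed on the program name first, so a message that happens to contain similar wording from another daemon is not mis-tagged; add a tuple per message you care about and `triage` will pick it up.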

  • http://devwiki.pfsense.org/FTPTroubleShooting

    Outgoing FTP (LAN -> Internet) UPDATED PORTS, please check!

    1. Ensure that the FTP helper is not disabled on Interfaces, LAN
    2. If you have a restrictive ruleset or are utilizing policy-based routing for multiple WANs, then ensure that you have permitted traffic to ports 8000-8030, i.e. allow LAN subnet to 8000-8030. This rule should be on top of all other LAN rules that utilize policy-based routing.
    3. If you are running Windows, try turning off the Windows firewall.

    A good test site is ftp://ftp4.freebsd.org/pub/FreeBSD

  • Thanks for that, but my problem is not all outbound FTP, external sites can be accessed just fine.

    I cannot access my own FTP site from inside using NAT reflection. Does this feature not work for FTP?

  • Oops, sorry…

    Can you connect with the private ip?

  • Yes, I can connect with the private IP, but prefer to keep the DMZ segregated from the internal network.

  • I don't think NAT reflection will work for FTP. At interface LAN the FTP port is already redirected to the FTP helper, so it can't be forwarded at the same time to do NAT reflection. The only scenario that might work for this is to disable the FTP helper completely and forward all FTP ports (including the ports for passive transfer) to the server at LAN. That would eliminate the FTP helper redirects and NAT reflection could work again. This however might cause other issues (only passive FTP to servers at WAN and so on…).

  • Thanks very much, Hoba and Perry. I guess I will just have to create a connection from LAN > DMZ for internal FTP transfers.

    Is there a way to schedule rules to only be in effect for certain periods of time?

  • Yes, see Firewall > Schedules. Please note that when using schedules an inactive pass rule turns into a block. Besides that it's pretty self-explanatory.

  • Great, thanks so much.
