Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    FTP Client Proxy Package

    Cache/Proxy
    37
    69
    56453
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimp
      jimp Rebel Alliance Developer Netgate last edited by

      I made a basic FTP client proxy package using ftp-proxy(8), it is available for users on pfSense 2.2-RELEASE and later.

      https://github.com/pfsense/pfsense-packages/commit/a868b2522ef865f117c892a07ae3507686783ff3

      Feedback welcome. I don't expect every feature to work 100% yet, but it's worth knowing what does and does not work.

      N.B.: This is for clients and not servers. So local clients, remote servers.

      It should also help those with a strict LAN ruleset and passive outbound clients.


      Note for future posters to this thread:
      This thread is for general feedback about the package (commentary, GUI notes, etc) – Problem reports should go into separate threads so they can receive proper/full attention without taking over this thread. Dropping a note here saying it didn't work for you is OK so long as it contains a link to a separate problem thread for further discussion.

      Thanks!

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 2
      • S
        stefb last edited by

        Hello,

        First, thanks for this, it will help in some corporate environments where things move slowly and outgoing internet connection is limited.

        I have tried with ftp.free.fr on a dual wan setup with load balancing and it seems there is an issue with the outgoing ip :

        lftp 212.27.60.27:~> ls
        ---- Connexion à 212.27.60.27 (212.27.60.27) port 21
        <--- 220 Welcome to ProXad FTP server
        ---> FEAT
        <--- 211-Features:
        <---  EPRT
        <---  EPSV
        <---  MDTM
        <---  PASV
        <---  REST STREAM
        <---  SIZE
        <---  TVFS
        <---  UTF8
        <--- 211 End
        ---> OPTS UTF8 ON
        <--- 200 Always in UTF8 mode.
        ---> USER anonymous
        <--- 331 Please specify the password.
        ---> PASS lftp@
        <--- 230 Login successful.
        ---> PWD
        <--- 257 "/"
        ---> PASV
        <--- 227 Entering Passive Mode (212,27,60,27,237,91)
        ---- Connecting data socket (212.27.60.27) port 60763
        ---- Data connection established
        ---> LIST
        <--- 425 Security: Bad IP connecting.
        ---- Closing data socket
        
        1 Reply Last reply Reply Quote 0
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          Are you load balancing? It probably won't work with load balancing if the data connection leaves a different WAN. Not sure if there is a way around that one using this proxy.

          It works for me to that site, but I'm doing failover not load balancing.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • S
            stefb last edited by

            Yes, i'm load balancing,

            I could failover for the ftp connection if needed.

            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              Problem with that is the outbound connection from the client will be on a high, unpredictable port.

              That's one case where with a proxy, active mode would work better.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • S
                stefb last edited by

                Yes I confirm that when using Active mode it works :

                stefb@host:~$ LANG=en_US.utf8 lftp 212.27.60.27
                lftp 212.27.60.27:~> set ftp:passive-mode no
                lftp 212.27.60.27:~> debug
                lftp 212.27.60.27:~> ls
                ---- Connecting to 212.27.60.27 (212.27.60.27) port 21
                <--- 220 Welcome to ProXad FTP server
                ---> FEAT
                <--- 211-Features:
                <---  EPRT
                <---  EPSV
                <---  MDTM
                <---  PASV
                <---  REST STREAM
                <---  SIZE
                <---  TVFS
                <---  UTF8
                <--- 211 End
                ---> OPTS UTF8 ON
                <--- 200 Always in UTF8 mode.
                ---> USER anonymous
                <--- 331 Please specify the password.
                ---> PASS lftp@
                <--- 230 Login successful.
                ---> PWD
                <--- 257 "/"
                ---> PORT 192,168,75,178,129,186
                <--- 200 PORT command successful. Consider using PASV.
                ---> LIST
                ---- Accepted data connection from (212.27.60.27) port 20
                <--- 150 Here comes the directory listing.
                ---- Got EOF on data connection
                ---- Closing data socket
                lrwxrwxrwx    1 ftp      ftp            28 Jun 14  2011 MPlayer -> mirrors/mplayerhq.hu/MPlayer
                drwxr-xr-x    2 ftp      ftp          4096 May 07  2008 awstats
                drwx------    2 ftp      ftp          4096 Mar 08  2006 lost+found
                drwxr-xr-x    3 ftp      ftp          4096 Aug 18  2014 mirrors
                drwxr-xr-x    2 ftp      ftp          4096 Dec 24  2008 nzb
                drwxr-xr-x    9 ftp      ftp          4096 Oct 23 13:41 pub
                drwxr-xr-x    2 ftp      ftp         69632 Mar 04 23:30 stats
                drwxr-xr-x    2 ftp      ftp          4096 Mar 05 11:40 tmp
                <--- 226 Directory send OK.
                lftp 212.27.60.27:/>
                
                
                1 Reply Last reply Reply Quote 0
                • D
                  doktornotor Banned last edited by

                  Just tested quickly, personally have no need for this.

                  • Totally broken when you tick the IPv6 checkbox, nothing works.
                  • This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)
                  1 Reply Last reply Reply Quote 0
                  • B
                    brainloss last edited by

                    Upgraded from 2.1.5 to 2.2 and found the that a application that user FTP on the LAN could no longer talk correctly to the remote FTP server.
                    I have no control on the application or FTP server but the function it provides is critical to the business.
                    This package saved me last night and while I have not fully tested all options in the package, it did immediately solve my issue.

                    Proxy Enable - Tick
                    Local Interface - LAN and OPT1(Wifi)
                    IPv6 - no tick
                    Anonymous - no tick
                    Source - My WAN IP
                    Bind Port - 21
                    Max Sessions - Blank
                    Traffic Shaping - Blank
                    Rewrite Port 20 - no tick
                    Ide Timeout - Blank
                    Log Connection - ticked

                    JIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thankyou with a gold subscription :-)

                    1 Reply Last reply Reply Quote 0
                    • jimp
                      jimp Rebel Alliance Developer Netgate last edited by

                      @doktornotor:

                      Just tested quickly, personally have no need for this.

                      Me either, but sadly it's so ingrained that it's hard to rip out.

                      @doktornotor:

                      • Totally broken when you tick the IPv6 checkbox, nothing works.

                      I suspected that might be the case. Proxying IPv6 seems like a bad idea anyow. I may rip that option out next rev.

                      @doktornotor:

                      • This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)

                      Not sure anything can be done for that, and it does suck.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • jimp
                        jimp Rebel Alliance Developer Netgate last edited by

                        @brainloss:

                        Source - My WAN IP

                        If that's your only WAN IP, it can be left blank. That box is primarily for people who need it to exit a VIP or some other different IP, perhaps if your WAN is behind NAT.

                        @brainloss:

                        Bind Port - 21

                        Don't do that. Leave it blank.

                        @brainloss:

                        JIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thankyou with a gold subscription :-)

                        You're welcome, glad it helped!

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • K
                          kejianshi last edited by

                          I suspect lots of people will use soon as they see it.

                          1 Reply Last reply Reply Quote 0
                          • -flo- 0
                            -flo- 0 last edited by

                            Thanks a lot!!

                            I only need ftp once every few years like when some provider has support files only available via anonymous ftp. So as bad as ftp may be not being able to use it is a real pain.

                            -flo-

                            1 Reply Last reply Reply Quote 0
                            • jimp
                              jimp Rebel Alliance Developer Netgate last edited by

                              I removed the broken IPv6 setting and I added fields for source bypass and destination bypass.

                              At least that way, if you have a secure FTP server you could add it to the bypass list so that the proxy won't break it.

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • P
                                pfsenseo last edited by

                                Thanks a lot for your package !!!

                                It save me many days of troubleshouting…

                                I also think that I am not the only one in this case.

                                Hope that pfSense team will quickly correct this bug.

                                Thanks again.

                                Yan

                                1 Reply Last reply Reply Quote 0
                                • M
                                  matsan last edited by

                                  Just want to chime in here - upgraded hardware and installed 2.2 and immediately got bitten by the lack of ftp-proxy.
                                  This package saved tons of time during the hectic upgrade.

                                  1 Reply Last reply Reply Quote 0
                                  • JeGr
                                    JeGr LAYER 8 Moderator last edited by

                                    I suspected that might be the case. Proxying IPv6 seems like a bad idea anyow. I may rip that option out next rev.

                                    In environments, where users are trying to build a new IPv6 only network, that option may be very well received (for proxying IPv6 clients to IPv4 only servers). If that is possible, it would be nice to be included. Of course not needing FTP at all would be quite better… ;)

                                    Greets

                                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                    1 Reply Last reply Reply Quote 0
                                    • jimp
                                      jimp Rebel Alliance Developer Netgate last edited by

                                      It wasn't a 6-to-4 style proxy or anything that interesting, it was for v6 to v6 only, which is pretty useless except maybe in the presence of strict outbound firewall rules that the proxy could help with.

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        digidax last edited by

                                        How can I install this package?
                                        Was going back to 2.1.5 and want now try to update to 2.2.1 with working FTP outgoing from LAN.

                                        best regards
                                        Frank

                                        1 Reply Last reply Reply Quote 0
                                        • D
                                          doktornotor Banned last edited by

                                          @digidax:

                                          Was going back to 2.1.5 and want now try to update to 2.2.1 with working FTP outgoing from LAN.

                                          Like any other package. System - Packages.

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            digidax last edited by

                                            There is no package "ftpproxy".
                                            "freeradius2" is the last, then "gwled" is the next one.
                                            Will it be visible after I have done the update?

                                            1 Reply Last reply Reply Quote 0
                                            • D
                                              doktornotor Banned last edited by

                                              The package is for 2.2.x only…

                                              1 Reply Last reply Reply Quote 0
                                              • jimp
                                                jimp Rebel Alliance Developer Netgate last edited by

                                                Note for future posters to this thread:
                                                This thread is for general feedback about the package (commentary, GUI notes, etc) – Problem reports should go into separate threads so they can receive proper/full attention without taking over this thread. Dropping a note here saying it didn't work for you is OK so long as it contains a link to a separate problem thread for further discussion.

                                                Thanks!

                                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                Need help fast? Netgate Global Support!

                                                Do not Chat/PM for help!

                                                1 Reply Last reply Reply Quote 0
                                                • K
                                                  kawaider last edited by

                                                  Hi! Sorry for my bad English.
                                                  I use FTP server on port 1221. In PFsense 2.1 I configure ftphelper with option debug.pfftpports. But in PFsense 2.2 I can't confirure packet "FTP client proxy" for work with port differing from 21. Help, please!

                                                  1 Reply Last reply Reply Quote 0
                                                  • jimp
                                                    jimp Rebel Alliance Developer Netgate last edited by

                                                    The ftp-proxy(8) daemon seems to only work properly with a server on port 21, so there does not appear be a way to accommodate that scenario at this time.

                                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                    Need help fast? Netgate Global Support!

                                                    Do not Chat/PM for help!

                                                    1 Reply Last reply Reply Quote 0
                                                    • K
                                                      kejianshi last edited by

                                                      Whatever you do, don't use a vpn.  That would be too easy…

                                                      1 Reply Last reply Reply Quote 0
                                                      • C
                                                        corotte last edited by

                                                        Thank you very much for this package !!  ;D

                                                        that should do the trick for some of my customers who are stuck with application that use "archaic" FTP Active client to update :)

                                                        Will try it in next maintenance  8)

                                                        1 Reply Last reply Reply Quote 0
                                                        • L
                                                          lpandolfini last edited by

                                                          Thank you very much for this package!

                                                          I have a little problem with one WAN and multiple LAN, with different VIPs used for outgoing traffic (one per LAN), the post is this:
                                                          https://forum.pfsense.org/index.php?topic=91638.0

                                                          Thanks.
                                                          Luca

                                                          1 Reply Last reply Reply Quote 0
                                                          • M
                                                            Marlenio last edited by

                                                            Hi,
                                                            is it possible to add more than one ip on bypass list?

                                                            Marlenio

                                                            1 Reply Last reply Reply Quote 0
                                                            • jimp
                                                              jimp Rebel Alliance Developer Netgate last edited by

                                                              @Marlenio:

                                                              is it possible to add more than one ip on bypass list?

                                                              Make an alias and put the alias name there.

                                                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                              Need help fast? Netgate Global Support!

                                                              Do not Chat/PM for help!

                                                              1 Reply Last reply Reply Quote 0
                                                              • M
                                                                Marlenio last edited by

                                                                @jimp:

                                                                Make an alias and put the alias name there.

                                                                Thanks in advance. :) :)

                                                                Marlenio

                                                                1 Reply Last reply Reply Quote 0
                                                                • M
                                                                  Marlenio last edited by

                                                                  @Marlenio:

                                                                  @jimp:

                                                                  Make an alias and put the alias name there.

                                                                  Thanks in advance. :) :)

                                                                  I try. I made an alias with two Ip and put the name in "Proxy Bypass: Destination", restart service, but it doesn't works.

                                                                  EDIT: alias works if declare IPs like a "/32" network, but not like single host. :)

                                                                  Marlenio

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • luckman212
                                                                    luckman212 LAYER 8 last edited by

                                                                    jimp-

                                                                    Just wanted to thank you wholeheartedly for this package. I know FTP is 'discouraged' but sadly we can't always force these decisions on users when legacy systems are in place and working. This package has saved us a lot of headache.

                                                                    bravo sir

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • H
                                                                      h.kling last edited by

                                                                      Dear Jimp,

                                                                      thank you VERY MUCH for this great package!

                                                                      Is it possible to modify package and GUI to realize an explicit proxy environment?

                                                                      Best wishes

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • T
                                                                        tmc last edited by

                                                                        Have an issue with 2 in-series PFSense boxes… the 2nd one is on a LAN (Opt1 on PFSense #1 / all traffic in-and-out for that LAN on WAN Virtual IP and NAT'd through to 2nd pfSense) and needs to get out to WAN for Active FTP Session.  If I set the 2nd pfSense FTP Client Proxy to WAN external address it won't connect at all, but if I set it to default (WAN - which is actually LAN going to Opt1 in first pfSense), it connects but will not open data port.

                                                                        Hope this make sense - any ideas?

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • jimp
                                                                          jimp Rebel Alliance Developer Netgate last edited by

                                                                          @klingone:

                                                                          Is it possible to modify package and GUI to realize an explicit proxy environment?

                                                                          Not that I'm aware of. If you need an explicit proxy, I believe that squid can handle that.

                                                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                          Need help fast? Netgate Global Support!

                                                                          Do not Chat/PM for help!

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • jimp
                                                                            jimp Rebel Alliance Developer Netgate last edited by

                                                                            @tmc:

                                                                            Have an issue with 2 in-series PFSense boxes… the 2nd one is on a LAN (Opt1 on PFSense #1 / all traffic in-and-out for that LAN on WAN Virtual IP and NAT'd through to 2nd pfSense) and needs to get out to WAN for Active FTP Session.  If I set the 2nd pfSense FTP Client Proxy to WAN external address it won't connect at all, but if I set it to default (WAN - which is actually LAN going to Opt1 in first pfSense), it connects but will not open data port.

                                                                            I use it here with multiple boxes in series and it's OK but I don't use VIPs or send it out an alternate WAN (just the default WAN at my edge, not my second WAN).

                                                                            When using load balancing or multi-wan, the FTP traffic (including high data ports) would have to exit the default WAN or the proxy won't work correctly.

                                                                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                            Need help fast? Netgate Global Support!

                                                                            Do not Chat/PM for help!

                                                                            1 Reply Last reply Reply Quote 0
                                                                            • R
                                                                              rougement last edited by

                                                                              I've been banging my head against a brick wall trying to get an old FTP client to work properly. Thank you so much for your work, I appreciate it.

                                                                              1 Reply Last reply Reply Quote 0
                                                                              • S
                                                                                stavros last edited by

                                                                                Hi, i need some help on configuring FTP Client Proxy Package in order to give ftp access on my network. I have 2 wan (WAN1 & WAN2) and one LAN interface.

                                                                                Local Interface: I select only LAN ?
                                                                                Anonymous Only: Not checked
                                                                                Source Address: I put one of the two public WAN ip address?
                                                                                Proxy Bypass Source: None
                                                                                Proxy Bypass Dest: None
                                                                                Bind Port: None
                                                                                Maximum Sessions (Default: 100): None
                                                                                Traffic Shaping Queue: None
                                                                                Rewrite Source to Port 20 : Not checked
                                                                                Idle Timeout (Default: 86400) : None
                                                                                Log Connections : Not Checked

                                                                                Do i need any other configuration? I use filezilla ftp server.

                                                                                sorry but my knowledge is very basic on this staff.

                                                                                1 Reply Last reply Reply Quote 0
                                                                                • D
                                                                                  doktornotor Banned last edited by

                                                                                  @stavros:

                                                                                  Do i need any other configuration? I use filezilla ftp server.

                                                                                  This package is for FTP clients using active mode behind pfSense.

                                                                                  https://doc.pfsense.org/index.php/FTP_without_a_Proxy

                                                                                  1 Reply Last reply Reply Quote 0
                                                                                  • S
                                                                                    svenruben last edited by

                                                                                    Many thanks for building this package, install, enable, assign client interfaces ALL DONE. You safed my day! thanks a lot. sven

                                                                                    1 Reply Last reply Reply Quote 0
                                                                                    • First post
                                                                                      Last post