Netgate Discussion Forum
    FTPS cannot get through

jsun9

      FTPS does not seem to get through when the ftp-helper is enabled. I get as far as the USER command then it stops.

      Status: Resolving IP-Address for mycomputer.gotdns.com
      Status: Connecting to MyIP:21…
      Status: Connection established, waiting for welcome message...
      Response: 220 This is a private FTP server. Unauthorized use is prohibited. All sessions
      Command: AUTH TLS
      Response: 234 Using authentication type TLS
      Status: Initializing TLS...
      Command: USER Administrator
      Error: Connection timed out
      Error: Could not connect to server

      If I add a rule to allow all ports & protocols for my IP and set the gateway as WAN then I cannot use FTP at all (when the ftp-proxy is enabled).

      Status: Resolving IP-Address for mycomputer.gotdns.com
      Status: Connecting to myip:21...
      Status: Connection established, waiting for welcome message...

      But, if I disable the ftp helper and leave the "Allow All" rule for me, then I can connect just fine. However, this breaks regular FTP for everyone else.

      Finally, if I simply allow just port 21 & 20 through and disable FTP proxy then I get this:
      Status: Resolving IP-Address for MyServer
      Status: Connecting to MyServer:21...
      Status: Connection established, waiting for welcome message...
      Response: 220 This is a private FTP server. Unauthorized use is prohibited. All sessions
      Command: AUTH TLS
      Response: 234 Using authentication type TLS
      Status: Initializing TLS...
      Command: USER Administrator
      Status: Verifying certificate...
      Status: TLS/SSL connection established.
      Response: 331 Password required for Administrator
      Command: PASS **********
      Response: 230 Logged on
      Command: SYST
      Response: 215 UNIX emulated by FileZilla
      Command: FEAT
      Response: 211-Features:
      Response: MDTM
      Response: REST STREAM
      Response: SIZE
      Response: MLST type*;size*;modify*;
      Response: MLSD
      Response: AUTH SSL
      Response: AUTH TLS
      Response: UTF8
      Response: CLNT
      Response: MFMT
      Response: 211 End
      Command: PBSZ 0
      Response: 200 PBSZ=0
      Command: PROT P
      Response: 200 Protection level set to P
      Status: Connected
      Status: Retrieving directory listing...
      Command: PWD
      Response: 257 "/" is current directory.
      Command: TYPE I
      Response: 200 Type set to I
      Command: PASV
      Response: 227 Entering Passive Mode (MyServer,191,105)
      Command: LIST
      Response: 425 Can't open data connection.

      I am sure this has been asked a million times, but I did a search for "FTPS" and I got a list of crap like "ftpserver", etc. Is there a way to search and return literally "FTPS"?

GruensFroeschli
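To make the symptom in the logs above concrete: an FTP helper such as the one pfSense enables here works by reading the plaintext control channel, spotting the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply (or the client's `PORT` command) and opening a firewall pinhole for the data connection it announces. After `AUTH TLS` is answered with `234`, the control channel is TLS ciphertext, so there is nothing left for a middlebox to parse; and with the helper disabled and only ports 20/21 permitted, the passive data port announced in the 227 reply is exactly what the rule set does not allow, which is the `425 Can't open data connection` in the third log. The Python below is an added illustration written for this page, not pfSense code. It uses constructed transcripts modelled on the log lines above, with the documentation address 192.0.2.10 standing in for "MyServer", and it generalises beyond the page's PASV case to also decode `PORT` and `EPSV`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed control-channel transcripts modelled on the log lines in the
# post above. "C:" is client -> server, "S:" is server -> client.
PLAIN_FTP_SESSION: List[str] = [
    "S: 220 This is a private FTP server. Unauthorized use is prohibited.",
    "C: USER Administrator",
    "S: 331 Password required for Administrator",
    "C: PASS ********",
    "S: 230 Logged on",
    "C: TYPE I",
    "S: 200 Type set to I",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,191,105)",
    "C: LIST",
]

# The same session over explicit FTPS: after the 234 reply every byte on the
# control channel is TLS ciphertext, represented here by opaque placeholders.
EXPLICIT_FTPS_SESSION: List[str] = [
    "S: 220 This is a private FTP server. Unauthorized use is prohibited.",
    "C: AUTH TLS",
    "S: 234 Using authentication type TLS",
    "C: <tls ciphertext>",  # ClientHello, then USER/PASS/PASV under TLS
    "S: <tls ciphertext>",  # ServerHello ... the 227 reply, unreadable in transit
    "C: <tls ciphertext>",
    "S: <tls ciphertext>",
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Decode a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Minimal model of an FTP application-layer helper.

    It watches the plaintext control channel and records each data connection
    it would have to permit (a "pinhole").  Once it sees a successful AUTH TLS
    it can no longer read anything, which is the FTPS failure mode.
    """

    def __init__(self, server_ip: str) -> None:
        self.server_ip = server_ip          # control-channel peer, used for EPSV
        self.awaiting_auth_reply = False
        self.encrypted = False
        self.opaque_lines = 0
        self.pinholes: List[Tuple[str, str, int]] = []

    def feed(self, direction: str, line: str) -> None:
        if self.encrypted:
            self.opaque_lines += 1      # ciphertext: no PASV/PORT to parse
            return
        if direction == "C":
            if line.upper() in ("AUTH TLS", "AUTH SSL"):
                self.awaiting_auth_reply = True
            m = PORT_RE.match(line)
            if m:
                # Active mode: the server will connect back to this client address.
                host = ".".join(m.group(i) for i in range(1, 5))
                self.pinholes.append(("active", host, int(m.group(5)) * 256 + int(m.group(6))))
            return
        if self.awaiting_auth_reply:
            self.awaiting_auth_reply = False
            if line.startswith("234"):
                self.encrypted = True   # everything after this is TLS
                return
        pasv = parse_pasv_reply(line)
        if pasv:
            self.pinholes.append(("passive", pasv[0], pasv[1]))
        m = EPSV_RE.match(line)
        if m:
            # EPSV announces only the port; the host is the control-channel peer.
            self.pinholes.append(("passive", self.server_ip, int(m.group(1))))


def inspect_session(lines: List[str], server_ip: str = "192.0.2.10") -> Dict[str, object]:
    """Run the helper over a transcript and report what it could learn."""
    helper = FtpHelper(server_ip)
    for entry in lines:
        direction, _, text = entry.partition(": ")
        helper.feed(direction, text)
    return {"pinholes": helper.pinholes, "encrypted": helper.encrypted,
            "opaque_lines": helper.opaque_lines}


if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_FTP_SESSION), ("explicit FTPS", EXPLICIT_FTPS_SESSION)):
        r = inspect_session(session)
        print(f"{name}: encrypted={r['encrypted']} pinholes={r['pinholes']}")
```

Running it shows the plain session yields one pinhole to 192.0.2.10:49001 (191*256+105, the port behind the `(MyServer,191,105)` reply in the log) while the FTPS session yields none, because the helper goes blind at the `234` reply. That is why a helper cannot be made to work for FTPS with an encrypted control channel; the usual remedies are a fixed passive port range on the server with a matching firewall rule, or ftps-aware servers that keep the control channel in the clear (CCC) where policy allows it.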

        Use the search:

        http://devwiki.pfsense.org/FTPTroubleShooting

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

jsun9

          I tried using search (as I mentioned) but how would I find that article? Typing just FTPS into the search box does not work well. What would you recommend using to search?

          Thanks for the article, I will post my results.

GruensFroeschli

            Well ftps is not sftp.
            So anything that applies to ftp should also apply to ftps.

If you just look at the communication it shouldn't look different than a normal ftp connection.
            Just the data channel is encoded.


jsun9

              There are some serious issues with how pfSense handles FTP traffic (of all types). You're right in that FTP & FTPS should operate the same, but they don't. I can only get FTP & SFTP or just FTPS to work at any given time.

              I've tried just about everything.

              Can you confirm yourself that you've gotten FTP, FTPS (explicit) and SFTP to work all at the same time without using an "Allow All" rule
              (i.e. *  LAN_Subnet  *  *  *  WAN2)?

              Thanks

jsun9

I know pfSense is nothing like ISA... but one thing ISA does have that may be nice for pfSense to have is secondary connections (or outbound port triggering?). That's how they get around this issue. You simply allow outbound port 20 & 21, then once they're established, ISA allows whatever ports specified (in most cases the whole range) as secondary connections to the same server.

                Whatever it is...the "Disable the userland FTP-Proxy application" seems to have some issues.

GruensFroeschli

Well... Don't disable the ftp proxy.
What you describe is exactly what the ftp proxy does.

It just doesn't do it for SFTP since it isn't listening on port 22.

But I can confirm that normal FTP and FTPS work.


jsun9

                    Why not just make it an option for all rules rather than just FTP?

jsun9

                      Do you know some possible things to look for that would interfere with this working?

                      We have dual wan.
                      We have multiple FTP servers tied to different virtual ips.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.