FTP from on-site broken?



  • I have users that are trying to access our internal FTP site from on-site.  Basically, they're in the office, and our FTP server is in here too, but they want to be able to connect to ftp.ourdomain.com.  In other words, they want to be able to go out our external interface of the firewall, and come back in to access the FTP site.  This doesn't work with pfSense in our configuration.  It used to work with our old firewall.  Any ideas on why this doesn't work?  Other things (HTTP, PPTP, etc.) do work outbound through the external pfSense interface, and then back in.  Any suggestions on fixing this - or explaining this?

    As an aside, yes - I realize that they can just copy the files to the FTP share via UNC, but it's a problem for some reason.  No one trusts the FTP site because of this.
    Thanks,



  • Cannot be done. Either set up an entry if you are using the DNS forwarder of pfSense, or use the IP directly.



  • Can you provide any more info about why it can't be done - so I have a good explanation when people ask?

    I tried connecting via our external IP to FTP - it failed as well.

    Can you expand on the DNS forwarder statement? Right now DNS forwarders in pfSense are set as follows: Primary DNS: internal DNS server for internal IPs, Secondary DNS: our ISP's DNS server.

    Thanks again for the help - I really do appreciate it!



  • Under the DNS forwarder server, you enter a record that overrides ftp.yourdomain.com with the actual private address of your FTP server. That way, everyone can still access the FTP site internally using the name and they won't know the difference.



  • So on my internal DNS server, create a CNAME alias for ftp.mydomain.com?  If I create an alias (CNAME) for "ftp.mydomain.com", it does not respond.  However, if I create an alias for something like "FTPSITE", it does respond.

    As another data point - why does typing "http://mail.mydomain.com" from on-site take me to my mail server on-site, while typing "ftp://ftp.mydomain.com" does not?  There is no CNAME for "mail.mydomain.com" on my internal DNS server.



  • You need to do split dns. Queries coming from the inside should get the internal address for ftp.mydomain.com as the reply and queries coming from the outside should get the external address as the reply.



  • It is because there is an ftp-proxy running on pfSense.
    If you do not care about outgoing FTP but just in-site FTP, then click the disable ftp-proxy option at the Interface->LAN config. Then NAT reflection will do the job.



  • If I disable ftp-proxy on pfSense, what will be the result (I don't have pfSense in a lab environment to test this with at the moment)?

    Will FTP outbound to other domains (e.g. ftp.microsoft.com) still work?  And will in-bound FTP to our site from a client's site still work (e.g. ourclient.com coming inbound to ftp.mydomain.com)?

    Thanks again for all of the help.

