Discussion:
[pfSense] FTP Behind pfSense
Marcus Limosani
2013-11-27 00:13:46 UTC
Hi,

I have just finished setup of a Cloud Linux / cPanel WHM system.
It is all working wonderfully, except for FTP.
I cannot establish a data connection to the server
(The server is running a private IP 1:1 NAT - and the Private IP FTP is working fine, so I don't believe it to be an issue with the server itself)

I have port 21 and 49153-64134 (passive ports as configured in pure-ftpd) accepted.

I am not sure what else to try.

The other troubling thing about trying to debug this is that even though I have the firewall rule set to log, I NEVER see any traffic logs for the IP / Ports.

Anyone have some FTP success out there?
Adam Thompson
2013-11-27 00:28:01 UTC
Post by Marcus Limosani
It is all working wonderfully, except for FTP.
I cannot establish a data connection to the server
(The server is running a private IP 1:1 NAT – and the Private IP FTP
is working fine, so I don’t believe it to be an issue with the server
itself)
[...]
The other troubling thing about trying to debug this is that even
though I have the firewall rule set to log, I NEVER see any traffic
logs for the IP / Ports.
Anyone have some FTP success out there?
You need to run an FTP proxy; regardless of active or passive mode,
*inbound* FTP does not understand how to traverse NAT. IIRC, pfSense has
one built in.

Read
https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense
for details on what to do.

As noted at that page, there *is* an option for running a specified
range of ports, but you also will then need to perform step 3 (on the
Wiki, under Option 2) to convince your FTP server that its own IP
address isn't its "real" IP address. Doing this will likely break
internal FTP clients... so there are downsides to both methods. Oh, and
you can't mix the two methods :-).

Short answer: inbound FTP and NAT (of any flavour) don't mix well.

The typical answer here is - don't NAT an FTP server. Put it on a DMZ
segment that isn't NAT'd. Or, if that's not possible, put it behind a
transparent-mode firewall (pfSense can do this). In any event, avoid
mixing (inbound) FTP and NAT as much as possible.

If you're determined to do this anyway, note the '-P' option for
Marcus Limosani
2013-11-27 01:15:04 UTC
Hi Adam,

Thanks for the input.

pfSense 2.1 doesn’t have a checkbox as such for the proxy helper app.
It appears to be controlled by the NAT reflection setting (NAT + Proxy or Pure NAT).

I have my IPs set up as Proxy ARP.

Not sure how to utilise the CARP style. Might need to look into it.

From: list-***@lists.pfsense.org On Behalf Of Adam Thompson
Sent: Wednesday, 27 November 2013 11:28 AM
To: pfSense support and discussion
Subject: Re: [pfSense] FTP Behind pfSense

On 13-11-26 06:13 PM, Marcus Limosani wrote:
It is all working wonderfully, except for FTP.
I cannot establish a data connection to the server
(The server is running a private IP 1:1 NAT – and the Private IP FTP is working fine, so I don’t believe it to be an issue with the server itself)
[...]
The other troubling thing about trying to debug this is that even though I have the firewall rule set to log, I NEVER see any traffic logs for the IP / Ports.
Anyone have some FTP success out there?

You need to run an FTP proxy; regardless of active or passive mode, *inbound* FTP does not understand how to traverse NAT. IIRC, pfSense has one built in.

Read https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense for details on what to do.

As noted at that page, there *is* an option for running a specified range of ports, but you also will then need to perform step 3 (on the Wiki, under Option 2) to convince your FTP server that its own IP address isn't its "real" IP address. Doing this will likely break internal FTP clients... so there are downsides to both methods. Oh, and you can't mix the two methods :-).

Short answer: inbound FTP and NAT (of any flavour) don't mix well.

The typical answer here is - don't NAT an FTP server. Put it on a DMZ segment that isn't NAT'd. Or, if that's not possible, put it behind a transparent-mode firewall (pfSense can do this). In any event, avoid mixing (inbound) FTP and NAT as much as possible.

If you're determined to do this anyway, note the '-P' option for pure-ftpd. From the readme:

- '-P <ip address or host name>': Force the specified IP address in reply to
  a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box
  that doesn't properly handle stateful FTP masquerading, put the ip address
  of that box here. If you have a dynamic IP address, you can put the public
  host name of your gateway, that will be resolved every time a new client will
  connect.

There are other firewalls that can do transparent FTP proxying that combines the best of both modes, but to the best of my knowledge, no pf-based firewall (including pfSense) can do this. Some iptables-based (i.e. Linux) firewalls can do this. Many commercial products can do this, but not all.
--
-Adam Thompson

***@athompso.net
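As an added example (not from the thread or from pure-ftpd), a small diagnostic that makes Adam's point concrete: it parses a 227 PASV or 229 EPSV reply, flags a reply that advertises the server's private (pre-NAT) address or a port outside the 49153-64134 range forwarded on pfSense, and shows what the -P option changes. The reply strings and the public address 203.0.113.10 are constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Passive port range the original poster forwarded on pfSense (from the thread).
PASV_RANGE = (49153, 64134)
# RFC 1918 space: a PASV reply carrying such an address names the pre-NAT server
# address, which the client then tries and the firewall never sees (hence no log).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (advertised_ip, port) from a 227 PASV or 229 EPSV reply, else None.
    PASV encodes h1,h2,h3,h4,p1,p2 with port = p1*256 + p2; EPSV carries only the
    port and the client reuses the control-connection address (ip is None)."""
    m = PASV_RE.search(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.search(reply)
    if m:
        return None, int(m.group(1))
    return None


def check_passive_reply(reply: str, control_peer_ip: str,
                        pasv_range: Tuple[int, int] = PASV_RANGE) -> List[str]:
    """List the reasons an external client could not open the data connection."""
    parsed = parse_passive_reply(reply)
    if parsed is None:
        return ["not a parsable 227/229 passive-mode reply"]
    ip, port = parsed
    problems = []
    if ip is not None:
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            problems.append(f"advertises private {ip} instead of the 1:1 NAT address "
                            "(pure-ftpd -P <public ip> forces the right one)")
        elif ip != control_peer_ip:
            problems.append(f"advertises {ip} but the control connection went to {control_peer_ip}")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the forwarded passive range {lo}-{hi}")
    return problems


if __name__ == "__main__":  # constructed replies; 203.0.113.10 stands in for the public address
    for reply in ("227 Entering Passive Mode (10,0,0,5,195,80)",      # before -P
                  "227 Entering Passive Mode (203,0,113,10,195,80)",  # after -P
                  "229 Extended Passive Mode Entered (|||50000|)"):
        print(reply, "->", check_passive_reply(reply, "203.0.113.10") or ["ok"])
```

Run it against the 227 line a real client prints in its log (with the server's public address as the second argument) to see at a glance whether the failure is the advertised address, the port range, or neither.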
Marcus Limosani
2013-11-27 01:22:36 UTC
Thanks Adam,

Given the nature of this setup, I have just gone with the –P option on pureftp.
It all appears to be OK at this stage.

Will do some testing as I facilitate the migration of data between a couple of servers.

info
2013-11-27 20:01:08 UTC
Hi Marcus,

I had the same problem and moved to sftp using certificates. It does the
job and provides security as a plus. I don't know if this is your case,
but if you could, do that. Install the certificate in Filezilla and my
bytes flow as in a river....

Regards

Jag