Thanks Adam,

Given the nature of this setup, I have just gone with the -P option on pureftp.
It all appears to be OK at this stage.

Will do some testing as I facilitate the migration of data between a couple of 
servers.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Marcus Limosani
Sent: Wednesday, 27 November 2013 12:15 PM
To: pfSense support and discussion
Subject: Re: [pfSense] FTP Behind pfSense

Hi Adam,

Thanks for the input.

pfSense 2.1 doesn't have a checkbox as such for the proxy helper app.
It appears to be controlled by the NAT reflection setting (NAT + Proxy or Pure NAT).

I have my IPs set up as Proxy ARP.

Not sure how to utilise the CARP style.  Might need to look into it.

From: [email protected] [mailto:[email protected]] On Behalf Of Adam Thompson
Sent: Wednesday, 27 November 2013 11:28 AM
To: pfSense support and discussion
Subject: Re: [pfSense] FTP Behind pfSense

On 13-11-26 06:13 PM, Marcus Limosani wrote:
It is all working wonderfully, except for FTP.
I can not establish a data connection to the server
(The server is running a private IP 1:1 NAT – and the Private IP FTP is working 
fine, so I don’t believe it to be an issue with the server itself)
[...]
The other troubling thing about trying to debug this is that even though I have 
the firewall rule set to log, I NEVER see any traffic logs for the IP / Ports.
Anyone have some FTP success out there?

You need to run an FTP proxy; regardless of active or passive mode, *inbound* 
FTP does not understand how to traverse NAT.  IIRC, pfSense has one built in.

Read https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense 
for details on what to do.

As noted on that page, there *is* an option for running a specified range of 
ports, but you will then also need to perform step 3 (on the Wiki, under Option 
2) to convince your FTP server that its own IP address isn't its "real" IP 
address.  Doing this will likely break internal FTP clients... so there are 
downsides to both methods.  Oh, and you can't mix the two methods :-).

Short answer: inbound FTP and NAT (of any flavour) don't mix well.

The typical answer here is - don't NAT an FTP server.  Put it on a DMZ segment 
that isn't NAT'd.  Or, if that's not possible, put it behind a transparent-mode 
firewall (pfSense can do this).  In any event, avoid mixing (inbound) FTP and 
NAT as much as possible.

If you're determined to do this anyway, note the '-P' option for pure-ftpd.  
From the readme:

- '-P <ip address or host name>': Force the specified IP address in reply to
  a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box
  that doesn't properly handle stateful FTP masquerading, put the IP address
  of that box here. If you have a dynamic IP address, you can put the public
  host name of your gateway, which will be resolved every time a new client
  connects.

There are other firewalls that can do transparent FTP proxying that combines 
the best of both modes, but to the best of my knowledge, no pf-based firewall 
(including pfSense) can do this.  Some iptables-based (i.e. Linux) firewalls 
can do this.  Many commercial products can do this, but not all.


--

-Adam Thompson

[email protected]