Author Topic: passive ftp clients behind the firewall  (Read 4760 times)

nj44451

passive ftp clients behind the firewall
« on: March 02, 2018, 07:20:20 pm »
Just last night I upgraded to OPNsense 18.1.2_2-amd64 and since the upgrade none of the computers that have FTP clients running on them can access an FTP server outside the firewall.

I never added any special rules to the firewall up to this point to get them to work. But the upgrade from 7.7 to 8.1 changed something related to the FTP.

Right now I had to move those machines over to an internet connection that is routed through my old firewall to get things working again. Anyone have any suggestions for something I can try to resolve the issue?



Thanks,

Trent


Logged

elektroinside

Re: passive ftp clients behind the firewall
« Reply #1 on: March 02, 2018, 08:16:42 pm »
Read the firewall logs while trying to access the FTP server. Do you see FTP server related connections blocked?
Logged
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

nj44451

Re: passive ftp clients behind the firewall
« Reply #2 on: March 03, 2018, 02:00:49 am »
I will take a look at the logs, but what I don't understand is everything was working normally until I upgraded to 8.1.
I am thinking to either reinstall 8.1 from scratch like I have seen in some posts or go back and stay at 7.5.



Logged

monstermania

Re: passive ftp clients behind the firewall
« Reply #3 on: March 03, 2018, 10:08:59 am »
Maybe the FTP proxy plugin is missing after update!?  ;)
Logged

hutiucip

Re: passive ftp clients behind the firewall
« Reply #4 on: March 05, 2018, 09:15:48 am »
Quote from: monstermania on March 03, 2018, 10:08:59 am
Maybe the FTP proxy plugin is missing after update!?  ;)


Happened to me too, it's a possibility.
Logged

franco

Re: passive ftp clients behind the firewall
« Reply #5 on: March 05, 2018, 09:52:50 am »
Whoops, during a major upgrade?
Logged

hutiucip

Re: passive ftp clients behind the firewall
« Reply #6 on: March 05, 2018, 10:29:41 am »
Quote from: franco on March 05, 2018, 09:52:50 am
Whoops, during a major upgrade?

I am not completely sure if it was during a major upgrade, I'd rather say not, but it happened a few months ago when ftp-proxy was moved from core to plugins. The update didn't check if ftp-proxy was installed before being a plugin, and didn't install it as a plugin during the update. If the major upgrade takes place from an old enough (sub)version of OPNsense, that is, before the plugin was removed from core... I guess it might happen.

To me it happened because I have an FTP server on a different WAN/LAN setup for some colleagues that insisted they need this dinosaur, and since it's on a different WAN, this means each and every connection is passing through 2 NAT GWs. I have set up ftp-proxy on both OPNsense machines so that it would be as easy as possible for clients to use whichever client they want, having whichever default connection type they have, active or passive. After the update I started to get tickets stating FTP is down.

It wasn't, only that on the "away" OPNsense the plugin was missing, and the NAT rule pointed to OPNsense, not to the FTP server. Even if, it would have required clients to change from active to passive... etc. (The update wasn't simultaneous, not both OPNsense were upgraded at the same time, and when the other OPNsense was updated too, I knew where to check before any complaints).
Logged

franco

Re: passive ftp clients behind the firewall
« Reply #7 on: March 05, 2018, 11:17:56 am »
os-ftp-proxy was never in core, so it can't be missing from that. Maybe as a config import / reinstall? That's when it doesn't come back automatically:

https://github.com/opnsense/core/issues/1663


Cheers,
Franco
Logged

hutiucip

Re: passive ftp clients behind the firewall
« Reply #8 on: March 05, 2018, 12:54:10 pm »
Might be!... It's been quite a while since, so I might not remember exactly what happened.  :)

Sorry if misleading!... :D
Logged

nj44451

Re: passive ftp clients behind the firewall
« Reply #9 on: March 06, 2018, 04:07:06 am »
After a fresh install not from upgrade, lots of reading and looking at log files I found the issue with the clients connecting to an ftp server in passive mode outside my network.

Because of the round robin or whatever you call it, since I have 2 virtual IPs listed the program kept using a different public IP address for the various parts of the FTP connection, and when I turned it off the FTP started making connections again. This same issue was causing issues in connecting to certain bank sites as their system detected the IP kept changing and blocked us out.


Logged
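
The symptom described in the last post (one client's FTP control and passive data connections leaving through different public addresses) can be checked for in a list of outbound NAT translations. This is an added example, not part of the thread or of OPNsense; the four-column record format and all addresses are constructed for illustration (documentation address ranges), so adapt the parser to whatever your firewall actually exports.

```python
from collections import defaultdict

# Constructed sample of outbound NAT translations (not real firewall output).
# Fields: internal source, translated (public) source, destination, dest port.
SAMPLE = """\
10.0.0.21 203.0.113.10 198.51.100.5 21
10.0.0.21 203.0.113.11 198.51.100.5 50214
10.0.0.22 203.0.113.10 198.51.100.5 21
10.0.0.22 203.0.113.10 198.51.100.5 50377
10.0.0.21 203.0.113.11 192.0.2.80 443
10.0.0.21 203.0.113.10 192.0.2.80 443
"""

def parse(text):
    """Yield (internal_src, nat_src, dst, dport) tuples from the sample format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, nat, dst, dport = parts
        yield src, nat, dst, int(dport)

def split_source_pairs(records):
    """Return {(client, server): sorted public IPs} where more than one was used."""
    seen = defaultdict(set)
    for src, nat, dst, _ in records:
        seen[(src, dst)].add(nat)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def ftp_data_mismatches(records):
    """List non-control connections to an FTP server whose public source differs
    from the public source of the same client's control connection (port 21)."""
    records = list(records)
    control = {(s, d): n for s, n, d, p in records if p == 21}
    return [(s, d, p, control[(s, d)], n)
            for s, n, d, p in records
            if p != 21 and (s, d) in control and n != control[(s, d)]]

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    for pair, ips in split_source_pairs(recs).items():
        print(pair, "->", ips)
    for row in ftp_data_mismatches(recs):
        print("FTP data/control mismatch:", row)
```

The first check also surfaces the HTTPS case from the post, where a remote site sees one client arrive from alternating public addresses.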
