Hi all! I have known of that problem since RC1 (possibly the first version I tried). It hasn't been fixed in 1.0-SNAPSHOT-09-27-06. Since there are some tweaks involved, I wanted to discuss it before writing a bug report.
The main problem is that the FTP-Helper for the WAN interface seems never to be started. The second one is that it isn't possible to give the FTP-Helper another source IP address than that of the interface it's enabled for.

The FTP-Helper (pftpx) is started from system_start_ftp_helpers() in config.inc, line 1363ff. It first builds an array to work with. That array contains only the LAN and the OPT interfaces, not the WAN interface. In a loop over that array ($iflist) the FTP-Helper is started if $disableftpproxy isn't set for the interface. If no IP address is bound to the interface, ftpsesame is used. Correct me if I'm wrong, but that can only happen if the interface is the WAN interface. To sum up: in system_start_ftp_helpers() the FTP-Helper isn't started for the WAN interface.

I searched further and found some code in filter_nat_rules_generate() in filter.inc, line 529ff. Here the nat anchor is defined first, then the anchor for redirects. Next, the same as above: an array is built to work with (without an entry for the WAN interface), and in a loop the redirection rules for the FTP-Helper are created (line 713ff). In 818ff the FTP-Helper is started for interfaces with port forwarding which don't have $disableftpproxy set. If the FTP server isn't configured with port forwarding on the WAN interface (because it has a routable address), the FTP-Helper isn't started for it.

Now my question: is this correct? How am I able to connect to my public routable FTP server in the DMZ and do FTP data connections to it?

The second item is a problem with our (bad) network design: between the internet router and the FW there is a private transfer net (10.0.0.0/24). Therefore our FW has a private external (WAN) IP address. The hosts in the DMZ are fully routable and have a public IP address, so the pfsense box has one too. Internal IP addresses are private ones.
To make FTP work from inside to outside, I have to start the FTP-Helper with a publicly reachable IP address as source IP, but pfsense launches the FTP-Helper with the WAN IP address as source. What I want to do is launch the FTP-Helper with my own proxy source IP (that of the DMZ interface in my case). pftpx gives me the following option for that:

    -p address    Proxy source address. The proxy will use this as the source address to connect to servers.

So is it possible to configure another source IP for pftpx anywhere in pfsense? A hidden option for that seldom case (maybe it's also an advantage in case of virtual IPs, CARP for example) would be fine.

BR, PIT

---------------------------------------------------------------------------
copyleft(c) by        |  _-_    "Never make any mistaeks." (Anonymous, in a
Peter Allgeyer        | 0(o_o)0  mail discussion about a kernel bug report.)
---------------oOO--(_)--OOo-----------------------------------------------
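As an added illustration (not pfSense's code and not from the poster), here is a small Python model of the helper-start decision the post describes: an interface list without WAN, the $disableftpproxy check, the ftpsesame fallback when no address is bound, and a hypothetical box-wide proxy source address mapped onto pftpx's documented -p option. The interface table and the include_wan/proxy_source parameters are constructed assumptions.

```python
# Model of the FTP-helper start logic as described in the post, with a
# proposed source-address override. Illustrative only; the interface table
# below and the include_wan/proxy_source switches are constructed assumptions.

# Constructed configuration matching the post's topology: WAN sits on a
# private transfer net, OPT1 (DMZ) carries a public address, LAN is private,
# OPT2 has no address bound at all.
CONFIG = {
    "wan":  {"ip": "10.0.0.2",     "disableftpproxy": False},
    "lan":  {"ip": "192.168.1.1",  "disableftpproxy": False},
    "opt1": {"ip": "203.0.113.1",  "disableftpproxy": False},
    "opt2": {"ip": None,           "disableftpproxy": False},
}


def build_iflist(config, include_wan=False):
    """As shipped, the list holds only LAN and OPT* interfaces; include_wan
    models the proposed change of adding WAN to that list."""
    names = [n for n in config if n == "lan" or n.startswith("opt")]
    if include_wan and "wan" in config:
        names.insert(0, "wan")
    return names


def plan_ftp_helpers(config, include_wan=False, proxy_source=None):
    """Return one decision per interface: which helper would be started and
    with which source address. proxy_source models a hypothetical setting
    that maps to pftpx's '-p address' (proxy source address) option."""
    plan = {}
    for ifname in build_iflist(config, include_wan):
        entry = config[ifname]
        if entry["disableftpproxy"]:
            plan[ifname] = {"helper": None, "source": None, "args": []}
        elif entry["ip"] is None:
            # No address bound: the post says ftpsesame is used instead of pftpx.
            plan[ifname] = {"helper": "ftpsesame", "source": None, "args": []}
        else:
            src = proxy_source or entry["ip"]
            plan[ifname] = {"helper": "pftpx", "source": src,
                            "args": ["pftpx", "-p", src]}
    return plan


if __name__ == "__main__":
    # Current behaviour: WAN never appears in the plan.
    print(plan_ftp_helpers(CONFIG))
    # Proposed behaviour: WAN included, proxy sourced from the DMZ address.
    print(plan_ftp_helpers(CONFIG, include_wan=True, proxy_source="203.0.113.1"))
```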