Netgate Discussion Forum

    FTP support needs work

    Guest

      I've spent hours reading through these forums and other sites, trying to get inbound passive FTP working.  Nothing works.

      I'm going to resort to trying to define the passive port range on the servers (all kinds of operating systems and FTP servers, this should be fun to figure out), and then open those ports on the firewall. Even then I don't know if it will work, because when my FTP servers receive the PASV command, they respond with their own internal IP address. Yes, I could change this (on the Linux servers anyway, I don't see any way to do it in Windows 2000 IIS), but anyway this breaks internal FTP!

      I think there need to be some large-type warnings that come along with pfSense, alerting potential users that FTP does not always work.

      Reading through these forums, I can see I'm not alone on this.

        Guest

        Ok, I tried my plan, setting the passive ports on one of the Linux servers, and changing it to report as its external IP. This works, but it breaks internal FTP.

        Is there any way around this? Some way to have the server respond as its internal IP, but have the firewall translate it to the external IP as it passes through? Our old Cisco box did this, I think they called it an FTP fix-up.

        Plus, I don't think there is any way to tell IIS FTP to respond to PASV commands with anything other than its own, real, internal IP?

          Guest

          Ok, here's how I got around these problems, hopefully this is useful to others who are having problems with FTP.

          For my Windows servers, I'm installing FileZilla FTP server, and dumping IIS. FileZilla is easy to configure a port range (vs registry hacks for IIS), and easy to configure it to use whatever IP address you want when announcing its external IP address (IIS can't even do this). Additionally, it has a setting for NOT using this external IP when talking to internal clients! So internal FTP still works.

          For Linux, I just added these options to my vsftpd.conf file. Most other Linux FTP servers will have something similar.
          pasv_address=<my_external_ip>
          pasv_min_port=<my_beginning_port_range>
          pasv_max_port=<my_ending_port_range>

          Then I opened that port range on the firewall for hosts that need FTP.


          Still, I am hoping the FTP stuff is working better in the next release of pfSense, then we may be able to move our other public subnet over from the Cisco box to a pfSense box.
