FTP access from WAN
-
Hello
I have created a NAT forwarding through the firewall to a specific IP address on my LAN.
I can establish a connection but I get an error in the FTP program.
Rules are like this:
Rules:
TCP/UDP * * WAN address 21 (FTP) * NAT WAN to WAN FTP
NAT rules:
TCP/UDP * * 172.16.10.100 21 (FTP) * NAT WAN to WAN FTP
TCP/UDP * * WAN address 21 (FTP) * NAT WAN to WAN FTP
The error message I get is:
Status: Finner IP-adresse for mikkel.gotdns.com
Status: Kobler til 81.166.107.132:21…
Status: Tilkoblet, venter på velkomstmelding...
Respons: 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
Kommando: USER mikkel
Respons: 331 Password required for mikkel.
Kommando: PASS *********
Respons: 230 User mikkel logged in.
Kommando: CLNT FileZilla
Respons: 200 Noted.
Kommando: OPTS UTF8 ON
Respons: 200 UTF8 OPTS ON
Status: Tilkoblet
Status: Mottar mappeliste...
Kommando: PWD
Respons: 257 "/" is current directory.
Kommando: TYPE I
Respons: 200 Type set to I.
Kommando: PASV
Feil: Koblet fra serveren: ECONNABORTED - Connection aborted
Feil: Feil ved mottakelse av mappelisten
What is wrong and how can I fix it?
If I skip the step in the network setup with the pfSense firewall, it works just fine.
-
micro80,
you did not mention which version of pfSense you are using?
what os and version of ftp server are you using?
i ran into the exact problem you have explained with a 64-bit version of centos 5 running vsftp server. but the 4 other 32-bit versions of vsftp server(s) worked as expected. (these were all the same version of vsftp, for posterity)
this is pfSense-1.2.3-RELEASE
i only guessed that something in the 64-bit kernel had different conntrack modules that simply couldn't traverse the pfSense box's nat.
i could get a 'one way' connection, telnet for example, but never could see files reliably. i finally gave up after quite a bit of tcpdumps, etc.
is your os, by chance, 64 bit?
-
I run 1.2.3-RELEASE
I did find the solution, and it's to run FTP in active and not passive transfer mode.
It's very bad but I don't know any solution to skip this problem.
I want to skip it because now I have a problem connecting with the Windows built-in FTP client.
Anyone have a solution?
-
Dump your rules and start over. Assuming your FTP server's IP is 172.16.10.100, change the default port to something non standard like 7431, create the following NAT Port Forward:
Interface - WAN
External address - any
Protocol - TCP
External Port Range (from) - 7431
External Port Range (to) - leave blank
NAT IP - 172.16.10.100
Local Port - 7431
Description - FTP Server
Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"
You now need to enable PASV mode on your FTP server, enter the External (Public) IP for your network and configure a PASV port range… e.g. 30000-30200 (need at least 1 port for every connected FTP user).
Create another NAT port forward for that PASV port range to your FTP server:
Interface - WAN
External address - any
Protocol - TCP
External Port Range (from) - 30000
External Port Range (to) - 30200
NAT IP - 172.16.10.100
Local Port - 30000
Description - FTP Passive Ports
Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"
Save, Apply, Done.
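
One way to confirm the passive-mode setup described in the reply above is to check the address and port the server advertises in its 227 reply to PASV. This is an added example, not part of the thread; the 227 reply strings are constructed samples, while the public address comes from the first post's log and the 30000-30200 range from the reply above.

```python
import ipaddress
import re

# 227 reply format (RFC 959): "227 ... (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def check_pasv(reply, control_ip, port_range):
    """List the reasons a WAN client could not open the data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip.is_private:
        # Server was not told its external IP, so it hands out its LAN address
        problems.append(f"advertises private address {ip}")
    elif ip != ipaddress.IPv4Address(control_ip):
        problems.append(f"advertises {ip}, control connection is to {control_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        # No NAT port forward exists for this data port
        problems.append(f"port {port} is outside forwarded range {lo}-{hi}")
    return problems

# Constructed sample replies (not taken from the thread's log)
SAMPLES = [
    "227 Entering Passive Mode (172,16,10,100,195,80)",    # LAN IP, port 50000
    "227 Entering Passive Mode (81,166,107,132,117,148)",  # public IP, port 30100
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_pasv(s, "81.166.107.132", (30000, 30200)) or "ok")
```

An empty result means the advertised endpoint matches the public address and falls inside the forwarded PASV range.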