Netgate Discussion Forum

    Open port for ftp

    Firewalling
    26 Posts 5 Posters 19.0k Views
    • A Former User

      On a typical router I just use port forward.

      Using pfSense, I can't figure out how to open port 21 and point it to my PC running an FTP server (192.168.1.147).

      I tried to create a rule on the WAN side, nothing. Then I tried on the LAN side… nothing.

      Do I need to make it in both places?

      Any help?

      Thanks.

      • marcelloc

        FTP is more than port 21.

        If you are using it in passive mode, you need to NAT the passive IP range too.

        If you are using active mode, you need to create a LAN rule with source port 20, source IP the FTP server, and destination any.

        You also have the option to use the built-in TFTP proxy.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • A Former User

          Thanks.

          On this PC I am using FileZilla. On my old Linksys router I only used port 21 and had no issues, but you are right about port 20. I never brought it up because I never had to use it. If I have to, I will.

          Regardless, I have no idea how to create the port in pfSense; there are more options and I don't know if I need to create it on the WAN and/or LAN side.

          Are there step-by-step guides on here?

          • marcelloc

            Take a look at doc.pfsense.org. You will find a lot of information.

            pfSense is a stateful firewall, so all rules must be placed where traffic begins.

            So, if clients come from WAN, the rule stays on WAN.

            TFTP proxy options are in System -> Advanced -> Firewall/NAT.

            Port redirections are done in Firewall -> NAT.

            • A Former User

              @marcelloc:

              OK, so for FTP I need to open the port on the WAN interface and configure port forwarding?

              What are the LAN rules for? Can you give me an example?

              • marcelloc

                Port forward has an option to be associated with a firewall rule; it's one of the last options.

                LAN rules are used to filter outgoing traffic (LAN to WAN).

                • A Former User

                  @marcelloc:

                  OK, so I should focus on ports 20 and 21 on the WAN interface and write it for the static IP of the PC that is acting as an FTP server.

                  • A Former User

                    I am still not able to connect in.

                    I opened ports 20-21 to my LAN IP 192.168.10.250.

                    So far, I have 1 rule created on the WAN interface.

                    • marcelloc

                      Port 21 is inbound from WAN to LAN:

                      200.200.200.200.1025 -> 192.168.10.250.21

                      Port 20 is outbound, so no NAT required, LAN to WAN:

                      192.168.10.250.20 -> 200.200.200.200.1030

                      • A Former User

                        @marcelloc:

                        You lost me… maybe pfSense is too advanced for me.

                        • marcelloc

                          Take a look at this doc; it may help you.

                          http://slacksite.com/other/ftp.html

                          • A Former User

                            @marcelloc:

                            Well, that explains the FTP stuff, but I am certain the problem is with my setup in pfSense.

                            The consumer routers don't have as many options as pfSense (not the ones I used), and opening/forwarding a few ports for FTP was very easy.

                            Maybe I need to take a screenshot of my setup and upload it here.

                            brb

                            • johnpoz LAYER 8 Global Moderator

                                I think you're putting too much thought into it. All you need to do is create the NAT, and by default pfSense will create the WAN rule for you.

                                So I just opened up FTP for a test.

                                Attached you will find first me creating the NAT (port forward). You only need to pick FTP, the inside IP you want to forward to, and the port, again FTP.

                                Then you will see the NAT listed (port forward).

                                And then you will see the WAN rule is auto-created for you, unless you change that at the very bottom of creating the NAT.

                                NOW, testing from outside your network: NAT reflection could be causing you grief if you're trying to access your FTP using the public IP from a box inside your network.

                                And then finally you will see it working: access and then a dir listing, which would use the data port. You only need to create a rule for FTP (21). Now depending on your server or client, if you're doing active or passive, etc., then you might have to do some extra, but out of the box it really should only take 2 seconds to forward FTP into one of your servers.

                                [attachments: ftppfsensenat.png, ftpportforwardlisting.png, wanrules.png, working.png]

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  • A Former User

                                  @johnpoz:

                                  What you are saying is different from what was first recommended, so yes, I can see how I might be making this a bigger deal than it should be.
                                  Also, I am able to test from the outside in. I have pfSense using 1 IP of my available 13. I am logged on from another network trying to hit the pfSense box.

                                  I will take a look at your pics.

                                  Thanks for taking the time to make them.

                                    • marcelloc

                                     johnpoz,

                                     Post your TFTP proxy setup too; FTP does not work only on port 21.

                                      • A Former User

                                      @johnpoz:

                                      Perfect… that worked without any issues at all.

                                      Thanks!

                                        • johnpoz LAYER 8 Global Moderator

                                         "ftp does not work only on port 21."

                                         Where did I say it did??? I completely agree with you: source port 20 in an active connection, and the server creates this connection to the client. And then in passive, some normally random port above 1024 would be sent to the client from the server through the control connection, and the client would connect to that.

                                         As to my TFTP proxy setting: I do not use that. But I am pretty sure that pfSense has an FTP helper built in, which I believe there has been some discussion on in the past that there is no way to turn it off?

                                         But what would the TFTP proxy have to do with FTP? TFTP is NOTHING like FTP at all. It's normally UDP, for one big difference ;)

                                         [attachment: tftpproxy.png]

                                          • marcelloc

                                           Now it's clear to me; this successful setup is for active connections only.

                                            • johnpoz LAYER 8 Global Moderator

                                             No, that is not what I am saying either. I am not having any issues with passive either:

                                             ftp> passive
                                             Passive mode on.
                                             ftp> ls
                                             227 Entering Passive Mode (24,13,xx,xx,19,137)
                                             150 Connection accepted
                                             -rw-r--r-- 1 ftp ftp             35 Jan 12 11:26 test.txt
                                             226 Transfer OK
                                             ftp> get test.txt
                                             local: test.txt remote: test.txt
                                             227 Entering Passive Mode (24,13,xx,xx,19,138)
                                             150 Connection accepted
                                             226 Transfer OK
                                             35 bytes received in 0.00 secs (235.7 kB/s)

                                             There is an FTP helper that handles this sort of thing: once you create the NAT for the control channel, pfSense should handle the rest of it for the data channels.

                                             As you can see from above, I was clearly in passive mode and pulled a file from the server. (I snipped out part of my public IP for security reasons.)

                                             And here it is working in active mode, which, if passive is off, then you're active:

                                             ftp> passive
                                             Passive mode off.
                                             ftp> ls
                                             200 Port command successful
                                             150 Opening data channel for directory list.
                                             -rw-r--r-- 1 ftp ftp             35 Jan 12 11:26 test.txt
                                             226 Transfer OK
                                             ftp> get test.txt
                                             local: test.txt remote: test.txt
                                             200 Port command successful
                                             150 Opening data channel for file transfer.
                                             226 Transfer OK
                                             35 bytes received in 0.01 secs (6.8 kB/s)

                                             edit: now where you can have problems is if both server and client are behind NAT. In the examples I have given, only the server is behind my NAT. My client is from my webhost SSH access, so it's on a public IP. Working from home today because of snow, but tomorrow from work I can do testing with both my server and the client being behind a NAT.

                                             Yeah, FTP can be fun ;) But with the FTP helper you should not have to do anything manually for your rules, be it active or passive, into your server.

                                             edit2: I was just having a conversation with a colleague at work the other day about the FTP protocol. It's kind of a mess with today's networks and all the NATs and such. When it was created the net was a much different place. Now if you want some more fun, start playing with FTPS: are you going implicit or explicit? The problem is now the PORT command is inside a secure tunnel, so firewall/router helpers cannot modify the commands with the correct IPs, etc. So you have problems with that for sure; if that is the case then yeah, you have to create some manual rules for the ports that you're going to use.

                                             To be honest I would go with SFTP vs FTP, or just FTP over an SSH tunnel. It's easier for sure with SFTP since you're only dealing with 1 port, the SSH port, normally 22, and not control and data ports, active and passive, etc. etc.

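The two things the thread keeps circling (marcelloc's two flows, `200.200.200.200.1025 -> 192.168.10.250.21` for the control channel and `192.168.10.250.20 -> 200.200.200.200.1030` for active data, and the `227 Entering Passive Mode (…,19,137)` lines in johnpoz's session) are both just address/port pairs carried as text on the control connection. The block below is an added example, not code from the thread or from pfSense: it decodes the `227` reply and the `PORT` command, shows that `(19,137)` is port 19*256+137 = 5001, and models what a NAT FTP helper has to do for a server behind NAT, namely rewrite the private address in the server's `227` reply to the firewall's WAN address and open a matching pinhole. The WAN address 203.0.113.10 is a constructed documentation address, the function names and the pinhole dictionary are this example's own model and not pfSense's pf implementation, and the server and client addresses are taken from the thread.

```python
# Added example (not from the forum thread or pfSense): how the FTP data
# channel is negotiated on the control connection, and what a NAT "FTP helper"
# in front of 192.168.10.250 has to rewrite and open for each mode.
import re
from typing import Optional

# 227 reply: server tells the client where to connect for the data channel.
# The port is two decimal bytes: p1*256 + p2, so (19,137) is 19*256+137 = 5001.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# PORT command: client tells the server where to connect (active mode).
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def _decode(groups) -> tuple[str, int]:
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError(f"byte out of range in {groups}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(host: str, port: int) -> str:
    if not 0 < port <= 65535:
        raise ValueError(f"bad port {port}")
    return f"{host.replace('.', ',')},{port // 256},{port % 256}"


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    return _decode(m.groups())


def parse_port_command(cmd: str) -> tuple[str, int]:
    """Active mode: client -> server 'PORT h1,h2,h3,h4,p1,p2'; server then connects from port 20."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode(m.groups())


def build_port_command(client_ip: str, client_port: int) -> str:
    """Build the PORT line a client sends for active mode."""
    return f"PORT {_encode(client_ip, client_port)}\r\n"


def helper_rewrite_pasv(reply: str, server_inside_ip: str, wan_ip: str) -> tuple[str, Optional[dict]]:
    """Model of the NAT helper's job on the control channel in passive mode.

    The server behind NAT advertises its private address in the 227 reply. The
    helper substitutes the firewall's WAN address and records the pinhole it must
    open for the next inbound data connection: wan_ip:port -> server_inside_ip:port.
    Returns (rewritten_reply, pinhole), or (reply, None) if the reply does not
    carry the inside address (nothing to rewrite).
    """
    host, port = parse_pasv_reply(reply)
    if host != server_inside_ip:
        return reply, None
    rewritten = f"227 Entering Passive Mode ({_encode(wan_ip, port)})\r\n"
    pinhole = {"proto": "tcp", "dst": (wan_ip, port), "rdr_to": (server_inside_ip, port)}
    return rewritten, pinhole


def active_mode_state(cmd: str, server_inside_ip: str) -> dict:
    """Active mode: the outbound data connection the firewall must permit (no port forward).

    This is the thread's "192.168.10.250.20 -> 200.200.200.200.1030": source is the
    server's port 20, destination is whatever the client announced in PORT.
    """
    client_ip, client_port = parse_port_command(cmd)
    return {"proto": "tcp", "src": (server_inside_ip, 20), "dst": (client_ip, client_port)}


if __name__ == "__main__":
    SERVER = "192.168.10.250"       # FTP server address from the thread
    WAN = "203.0.113.10"            # constructed WAN address (TEST-NET-3), an assumption
    CLIENT = "200.200.200.200"      # client address from marcelloc's example
    # constructed 227 reply, as the server behind NAT would emit it with its private IP
    raw = "227 Entering Passive Mode (192,168,10,250,19,137)\r\n"
    print(parse_pasv_reply(raw))    # ('192.168.10.250', 5001)
    print(helper_rewrite_pasv(raw, SERVER, WAN))
    print(active_mode_state(build_port_command(CLIENT, 1030), SERVER))
```

Running it shows why a plain port forward of 21 is enough when the helper is active: the helper sees the `227` text on the control channel, swaps in the WAN address, and opens the data-port pinhole itself. It also makes johnpoz's FTPS point concrete: once the control channel is inside TLS, nothing in front of the server can read or rewrite that `227` line, so the passive port range has to be forwarded by hand.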
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.