FTP server on port other than 21
-
Maybe this is a simple question…but I've read the FTP troubleshooting FAQ and am still at a loss. I'm trying to rebuild a setup that was working fine on Smoothwall. When someone external needs to FTP in, it's a limited-access session on internal port 2121. Only internal addresses should be able to access port 21, which is less restrictive than 2121.
I've tried numerous combinations on pfSense and the closest I could get was to eventually FTP to port 21 and NAT to inside 21...which is all well and good...except that I have no rules that access port 21 (it states to go 21 --> 2121) on the NAT and I removed the auto-generated firewall rule for 21. It specifically says that any 21 is to be forwarded to 2121 and 21 isn't allowed. It seems that pfSense is overriding this behind the scenes as there is no rule to allow this to happen but it does.
So the basic question is: How do I allow an external IP to access my FTP server and have it NAT to 2121 instead of 21?
The thing I take away from the FAQ is maybe doing a NAT with a range of ports open. However, before going down that road...it works to get to port 21 with the helper turned on...is there a way to redirect to 2121 or is it built in to pfSense to assume 21 using this method?
Thanks!
PS I just recalled that I was using 2121 because I didn't want common port 21 listening on the external. So, I'd be equally happy to have 2121 listening and jumping to 2121 internal...is there any way to configure the FTP helper to listen on a port other than 21? Of course, tweaking that and my experience above indicates it might try to go to 21 on the inside still.