Netgate Discussion Forum

    [Solved] Passive FTP

      CosmoNerd

      Greetings,

      I could use some help with the following scenario, which I am banging my head against the wall over (well, almost).

      I need to allow access to an FTP server behind pfSense, but can't get it to establish passive connections (I know FTP is bad, but I still need it).

      Layout/Config: pfSense with 2 interfaces

      | 1 WAN - 66.65.nnn.nn (Default GW) |
      | 1 LAN - 192.168.1.1 |

      On the LAN interface are the following VLANs

      | VL70 - 192.168.70.0/24 |
      | VL20 - 192.168.20.0/24 |

      All inbound and outbound traffic is routed through OpenVPN tunnels with policy based routing:

      | LAN -> VPN1 - 10.4.75.90 |
      | VL70 -> VPN2 - 10.4.36.198 |
      | VL20 -> VPN2 - 10.4.154.198 |

      NAT / Port Forwarding Rule

      | Interface: WAN |
      | Src Address: * |
      | Src Ports: * |
      | Destination Address: WAN Address |
      | Destination Ports: 60001 |
      | NAT IP: 192.168.20.101 |
      | NAT Ports: 21 |

      The FileZilla Server listens and picks up the outside connection, but disconnects once the client switches to passive mode; the LS command just times out.

      Passive Mode configuration for FileZilla:
      Passive ports: 60003-61000
      Public IP: tried the actual WAN Address (65.66.nnn.nnn) as well as the one from the VPN tunnel (103.254.nnn.nn) - to no avail.

      ICMP between subnets is working, and the port range is forwarded from the VPN provider.

      Any ideas what I am missing?

      Ran packet capture on the WAN interface while connecting from https://ftptest.net:

      23:08:54.796477 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 0
      23:08:54.796650 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:54.923073 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 0
      23:08:54.923661 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 151
      23:08:55.064816 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 52
      23:08:55.064841 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 0
      23:08:55.064937 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:55.186401 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:55.186552 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 16
      23:08:55.309057 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 9
      23:08:55.514664 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:55.637783 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:55.637954 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 32
      23:08:55.760399 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 9
      23:08:55.957674 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:56.080242 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:56.080446 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 15
      23:08:56.202198 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 4
      23:08:56.399745 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:56.522682 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:56.522855 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 32
      23:08:56.645537 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 4
      23:08:56.842780 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:56.965079 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:56.965309 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 122
      23:08:57.088133 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 3
      23:08:57.294808 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:57.430983 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:57.431174 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 31
      23:08:57.553638 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 6
      23:08:57.750854 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:57.873029 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:57.873228 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 19
      23:08:57.994532 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 4
      23:08:58.192895 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:58.314192 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:58.315060 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 51
      23:08:58.436748 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 4
      23:08:58.643912 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:08:58.765565 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 2
      23:08:58.964934 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:09:08.543802 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 52
      23:09:08.694319 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 0
      23:09:08.694437 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:09:08.694475 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0
      23:09:08.818421 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 0
      23:09:08.823207 IP 213.239.212.239.43540 > 65.66.2.12.21: tcp 0
      23:09:08.823272 IP 65.66.2.12.21 > 213.239.212.239.43540: tcp 0

      Thanks!

        sisko212

        Which version of pfSense are you using?
        Take note: if it is 2.2, the FTP proxy module is no longer available:
        https://doc.pfsense.org/index.php/FTP_without_a_Proxy
        So passive connections shouldn't work anymore… unfortunately :-(

          CosmoNerd

          Thanks sisko212!

          I switched from FileZilla to MS IIS with SSL and it works now.
          Your response really made me rethink my configuration and eventually led to the fix.

          Much appreciated!

            johnpoz LAYER 8 Global Moderator

            It's like nobody reads any of the threads here - they just post their own problem… Did you search the forum for ftp before you posted yet another ftp thread? Can we get a mod to merge all of them or something? It's like all there is is "my ftp is broke"...

            I can tell you for a fact that it had nothing to do with you switching to ftp server x or y. It was just a lack of correct setup in your attempt to do the forwards. FileZilla allows you to set what passive ports to use and what IP to report, which are required when there is no ftp helper/proxy. And works just fine.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              CosmoNerd

              johnpoz,

              I see your point, and I actually tried to configure FileZilla in every possible way, including default passive ports, a custom defined range, with explicit TLS as well as optional, and all to no avail.

              IIS was certainly my least favorable choice for several reasons, but it works for all modes, plain FTP, explicit and implicit TLS without changing the firewall settings.

                johnpoz LAYER 8 Global Moderator

                BS it does. There is no helper, so if you want passive ftp to work with a server behind pfsense - the passive ports the ftp server is going to use have to be forwarded.

                It took all of 2 seconds to set up FileZilla server to work. Here, see this thread.

                https://forum.pfsense.org/index.php?topic=88057.msg486033#msg486033

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.