Netgate Discussion Forum

    FTP proxy and pfsense 2.2

    • johnpoz LAYER 8 Global Moderator

      It wouldn't be the FileZilla client you configure with those, it would be the server..  You also need the server to send its actual public IP, not its private one.

      If you want to run an FTP server behind pfSense that supports passive connections:

      Set it to send your actual public IP.  Use range x-y for passive ports.  Forward 21 on pfSense to your FTP server's private IP, forward ports x-y to your FTP server's private IP = done.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • Maypeur

        Thanks for your reply,

        But I don't own every FTP server and I can't configure those.

        So is it impossible to make an FTP client work on a network behind pfSense 2.2?

        • johnpoz LAYER 8 Global Moderator

          There is a big difference if your ftp server or client is behind pfsense.

          In a passive connection from a client behind pfSense, you really don't need to do anything but allow outbound connectivity, since the FTP server sends the IP and port to connect to.  Only in an active connection does the server create a connection to the client from source port 20.

          I would suggest understanding the ins and outs of how FTP works - this is a great reference.  http://slacksite.com/other/ftp.html

          So unless you're limiting outbound connectivity of your clients there is nothing to do for outbound to server via passive.

          • Maypeur

            Thanks, but like I said, this isn't MINE, so why talk about FTP server configuration?

            FTP is still used a lot, and when I see "don't use FTP", it makes me smile a lot since we don't choose it; it's totally out of the real world!

            So finally, pending a new FTP proxy coming out, I just add a rule for LAN which passes the used TCP ports to all my FTP server IPs.

            Thanks for your time.

            • johnpoz LAYER 8 Global Moderator

              What??? "I just add a rule for LAN which passes the used TCP ports to all my FTP server IPs."

              If someone wants to run an FTP server behind your firewall - then get with them and tell them the settings they have to do..  Just because you don't admin the firewall does not mean you need a helper/proxy??

              • Maypeur

                Hello,

                You continue to talk about server configuration, so apparently you don't understand or read:

                The FTP servers aren't on my LAN but outside, on the internet, like ftp.free.fr, and I don't own them.

                " Just because you don't admin the firewall " ???

                I'm the admin of the firewall on my LAN, so I added a rule to let my users who are in my LAN access public FTP servers on the internet.

                So with the outbound rule no proxy is needed, but I must create all the rules specifically for each server.

                • johnpoz LAYER 8 Global Moderator

                  I understand very well, you just don't state details that were asked multiple times.

                  example:
                  "I tried to add WAN => LAN pass rules between TCP 42000 and 42010"

                  So this could be for a passive server behind pfsense, or did you set your client to use specific ports in the active connection? Without some actual details it could go either way.

                  Thank you for this
                  "The FTP servers aren't on my LAN but outside, on the internet, like ftp.free.fr, and I don't own them."

                  You don't need any special firewall rules on passive, unless you have outbound ports locked down.  Since the client connects to some port the server gave.  In an active connection yes the server would connect back to the client from source 20.

                  Why do you need to create each rule, do you have all your outbound ports locked down?  Are they using active?

                  As stated, the helper/proxy is gone.. You have to do it old school like you're doing now.  It's not that difficult.

                  • fireball

                    I can't speak for the OP, but maybe it is something like this:

                    We have run into a situation on numerous occasions where the remote server is either misconfigured (gives its private IP rather than its public IP), or it is behind a firewall not configured correctly for a passive FTP server. Thus the configuration on the remote end is not set up properly for passive FTP.

                    This makes it such that clients on our local network (behind pfSense) cannot connect using passive mode. The active (port) mode helper would allow local users to instead use active (port) mode and connect to FTP servers in these cases.

                    Now that the helper is gone this is not an option, and users of pfSense are stuck trying to find some other workaround.

                    All too often the server "admin" on the opposite end has no clue how to set up the server/firewall properly for FTP. It is however the users on the pfSense end that get left in the cold. We can give certain machines 1:1 NAT and then allow specific ports for active FTP if the FTP client supports this (like FileZilla). This works, but is more difficult to set up, and requires a public IP (not an issue here, but I know lots of businesses with only 1 or 2 public IPs due to the shortage).

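The two cases discussed in the posts above (a passive reply that carries the server's private IP, and an active client whose PORT command the server must connect back to from source port 20) can be told apart from a single control-channel line. The following is an added example, not code from the thread or from pfSense: it parses the `h1,h2,h3,h4,p1,p2` field and reports which side opens the data connection and whether the advertised address is an RFC 1918 one. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Host/port field shared by the PORT command and the 227 reply: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def parse_hostport(line):
    """Return (IPv4Address, port) from a 'PORT ...' command or '227 ...' reply."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % line)
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def data_connection(line, server_ip):
    """Describe the data connection that follows one control-channel line.

    server_ip is the address the client used for the port-21 control session.
    """
    ip, port = parse_hostport(line)
    server = ipaddress.IPv4Address(server_ip)
    unreachable = is_rfc1918(ip) and not is_rfc1918(server)
    if line.lstrip().upper().startswith("PORT"):
        # Active: the server connects back to the client from source port 20.
        return {"mode": "active", "opened_by": "server", "src_port": 20,
                "dst": str(ip), "dst_port": port,
                "problem": "client sent a private address" if unreachable else None}
    # Passive: the client connects out to whatever address the server advertised.
    return {"mode": "passive", "opened_by": "client", "src_port": None,
            "dst": str(ip), "dst_port": port,
            "problem": "server sent a private address" if unreachable else None}

# Constructed control-channel lines; 203.0.113.10 is a documentation address.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,164,18)",   # correctly configured
    "227 Entering Passive Mode (192,168,1,20,164,18)",   # misconfigured server
    "PORT 192,168,0,50,195,80",                          # active client behind NAT
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", data_connection(s, "203.0.113.10"))
```

Running it against lines copied from an FTP client's log shows which destination address and port an outbound rule has to permit in the passive case, and which inbound connection the active case depends on.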
                    • jimp Rebel Alliance Developer Netgate

                      And now… https://forum.pfsense.org/index.php?topic=89841.0

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      • fireball

                        Very cool. Thanks!

                        • Musli18

                          Maybe you can help me.

                          I use pfSense 2.2.2 with 2x WAN, load balancing, failover.

                          Since the update to 2.2.2 I cannot connect with FileZilla to FTP servers on the Internet, for example to my web hosting. The connection is very slow and sometimes the connection is broken.

                          I have read that the problem is the load balancing.

                          How can I fix it?

                          Thank you

                          • jimp Rebel Alliance Developer Netgate

                            See https://forum.pfsense.org/index.php?topic=89841.msg497482#msg497482

                            • Musli18

                              If I install the FTP Client Proxy package, is it the solution for my problem with load balancing with FTP?

                              • jimp Rebel Alliance Developer Netgate

                                Read through the portion of the thread starting with the post I linked in the previous message, it specifically mentions the problem with load balancing.

                                • Musli18

                                  You write that it is not working with load balancing?
