Netgate Discussion Forum

    FTP issue in Ver. 2.2 or later

      tomli

      Dear all,

      After upgrading my pfSense server from 2.0 to 2.2/2.2.4/2.2.6, my FTP server cannot work properly. I then did some searching on Google and found that ver. 2.2 or later cannot support the FTP proxy. Therefore, I changed vsftpd.conf on my FTP server.

      I added the parameters below:
      pasv_enable=YES
      pasv_min_port=41361
      pasv_max_port=65534
      pasv_address=x.x.x.x    <- (NAT Public IP).

      After that, the remote client can log in to my FTP server again. However, the local client cannot connect to the FTP server. Please advise me how to solve the above issue. Attached is my network diagram.

      Thank you for your help.    :)
      ftp.gif

        heper

        Did you find this when googling? https://doc.pfsense.org/index.php/FTP_without_a_Proxy

          tomli

          Yes, I read it before. If I do not add the "pasv_address" parameter, the configuration cannot work properly. Please advise.

            marvosa

            First, you only need 1 pasv port per user and I highly doubt you have 24,000+ users, so you should revise your range.  Second, your external clients should be using pasv, but your internal clients should be using active mode.  Try forcing your internal clients to active mode instead of letting the client auto detect.

              tomli

              First, my clients do not have any technical knowledge, so they don't know what Active/PASV mode in FTP is. Second, the clients use many different FTP client programs (such as DOS, FileZilla, Linux, etc.). I cannot easily control it  :'(. I can control the pfSense server only. Is there any other good solution for me? Thanks.

                Guest

                > First, my clients do not have any technical knowledge.

                Jump in and make money, it's yours!  ;)

                > So they don't know what Active/PASV mode in FTP is. Second, the clients use many different FTP client programs (such as DOS, FileZilla, Linux, etc.).

                You could set up an FTP server in the DMZ, and they could then use this server.

                > I cannot easily control it  :'(. I can control the pfSense server only. Is there any other good solution for me? Thanks.

                FTP, whether active or passive, transports everything in clear text and might be the most insecure protocol
                ever. So, on the other hand, it might be up to you, and not pfSense, to secure it. Setting up an FTP/S or S-FTP
                server inside your DMZ would be the best for you and your clients. If you are not able to do that, an FTP server
                inside the DMZ will also solve it, but it is really insecure for you and your clients or customers.

                  johnpoz LAYER 8 Global Moderator

                  Why could you not just fire up a 2nd instance of vsftp? Have one listen on the IP you're sending your WAN/internet users to, with the passive setup to use your public IP, and a second instance listen on a different RFC 1918 address where your local clients go.

                  Or, as hinted upon, just use a secure method of file transfer like sftp that only uses 1 port, and there you go, no issues, and now you're secure!!  And all you have to do is forward 1 port on pfSense.

                  ftp has been antiquated for YEARS, anyone still using it is just nuts or lazy… There are FREE sftp clients for any user of any OS to use, there are FREE servers, shit any linux distro out there comes with it.  You can do it on windows now for free as well.

                  So what could be the excuse for still trying to use an unsecure antiquated protocol like ftp?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11
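
Added example, not written by any poster in this thread: a Python check of the `227 Entering Passive Mode` reply that shows why the `pasv_address` setting from the first post works for remote clients but points local clients at the public IP, and why a second LAN-facing instance without `pasv_address` avoids that. The addresses (203.0.113.10 standing in for the NAT public IP, 192.168.1.10 for the server's LAN IP) and all function names are constructed for illustration; the port range is the one from the posted vsftpd.conf.

```python
import ipaddress
import re

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a usable 227 reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range: %r" % reply)
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def check_data_channel(control_addr, reply, pasv_min=41361, pasv_max=65534):
    """Compare the advertised data endpoint with the address the client
    dialled for its control connection (control_addr)."""
    ip, port = parse_pasv(reply)
    dialled = ipaddress.ip_address(control_addr)
    findings = []
    if not pasv_min <= port <= pasv_max:
        findings.append("port %d outside pasv_min_port..pasv_max_port" % port)
    if is_rfc1918(dialled) and not is_rfc1918(ip):
        findings.append("LAN client is sent to public %s: data connection "
                        "depends on NAT reflection" % ip)
    elif is_rfc1918(ip) and not is_rfc1918(dialled):
        findings.append("WAN client is sent to private %s: pasv_address "
                        "is missing" % ip)
    return ip, port, findings


# Constructed replies: 195*256+80 = 50000, inside the posted port range.
WITH_PASV_ADDRESS = "227 Entering Passive Mode (203,0,113,10,195,80)."
WITHOUT_PASV_ADDRESS = "227 Entering Passive Mode (192,168,1,10,195,80)."

if __name__ == "__main__":
    for dialled in ("203.0.113.10", "192.168.1.10"):
        for reply in (WITH_PASV_ADDRESS, WITHOUT_PASV_ADDRESS):
            print(dialled, reply, check_data_channel(dialled, reply)[2])
```

The two combinations that return no findings (WAN client with `pasv_address`, LAN client without it) are the two listeners of the split setup suggested in the last post.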

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.