Netgate Discussion Forum
PFsense blocking FTP

8 Posts 3 Posters 4.2k Views
SweetElite (last edited Nov 26, 2017, 2:31 PM)

Hello,

I'm using pfSense 2.4.2.

So I have been trying for a month to get my FTP server working.

I can connect to it using the LAN IP while inside the network.

When I try to use the WAN IP, I get this error:

Status: Connecting to XX.XX.XX.XX:21…
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

I have the NAT rule to allow this port to the FTP server's LAN IP.

I don't know what I'm doing wrong.

Could someone really give me a hand with this?

Here is a screenshot of the rules I have.

Thank you in advance.

[Attachments: ftp nat.jpg, lan.jpg, ftp client.jpg]
Grimson, Banned (last edited Nov 26, 2017, 2:40 PM)

https://forum.pfsense.org/index.php?topic=15811.0
johnpoz, LAYER 8 Global Moderator (last edited Nov 26, 2017, 2:45 PM)

In no scenario would you ever need to forward 20. This is the source port of a server with an active client.

And you're trying to access it from NAT reflection? Or are you trying to access it from outside your network?

You're trying to do a passive connection to a server behind pfSense. Then you would have to forward the passive ports the server would send back.

Understanding how FTP works is the first step to fixing your issue.
http://slacksite.com/other/ftp.html

To allow for passive connections from outside pfSense to a server inside pfSense, you need to forward 21, or whatever port you want to use for control to this server if you're going to be using more than one FTP server behind pfSense, which it seems you're trying to do.

You need to set this server to correctly hand back your public IP for the passive data connection to work. And you need to set this server to use specific ports for the passive connections. Say 5000 to 5100, and then forward those to the FTP server.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
SweetElite (last edited Dec 1, 2017, 10:58 PM)

Hello, yes, thanks. I'm trying to access the server inside pfSense. I can access it with the LAN IP, but when I try using the WAN of the website ftp,xxxxxx,com I can't.

I have the port forwards and passive set.
Here's what I get:

Status: Retrieving directory listing of "/public_html"…
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Response: 150 Accepted data connection
Response: 226-Options: -a -l
Response: 226 43 matches total
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

It connects but will not show the files, then times out.

Thanks

[Attachments: 2017-12-01_17-55-45.jpg, 2017-12-01_17-56-42.jpg]
johnpoz, LAYER 8 Global Moderator (last edited Dec 2, 2017, 8:51 AM; Dec 2, 2017, 8:47 AM)

"Status: Server sent passive reply with unroutable address. Using server address instead."

So your server sent its actual RFC address vs. its public IP.

And what was the PASV command sent, so you can figure out what port the client got told to use?

So see attached. Here I connected to a server in active mode. Sent a PORT command that told the server, hey, connect to me at 64.53.x.x on port (197x256+70) = 50502

29.192.171.195.in-addr.arpa. 3600 IN    PTR    ftp.sophos.com.

See the 196,64; that is telling me to connect on port (196 x 256)+64, or port 50240. So where is this command? If your server is passive behind, then you would have to forward the passive ports you're using. What passive ports did you set up on the server? I only see you forwarding 21, not the data ports. See the 2nd pic as an example where you set specific passive ports to use on the server and the IP to send the client vs. its local RFC1918 address.

"I try using wan of the website ftp,xxxxxx,com i cant,"

Also, if you're trying to do that from inside your own network, that would be NAT reflection and even more of a PITA. You need to test your FTP server from outside exactly. If you send me your IP and username and password I will test it from outside for you. But you need to correctly set up the server and firewall rules for passive behind pfSense if you ever expect anyone from outside on the internet to connect. You really should use, say, SFTP, which is secure and only needs 1 port forwarded.

[Attachments: ftppasvport.png, ftppasssrvset.png]
johnpoz, LAYER 8 Global Moderator (last edited Dec 4, 2017, 9:44 PM; Dec 4, 2017, 9:40 PM)

You need to edit that ForcePassiveIP. It's sending its actual IP.

Status: Connecting to 74.71.x.x:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Status: Directory listing of "/" successful
Status: Retrieving directory listing of "/"...
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,25,195,108)

Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Response: 150 Accepted data connection
Response: 226-Options: -a -l
Response: 226 2 matches total
Status: Directory listing of "/" successful

And it's not sending ports in the 5000-5100 range. It's sending 50000+.

You might want to edit your posting. You posted the FQDN, which is why I could log in.
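The following is an added example, not code from this thread and not from pfSense, FileZilla or Pure-FTPd. It does the arithmetic the replies above work through by hand and flags the two misconfigurations being diagnosed: it parses a `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply or a `PORT h1,h2,h3,h4,p1,p2` command into an address and a port (p1*256 + p2), reports when the advertised address is RFC1918 (what the client logs as "unroutable address"), and reports when the advertised data port lies outside the 5000-5100 range that was supposed to be forwarded. `effective_data_endpoint` mirrors the client fallback "Using server address instead", which fixes the address but not the unforwarded port. The addresses 203.0.113.10 and 203.0.113.20 are constructed documentation placeholders, not anyone's real WAN or client IP.

```python
import ipaddress
import re

# Values taken from the thread: the passive port range johnpoz advised
# configuring on the server and forwarding through pfSense.
FORWARDED_PASV_RANGE = (5000, 5100)
# Constructed placeholder (TEST-NET-3) standing in for the server's real WAN IP.
EXPECTED_PUBLIC_IP = "203.0.113.10"

# The three RFC1918 blocks; checked explicitly rather than via is_private so
# that documentation ranges used as placeholders are not misreported.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 PASV reply
_SIX_TUPLE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def is_rfc1918(ip):
    """True when ip falls inside one of the RFC1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_endpoint(line):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply or a 'PORT h1,h2,h3,h4,p1,p2' command. The port is p1*256 + p2."""
    m = _SIX_TUPLE.search(line)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"tuple element out of byte range in {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def effective_data_endpoint(pasv_reply, control_ip):
    """Mimic the client behaviour logged in the thread: if the advertised
    address is RFC1918, fall back to the address of the control connection.
    The port is still taken from the reply, so the fallback alone does not
    rescue a server whose passive ports were never forwarded."""
    ip, port = parse_endpoint(pasv_reply)
    if is_rfc1918(ip):
        return control_ip, port
    return ip, port


def diagnose_pasv(pasv_reply, expected_public_ip=EXPECTED_PUBLIC_IP,
                  forwarded=FORWARDED_PASV_RANGE):
    """Return (ip, port, problems); each problem is a misconfiguration an
    outside client would run into with this PASV reply."""
    ip, port = parse_endpoint(pasv_reply)
    problems = []
    if is_rfc1918(ip):
        problems.append(
            f"advertised address {ip} is RFC1918; set the server's forced "
            f"passive IP to the public address {expected_public_ip}")
    elif ip != expected_public_ip:
        problems.append(
            f"advertised address {ip} is not the expected public address "
            f"{expected_public_ip}")
    lo, hi = forwarded
    if not lo <= port <= hi:
        problems.append(
            f"advertised data port {port} is outside the forwarded passive "
            f"range {lo}-{hi}; fix the server's passive port range or the NAT rule")
    return ip, port, problems


if __name__ == "__main__":
    # The PASV reply logged in the thread, plus a corrected one for contrast.
    for reply in ("227 Entering Passive Mode (192,168,1,25,195,108)",
                  "227 Entering Passive Mode (203,0,113,10,19,136)"):
        ip, port, problems = diagnose_pasv(reply)
        print(f"{reply}\n  -> {ip}:{port}")
        for p in problems:
            print(f"  problem: {p}")
    # The PORT arithmetic johnpoz worked through by hand (client address constructed).
    print("PORT ...,197,70 ->", parse_endpoint("PORT 203,0,113,20,197,70")[1])
```

Run against the logged reply, the diagnosis reports both the RFC1918 address (192.168.1.25) and the out-of-range data port 50028 (195*256+108), which is exactly the "sending 50000+" observation above; the corrected reply advertises the public address and port 5000 and passes clean.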
SweetElite (last edited Dec 4, 2017, 11:46 PM)

@johnpoz:

> You need to edit that ForcePassiveIP. It's sending its actual IP.
>
> Status: Connecting to 74.71.x.x:21...
> Status: Connection established, waiting for welcome message...
> Status: Insecure server, it does not support FTP over TLS.
> Status: Logged in
> Status: Retrieving directory listing...
> Status: Server sent passive reply with unroutable address. Using server address instead.
> Status: Directory listing of "/" successful
> Status: Retrieving directory listing of "/"...
> Command: PASV
> Response: 227 Entering Passive Mode (192,168,1,25,195,108)
>
> Status: Server sent passive reply with unroutable address. Using server address instead.
> Command: MLSD
> Response: 150 Accepted data connection
> Response: 226-Options: -a -l
> Response: 226 2 matches total
> Status: Directory listing of "/" successful
>
> And it's not sending ports in the 5000-5100 range. It's sending 50000+.
>
> You might want to edit your posting. You posted the FQDN, which is why I could log in.

OK, thanks. So you were able to log on to the FTP server, wow, that's something, as I'm not able to log on to it here myself.

Where do I need to edit the ForcePassiveIP?

Thanks for your time. And I still can't get on.
johnpoz, LAYER 8 Global Moderator (last edited Dec 5, 2017, 3:27 AM; Dec 5, 2017, 3:11 AM)

I am able to log in from the outside. You can not be BEHIND pfSense and hit your WAN and expect this to work.

In your Pure-FTPd config that you posted, you have it remarked out with #.

"thats something am Im not able to log on it here my self.."

You're logging in from what you posted. Are you not understanding the difference between control and data in FTP?? You can not get to the data unless you have logged in, be it you're using passive or active. Did you even look at the link I provided on the difference between active and passive?

BTW, even when I used active I could not post data; getting a permission error when I tried to upload a test.txt file.

If you're going to insist on running a protocol that should have died off 10 years ago, you need to understand how it works. I would really suggest you just use SFTP to move your files. It's SECURE and only needs 1 port forwarded.
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.