[SOLVED] Explicit FTP over TLS not working from external.
-
Hi there,
I am struggling with some FTP issues. Already I have read the following topic;
https://forum.netgate.com/topic/131452/pfsense-block-access-external-public-ftp
I have set up the FTP feature on IIS. The Data Channel Port Range is set from 5000 to 6000. The external public IP address is entered (see image below).
I always use FileZilla as the preferred FTP client. My server only accepts explicit FTP over TLS. On my local network it works like a charm. It asks to accept the certificate and then connects to the directory. When I connect from a remote site to the FTP server it stops at Initializing TLS… After 20 seconds the connection will be aborted. For the record I told Filezilla to use Active connections and only use port 5000 to 6000 for active connections.
Below are the firewall rules I have created:
What am I doing wrong here? Any help would be appreciated as always.
Thank you guys!
Regards,
Herman
-
Since that is a local server and also TLS, all pfSense needs to do is port forward in. It can't control anything beyond that.
If it's failing to make a TLS connection then you might have to enable debugging in FileZilla to get more information out of it.
The fact that you can get that far means the port forward itself is working. I'd say this is between FileZilla and your server.
-
@jimp Like I mentioned before, the same setup on my LAN works like a charm. It goes wrong when the FTP requests come from the outside.
I will check out the debugging in Filezilla.
Regards,
Herman
-
Then you need to check things like:
- A tcpdump/wireshark capture of the negotiation between the client and server to see what ports it really uses
- The state table entries from your client when a connection is attempted
- Look in the firewall logs for any sign of blocked/failed connections from the client
-
@herman said in Explicit FTP over TLS not working from external.:
I told Filezilla to use Active connections and only use port 5000 to 6000 for active connections.
But you posted configuration for a server set up for passive connections, where the server tells the client what port to connect to on the data port.
If your client is active then the server would connect back to the client. Is the client behind a NAT? If so, the firewall in front of it would need to allow for an active client.
As I have said for the last 10 years, the first step in troubleshooting FTP is actually understanding how the protocol works and what you are doing, active or passive.
Also been saying for 10 years why do people put themselves through this shit? Use sftp and only have 1 port and be secure.. Way easier to deal with nat using it.
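A check on the negotiation described in the two replies above (the capture of what ports are really used, and the passive-mode server telling the client where to connect), added here as an example and not part of the thread: it parses the server's 227/229 replies from constructed FileZilla-style log lines and flags an advertised address that is not the public IP or a port outside the forwarded 5000-6000 range. The public IP 203.0.113.10 and the log lines are constructed.

```python
import re
import ipaddress

# Constructed FileZilla-style log lines (not from the thread). A 227 reply
# carries the data endpoint as (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2;
# a 229 (EPSV) reply carries only the port and reuses the control-channel host.
SAMPLE_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,10,19,136)
Command: EPSV
Response: 229 Entering Extended Passive Mode (|||5001|)
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,20,27,16)
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_data_endpoints(log_text, control_host):
    """Return the (host, port) the server advertised in each PASV/EPSV reply."""
    endpoints = []
    for line in log_text.splitlines():
        m = PASV_RE.search(line)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            continue
        m = EPSV_RE.search(line)
        if m:
            endpoints.append((control_host, int(m.group(1))))
    return endpoints


def check_endpoint(host, port, public_ip, port_range):
    """Flag the two classic passive-mode failures behind NAT."""
    problems = []
    if host != public_ip:
        kind = "private" if ipaddress.ip_address(host).is_private else "unexpected"
        problems.append(f"server advertised {kind} address {host}, expected {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the forwarded range {lo}-{hi}")
    return problems


def audit(log_text, public_ip, port_range):
    """Pair every advertised endpoint with the problems found for it."""
    return [((h, p), check_endpoint(h, p, public_ip, port_range))
            for h, p in parse_data_endpoints(log_text, public_ip)]


if __name__ == "__main__":
    for endpoint, problems in audit(SAMPLE_LOG, "203.0.113.10", (5000, 6000)):
        print(endpoint, "OK" if not problems else "; ".join(problems))
```

With TLS on the control channel a tcpdump only shows the encrypted stream, so the 227/229 replies are not visible there; FileZilla's own log still shows them in clear and is the text to feed in.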
-
-
yeah standard port would be 22, but you can use whatever port you want.. If you want to keep the log spam lower for example. I personally would only allow public key auth as well.
-
@johnpoz Damn, it seems that Server 2016 doesn't support SFTP natively. Any suggestions?
-
Yeah just install it ;) Be it the MS version or just the OpenSSH version that has been ported to Windows. FTP should have died off 10+ years ago... There are zero reasons to use it..
What exactly are you needing to move between clients and server? Why not just provide users web gui to move their files over https?
Here, 10 second google:
https://www.ntweekly.com/2017/12/22/install-openssh-windows-server-2016-1709/
Posted on December 22, 2017 by MVP
How To Install OpenSSH On Windows Server 2016 1709
This week, The Windows Insider team announced that OpenSSH has arrived on Windows Server 2016 1709 and Windows 10 1709.
In this article, I’ll show you how to Install the new OpenSSH Server and Client and how I configure OpenSSH Server on my Windows Server 2016 1709.
I’ll also show you how to use WinSCP and copy files from my Windows Server 2016 1709 Server using SSH.
-
@johnpoz Thanks John. I will certainly look at this. Looks very interesting so far! For now I solved my problem by installing FileZilla Server, configured as Implicit FTP over TLS. Created a certificate. Also created the NAT rules on pfSense to listen on port 990. Opened some data ports from 50000 to 65535. To make it somewhat more secure I only allow access from certain WAN IP addresses. So if you are not in my Alias list then you will not get connected to the FTP server anyway.
John, thanks again for your great help and tips. Much appreciated.
Anyway now hoping that my topic about the dropping speed also gets solved soon.
BTW. How do I put [SOLVED] in front of the title? Just edit the Title?
Many thanks to you all again!
Regards,
Herman