Need help to possibly setup FTP server
-
I am attempting to setup FTP access. This is on a Windows 2016 server. I have already installed FTP and went thru the basic configuration.
I am using Filezilla to test the configuration and I am testing the connection on our LAN (not externally yet). I can only get it to work if I turn off the firewall on the server. This is not acceptable so I need to know what ports need to be opened or how I can specify the ports I want to use. With port 21 exempted it will make the connection but don't get the directory listing. After I get it to work locally I will need to configure the external firewall at that point. Someone please give me some pointers on this.thanks
-
One thing you have to be aware of is passive vs active mode. Active mode does not work well with NAT. The original ftp used active mode where ports were assigned when needed. Passive mode uses the same port. Browsers normally use passive mode, but command line ftp clients often use active mode.
-
If I remember correctly you need ports 20 & 21 for FTP to work.
-
@jackaustin said in Need help to possibly setup FTP server:
I can only get it to work if I turn off the firewall on the server.
And what does that have to do with pfsense? Nor do I get how that is related to L2/Switching/Vlans? Moving to off topic.. When you have a specific firewall rule for say ftp, then create a thread in the firewall section.
How to configure ftp on your windows server - you prob get better help on a windows forum to be honest.
FTP uses port 21 for control connections. For the data channel (directory listings use this) as already mentioned need to understand if your using active or passive. Here is a better link than just wiki https://slacksite.com/other/ftp.html
Port 20 is only ever used as source port in active connection.
I personally would rethink the whole "ftp" thing to be honest.. It has really been something that should of died off 10 some years ago. Can you not use sftp? This is way more secure, and only uses 1 port (normally ssh port 22)..
To get it to work externally to your server. Again you need to determine if your clients are using active or passive to talk to your server for the data connection. If passive then you need to set your ftp server passive ports that will be used, you will then need to forward those. And also make sure that your ftp server sends the correct public IP to the client vs its local rfc1918 address.
With client using active - there is really nothing to do other than forward 21, since the control channel connection will go from server to client, and default allow any would allow this connection. Unless you have modified those?
-
This post is deleted! -
After I get it to work locally I will need to configure the external firewall at that point. Someone, please give me some pointers on this.
-
Have given you all the details you could ever need..
To get it to work externally to your server. Again you need to determine if your clients are using active or passive to talk to your server for the data connection. If passive then you need to set your ftp server passive ports that will be used, you will then need to forward those. And also make sure that your ftp server sends the correct public IP to the client vs its local rfc1918 address.
Do you know your clients are using passive, do you know the passive ports your ftp server is going to use? Do you know that your ftp server is handing out your public IP and not its local rfc1918 address?
For a client to use an active connection - all that is needed is to forward tcp 21.. Since the client will tell the server which IP and port to connect too.. How ftp works is all in the link I already provided. But without details of your setup it impossible to help you work out the exactly how to setup the port forwards for the passive ports, etc. As to how to configure your MS ftp server and the servers firewall to allow for it - your better off asking on a MS centered forum/site.
But all of the details of how ftp works, what would have to be done to get it to work behind pfsense has been given.
edit: This guy is just a spammer... His spam post has been deleted. But info provided could be useful for next guy trying to setup ftp..
-
This post is deleted! -
This post is deleted! -
The answers are posted above.
If you did not recognize the messages form johnpoz and JKnott as answers, they contain enough info to get you started. -
This post is deleted! -
This post is deleted! -
This post is deleted! -
@mrsiddle dude what are you looking for? The info needed to get ftp server working has been given here, and multiple multiple threads here as well.
What is it your not understanding, what exactly are you trying to accomplish?
-
This post is deleted! -
@mrsiddle some oddity in your ftp client on your phone would have nothing to do with pfsense.
Unable to get directly listing could be issue with data channel.. Are you doing passive or active ftp from your phone?
There are FAR EASIER ways to sync files to your phone vs ftp that is for sure.. But all the info on how to setup ftp server behind pfsense has already been given here, and plenty of other threads here..
-
This post is deleted! -
This post is deleted! -
@mrsiddle said in Need help to possibly setup FTP server:
I am doing ftp
And you understand that there is a control channel and then a data channel.. The data channel is either active or passive.. This determines in what direction the channel is opened.
Here - if you have any hope of troubleshooting ftp, the first requirement is to understand how it actually works.
https://slacksite.com/other/ftp.html
Active FTP vs. Passive FTP, a Definitive ExplanationOut of the box a client behind pfsense doing passive there really is nothing to do to talk to a ftp server out on the public internet. Since the default lan rules are any any, and you would be able to connect out control port 21, and whatever the data port is sent by the server.
Where you have problems as a client behind pfsense is doing active, since the server trying to connect to the clients IP would not be allowed by the firewall. Unless the admin of pfsense set it up - say using the ftp helper/proxy package.
Running a server behind pfsense for active is normally not a problem since the server makes the outbound connection to the clients IP and Port. And again the default out rules are any any so the server would be allowed. All that would normally be needed is to forward port 21 to the server behind pfsense.
Now with server running passive behind, you run into the issue to what passive ports the server will use, and those ports will have to also be forwarded to the server along with the control port.
Other issues that come into play even with using the helper is if using encrypted control channel - where pfsense can not see the ports that will be used for the data channel - nor can it figure out or change wrong IP given in the control channel of rfc1918 addresses.
If your going to continue to use ftp, which is a dead protocol and really shouldn't be used any more.. SFTP via ssh port 22 is only 1 port and secure unlike ftp where username and passwords are sent in the clear, etc. You really need to understand how its going to work to use it behind any stateful firewall also tie that in with nat being done, etc. Not just pfsense.
You need to understand how a ftp server is going to work to make sure it presents its correct IP to the client (server behind nat).. And you need to understand what ports its going to use for passive.
from a client side talking to some server out on the public internet - you need to know what your using active or passive for the data channel. And you need to be able to alter between them depending, and you may need to adjust your edge firewall to allow or handle inbound connections from the server if doing active. Or you need to make sure you allow the correct outbound ports if you have altered the default any any rule, etc.
I have in the past gone over in great detail setting this up, and going over the protocol and how to use it in really any configuration behind pfsense. The details have been given for this OP original question..
But to be honest if your still using ftp today - your doing it wrong ;) ftp really should of died off 10 years ago. That its just not actually finally being removed from different browsers as even an option is great, even if late.. Use SFTP, use some web based transfer method that also uses just 1 port and normally secure ie via https.
Or use some sort of specialty sync software.. There are plenty of them out there, icloud, dropbox, googledrive, onedrive.. You could run nextcloud for example on your own network and sync music files to your phones and stuff that way.
-
This post is deleted!
