Netgate Discussion Forum

    FTP Client Proxy Package - not working - 2.3.1

    • I
      itd
      last edited by

      Dear all

      We would like to use the FTP Client Proxy Package with pfSense 2.3.1 so that our user can use an external passive FTP.

      We can start an FTP session, but as soon as the client changes to the passive mode, the connection times out.

      What could be wrong?

      I attached the settings for the plugin.

      Thank you and best regards

      Steve
      ftpproxy.jpg
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        The FTP Client Proxy is not necessary for local clients and a remote passive FTP server. The client side does not need anything special in that case. The server side is typically to blame for passive FTP issues, and the client side for active FTP issues.

        One exception might be if you have a load balancing group active. If you are not careful your port 21 connection could leave one WAN and the data connection could leave another WAN, which the server would most likely reject.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • I
          itd
          last edited by

          Hi jimp

          Sorry, I was unclear. We block nearly every port from LAN to WAN.

          As far as I understand the plugin, it should help in this situation by opening the required ports for passive FTP on our side.

          Is this correct?

          Best regards

          Steve

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Yes it should help with that. Depending on how your rules are crafted you probably need to check "Early Firewall Rule" in the proxy options then.

            • I
              itd
              last edited by

              Hi jimp

              It is already active. See the screenshot from the first post.

              Best regards

              Steve

              • F
                fr0t
                last edited by

                FTP Client Proxy is for active mode connections only; for passive mode it's always a static port range, which you need to open manually in the firewall (because you know this range), and that's all.

                This is the whole idea of FTP Client Proxy: detect the port (for an active connection) and open this port in the firewall. It has nothing to do with passive mode.

                Regards
                fr0t

                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  @fr0t:

                  FTP Client Proxy is for active mode connections only; for passive mode it's always a static port range, which you need to open manually in the firewall (because you know this range), and that's all.

                  This is the whole idea of FTP Client Proxy: detect the port (for an active connection) and open this port in the firewall. It has nothing to do with passive mode.

                  That isn't quite true of the ftp-proxy daemon we use. While it does not alter the contents of the packets in PASV mode, it attempts to add rules for passive mode clients connecting to a remote passive mode server.

                  From the man page:

                  In case of passive mode (PASV or EPSV):

                    nat from $client to $server port $port -> $proxy
                    pass in quick inet proto tcp \
                        from $client to $server port $port
                    pass out quick inet proto tcp \
                        from $proxy to $server port $port

                  If that's not working, something else in the ruleset or config must be getting in the way.

                  • I
                    itd
                    last edited by

                    Can I check somewhere why it does not work?

                    Best regards

                    Steve

                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      Check the firewall logs, check the state table, see if the traffic is getting through on the correct port(s) or being blocked.

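
The log check suggested in the last reply, as an added example that is not part of the original thread: it derives the passive data port from the server's 227 (PASV) or 229 (EPSV) reply and looks for firewall block entries to that port. The reply strings, addresses and log lines are constructed, and the field positions assume pfSense's raw filter log CSV layout for IPv4 TCP.

```python
import re

# Constructed sample data (not from the thread): server replies seen by the
# client, and the CSV payload of raw filter log lines (assumed field layout).
REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,195,203)",
    "229 Entering Extended Passive Mode (|||50200|)",
]
LOG = [
    "5,,,1000000103,em1,match,block,in,4,0x0,,64,4242,0,DF,6,tcp,60,"
    "192.168.1.50,203.0.113.10,51544,50123,0,S,111,,65535,,mss",
    "9,,,1000000201,em1,match,pass,in,4,0x0,,64,4243,0,DF,6,tcp,60,"
    "192.168.1.50,203.0.113.10,51540,21,0,S,112,,65535,,mss",
    "5,,,1000000103,em1,match,block,in,4,0x0,,64,4250,0,DF,6,tcp,60,"
    "192.168.1.50,198.51.100.7,51600,445,0,S,113,,65535,,mss",
]

def passive_endpoint(reply):
    """Return (ip or None, port) announced by a 227 or 229 reply, else None."""
    m = re.match(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        n = [int(x) for x in m.groups()]
        if max(n) > 255:
            return None                      # malformed octet or port byte
        return ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    m = re.match(r"229 .*?\((.)\1\1(\d{1,5})\1\)", reply)
    if m and int(m.group(2)) <= 65535:
        return None, int(m.group(2))         # EPSV: same host as control channel
    return None

def blocked_data_connections(replies, log_lines):
    """List block entries whose destination matches a negotiated passive port."""
    wanted = [e for e in map(passive_endpoint, replies) if e]
    hits = []
    for line in log_lines:
        f = line.split(",")
        # f[6]=action, f[8]=IP version, f[16]=protocol, f[18..21]=src,dst,sport,dport
        if len(f) < 22 or f[6] != "block" or f[8] != "4" or f[16] != "tcp":
            continue
        if not f[21].isdigit():
            continue
        dst, dport = f[19], int(f[21])
        if any(port == dport and ip in (None, dst) for ip, port in wanted):
            hits.append({"iface": f[4], "tracker": f[3], "src": f[18],
                         "dst": dst, "dport": dport})
    return hits

if __name__ == "__main__":
    for hit in blocked_data_connections(REPLIES, LOG):
        print(hit)
```

A hit means the data connection was dropped by the rule with the listed tracker ID; no hit together with no matching state points away from the LAN rules and toward routing or the server side.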
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.