Configure pfsense for FTP server



  • Hello all,
    I set up an FTP server on CentOS and I want to use pfsense behind the FTP server. They work in the local network, but I have 2 NICs and
    I want to connect NIC1 to the FTP server and NIC2 to the local network, and I don't connect to the Internet via this.
    So, how do I configure both NICs to act as LAN ports? I don't need a WAN port?
    I don't know, but I created a bridge between the LAN and WAN interfaces, then I created a rule "any to FTPserver", but this doesn't work.
    Please help me,

    I'm new to the software, so any help will be much appreciated.

    Many thanks
    FAD



  • Are you using an ftp client or browser to access the server? Ftp can run in either of 2 modes, active and passive. Ftp clients generally run in active mode, but some can be made to use passive. Browsers use passive. The issue with firewalls is, in active mode, the server opens a 2nd connection, which the firewall blocks. Passive mode doesn't and works well through a firewall.


  • Rebel Alliance Global Moderator

    "Passive mode doesn't and works well through a firewall."

    Passive mode uses a 2nd connection as well.

    "but I create a bridge between LAN and WAN interface"

    WTF dude really?

    "I want to use pfsense behind the FTP server,"

    Huh????  Here is advice I give to anyone running an ftp server???  Why??  FTP has been dead for years - use sftp or freaking http/https to move your files for gosh sake..

    If you want to run an ftp server behind pfsense, if your clients out on the internet are using active it works bing bang zoom.  Just forward 21 to your ftp server.  If you're wanting your clients to use passive out on the internet then you need to make sure your ftp server presents your wan IP, and you also forward the passive port range it will tell the clients to use.

    If you insist on using ftp, you need to understand the difference between active and passive mode.
    http://slacksite.com/other/ftp.html



  • Passive mode uses a 2nd connection as well.

    Yep, but it's initiated by the client, not the server, which is why I said:
    "The issue with firewalls is, in active mode, the server opens a 2nd connection"

    When the server initiates the 2nd connection, the firewall has no way to associate it with the original connection and so blocks it.  When the client initiates it, it's just another outgoing connection, which the firewall passes.

    There's nothing wrong with an ftp server that allows anonymous connections for downloading files.  It's easier to set up than http.  But you wouldn't want to use passwords, unless over ssl/tls.  There are still plenty of sites that use ftp for file download.


  • Rebel Alliance Global Moderator

    "The issue with firewalls is, in active mode, the server opens a 2nd connection"

    True - but to be honest passive connection to a server behind a nat is a bigger pain because you have to have the passive ports forwarded and your ftp server has to present its public IP not the rfc1918 that it is on.

    Now from a client side firewall yes passive is easier, but from a server side passive is more firewall rules to be created and bigger pita.

    "There are still plenty of sites that use ftp for file download."

    Yeah and it's a PITA through nat since you have to understand if your clients are active or passive, etc.  As to what is harder to setup for anonymous file download - clickity clickity I can have a httpd serve up files with only 1 port to forward, ie 80.  Vs having to understand how the data channel of an ftp server works and what is being used, active or passive.



  • I finally bit the bullet, nuked my FTP server and replaced it with an ownCloud.  Best decision I've made this month.  More features, better management and no FTP firewall hassles.



  • Just disable support for active mode FTP and screw those who for some insane reason can't use passive mode clients. For passive mode FTP the server side and port forwarding is almost trivial.


  • Rebel Alliance Global Moderator

    "For passive mode FTP the server side and port forwarding is almost trivial."

    You have that BACKWARDS!!  With an ftp server behind a nat, with passive clients connecting you need to make sure the ftp server presents its public IP not its rfc1918.  You also need to make sure you know what passive ports the ftp server is going to use and then forward those as well.

    When clients are going to use active the only port you have to forward is 21, the client will tell the ftp server what port to connect to.  So as long as your outbound firewall rules do not block your ftp server from talking outbound to random high ports you're fine.  Normally the ftp server would create the connection from source port 20.  So even if you lock down outbound rules, 1 simple rule allowing the ftp server to go anywhere from source port 20 allows your ftp to work.



  • Well it's not terribly difficult either at least with the FTP server software I've used. With ProFTPd it's just two configuration directives and you're set assuming you have the command port and the passive range forwarded on the firewall.

    What if you're trying to use active mode server in an environment where the server can't make any outgoing connections other than connections related to the incoming ones? That's where you would have to have some sort of proxy/helper like the ftp-proxy that we still had a while ago.


  • Rebel Alliance Global Moderator

    None of it is actually difficult..  The problem is people trying to do it that don't have a clue to what active vs passive in ftp actually means.

    If your setup is blocking your ftp server from making outbound connections then yeah you're going to have issues trying to allow active connections.  If you're in such a setup then FTP is a really bad choice.  The client is who determines what connection it is going to be, active or passive.

    The built in ftp cli in windows for example doesn't even support passive.  If you're wanting to run an ftp server to allow for anonymous people to download files then you really would need to support both modes, both active and passive.  If you ask me, if you're wanting to provide files anonymously for clients on the public internet to download your best choice would be to just provide those up via http.  This way you're only needing 1 forward, and the server would never be making outbound connections, it would just be answering a connection you forwarded to it.

    I agree some ftp servers are easier to setup than others behind a nat.  But some can be more difficult than others.  Where it's not easy to present a different IP than what its interface has or to limit what passive ports it will use, etc.

    KOM gets it and moved away from ftp.  To be honest if you ask your typical user they don't have a clue about ftp, for sure the difference between active or passive.  Most don't even have an actual ftp client that would allow them to easily change to different modes.  If your goal is to make it easy for users to access files you want to serve up your best choice would be http..



  • Thanks for the reply..
    I have to set up an FTP server and I have no choice.
    I want to use active mode, but I don't know how to define the rule for it.
    Please help me with further explanation.


  • Rebel Alliance Global Moderator

    There is NOTHING special to do on the firewall for clients to connect active to ftp behind pfsense.  Forward 21 to your ftp server and you're done!!

    Unless you have your lan rules locked down to limit outbound connections?

    In an out of the box pfsense with any any as the lan rule, forward 21 to your ftp and you're done with clients making active connections.  Since the client will tell the ftp server what port to connect to for the data connection and the server will make the outbound connection.  With rules any any it's just like your ftp server was going to access www.google.com..

    "I have to set up an FTP server and I have no choice."

    Sorry but I don't buy that.. I just don't…  why do you not have a choice??  Run sftp??  Run some web based access.  FTP is not secure and is for gosh sake not the only game in town for moving files..



  • Thanks for the reply.
    You are the very best and have helped me a lot.
    I defined the rules "Single host with any port to single host (IP FTP server) with port 21" and "Single host with any port to single host (IP FTP server) with port 50000-50999" in LAN for a specific user.
    Are they true? When I connect to the ftp server, I can see my files on the FTP server.
    Please help me, I'm nervous and stressed.
    Best Regards
    FAD


  • Rebel Alliance Global Moderator

    Are those the ports your ftp server is using for passive?  You stated you wanted ACTIVE only..

    "I want to use active mode, but I don't know how to define the rule for it."

    So why are you forwarding ports for passive mode?  When you connect to the ftp server, from where??



  • Hi,
    Thanks for the reply.
    After reading more about FTP and your guidance, I decided to configure the FTP server for passive mode and I defined the range 50000 to 50999 for passive ports.
    I don't get "So why are you forwarding ports for passive mode?"
    I use the FTP server and pfsense firewall only for the local network, and a specified number of my partners in the company's network are going to connect to the FTP server, so the FTP server doesn't serve outside the network or over the internet.
    But the rules that I defined, are they true? I'm not sure about the tasks that I did.
    Thank you


  • Netgate

    Port forward and pass traffic for ports 21 and 50000-50999 to your FTP server's inside IP address.

    Set your FTP server to send the actual outside WAN address, not its inside address, to clients for the DATA connections.
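    The two checks the thread keeps coming back to, as an added example (not code from the thread or from pfSense): a passive 227 reply must advertise the NATed address, not the server's inside rfc1918 address, and a data port inside the forwarded range; in active mode the client's PORT command tells the server where to connect out to from source port 20, so only 21 is forwarded. The NAT address and the 50000-50999 range are constructed values for the scenario above.

```python
import ipaddress
import re

# Constructed values for the scenario in the thread: the address pfSense
# NATs the FTP server to, and the passive range forwarded alongside port 21.
NAT_IP = "203.0.113.10"              # stand-in for the real WAN (or other NATed) address
PASSIVE_RANGE = range(50000, 51000)  # 50000-50999 as forwarded in the thread
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SIX_NUMBERS = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*?\(" + SIX_NUMBERS + r"\)")
PORT_RE = re.compile(r"^PORT " + SIX_NUMBERS)

def decode_hostport(groups):
    """FTP encodes ip:port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_pasv_reply(reply, nat_ip=NAT_IP, pasv_range=PASSIVE_RANGE):
    """Validate a server's 227 reply for a NATed deployment. Returns a list of
    problems; an empty list means a client beyond the port forward can open the
    data connection the server just advertised."""
    m = PASV_RE.match(reply)
    if not m:
        return ["not a 227 PASV reply"]
    ip, port = decode_hostport(m.groups())
    problems = []
    if ip != nat_ip:
        leaked = any(ipaddress.ip_address(ip) in n for n in RFC1918)
        leak = " (an RFC1918 inside address)" if leaked else ""
        problems.append(f"advertises {ip}{leak} instead of NATed address {nat_ip}")
    if port not in pasv_range:
        problems.append(f"data port {port} is outside forwarded range "
                        f"{pasv_range.start}-{pasv_range.stop - 1}")
    return problems

def active_data_connection(port_cmd, server_ip):
    """Active mode: the client's PORT command names where the *server* must
    connect out to, from source port 20. Only port 21 needs forwarding, but
    the server needs an outbound rule allowing this connection."""
    m = PORT_RE.match(port_cmd)
    if not m:
        raise ValueError("not a PORT command")
    client_ip, client_port = decode_hostport(m.groups())
    return {"src": (server_ip, 20), "dst": (client_ip, client_port)}
```

    Feed it the 227 line your server actually sends to a client to see whether the masquerade address and passive range are set the way the port forward expects.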



  • Hi,
    I don't want to use an internet connection, so do I need to configure port forwarding and an outside WAN address?

    I'm confused.
    Thanks a lot for your guidance, you're great.


  • Rebel Alliance Global Moderator

    So this is an internal network only? Why are you natting inside a rfc1918 network???  Are you??  If you're not natting then you wouldn't be port forwarding..

    As to my question on why you're forwarding passive.. Because you stated you wanted ACTIVE!!!  Then in your next post you're forwarding passive ports.. So that is the reason for my question..

    "I'm confused."

    Clearly I will agree with that statement 110% ;)

    So this is an internal network.. Why are you using ftp?? Why not something like smb, nfs or afp? And across a nat even??  WTF???

    But it does not matter if you're natting to a public or another rfc1918 address.  The fact you're natting means you need to make sure that the ftp server hands out the IP that its address is natted to, not its actual address.