pfSense FTP issue

  • Hi there,

    I just installed pfSense as my old DD-WRT router was not capable of handling my new internet speed.
    However, when I wanted to port forward my FTP server (yes yes yes, I know I shouldn't be using FTP as it's old and insecure, blablabla), I came by a little issue:

    Server sent passive reply with unroutable address. Using server address instead.

    I've done my fair share of looking on the forums, and pretty much everything came down to one solution:

    Port forward the ports for the passive mode

    However, here comes the fun part:

    It will be a huge pain in the buttocks to do so.
    Why you ask?
    Well… I don't really have just one FTP server running here I need to access, I have a bunch of them running I need to access.
    So opening all the ports for all servers will be a pain in the buttocks.

    So my question is: How can I do this without opening all the ports for the passive mode?
    The odd part in my opinion: DD-WRT worked perfectly fine with opening just the FTP port, yet pfSense doesn't like this.

    I hope somebody can help me, because opening all the passive ports, for about 10-15 servers, can become a nightmare.
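The client message quoted in the post above means the server's 227 PASV reply advertised an address the client could not reach (typically the server's LAN address behind NAT), so the client fell back to the address of the control connection. The following added example, which is not code from the thread or from pfSense, parses a PASV reply and applies that same fallback; all function names and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# Address ranges a client on the public Internet can never reach directly
# (RFC 1918 private space, loopback, link-local, CGNAT, multicast, reserved).
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised in a 227 PASV reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_unroutable(host: str) -> bool:
    """True if the address lies in a range that is not reachable from the Internet."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in UNROUTABLE_NETS)


def choose_data_endpoint(reply: str, control_host: str) -> tuple[str, int, bool]:
    """Pick where to open the data connection.

    If the server advertises an unroutable address (its LAN address behind NAT),
    keep the advertised port but connect to the address the control connection
    already uses. Returns (host, port, substituted).
    """
    host, port = parse_pasv(reply)
    if is_unroutable(host):
        return control_host, port, True
    return host, port, False


if __name__ == "__main__":
    # Constructed sample: a server behind NAT leaking its LAN address in PASV.
    sample = "227 Entering Passive Mode (192,168,1,20,195,89)"
    print(choose_data_endpoint(sample, "203.0.113.10"))  # ('203.0.113.10', 50009, True)
```

The substitution only repairs the advertised host; the data port (50009 in the sample) still has to be reachable through the firewall, which is exactly the passive port-forwarding problem the thread is about.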


  • LAYER 8 Global Moderator

    DD-WRT has a helper/proxy.  The pfSense helper proxy for FTP was removed a few versions back.. A package was created to put the active mode client back in.

    If you ran your servers in active mode, then you wouldn't have any issues on your side.  You just need to forward the ports you want to use for the control channel to your servers; since the servers would then be making the connection back to the client, it wouldn't be a problem on your side.

  • So if I understand you correctly, I should put my server in active mode, then just forward port 21 and it should work?

    Why was the helper proxy for FTP removed?
    It is such a helpful (and in my opinion, pretty necessary) thing to have.

  • LAYER 8 Global Moderator

    Because FTP should have died years ago.. Just like how they removed the PPTP server.. These protocols are NOT secure!  And if you use FTPS the helper cannot work because it cannot see the control channel info.  If you use SFTP as you should, then you have no need for it.

    If you really want to run ftp, you don't really need a helper..  Active server behind does not need it.  BTW your clients have to select active, your server just needs to allow it.  Passive you can forward the ports.  And even active client you could do - since the source port is 20 you could allow source port 20 traffic into your client.

    This can be a pain if you have multiple clients, which is why they created the FTP client package you can add if you just cannot wake up and smell the coffee of the century you're in and use a secure way to transfer your files ;)  You do understand SFTP is FREE just like FTP, easier and SECURE!!!

    Runs on any OS.. You running an ftp server is on you..  So you choose to be not secure..

  • Hi there,

    I do understand SFTP is safer, but for now, FTP is the way for me to roll (I am, however, looking into SFTP to replace FTP in the near future, just didn't get it in my head just yet, so there is still hope).

    Thanks for the information, I can continue for now :)

  • Because FTP should have died years ago.

    I don't have a problem with anonymous FTP servers.  They're easy to set up for making files publicly available.

  • LAYER 8 Global Moderator

    And all it does is promote continued use of a dead protocol.. Why not just host your files anonymously via HTTP?  That is how I provide my iperf3 compiles for Windows to the public internet.
