How to set up FTP? (client behind pfSense, active mode)

  • I understand how FTP works in all modes (see and I have the following scenario:
    I want all clients on the LAN to be able to connect to random FTP servers on the Internet, mainly to download software, usually not even a login is required. Mostly by following links on web pages.
    I do understand that FTP is an old technology and should no longer be used, but unfortunately it is.
    When following links in browsers, I assume we are talking about Active FTP here. If I'm wrong, let me know.
    Passive FTP would work "out-of-the-box", but not with browsers and not when all upper ports are closed by default, so that's not an option.
    My previous router with DD-WRT supported this without configuring anything (maybe the browser was switching to passive FTP and of course outgoing traffic is always open there).
    Then I had a ZyWALL, where I had to enable FTP ALG to get this working.
    Now I have pfSense and don't know how to configure this. I understand that older versions had FTP ALG, but this is no longer included or something.
    I heard there are "packages" to install this FTP proxy. I know FTP is crap, but as long as it is used (=forever) pfSense should provide some support for it.
    The help page for this ( also doesn't tell anything how to set this up (except "will not work"). There's a link to a command-line tool though. Is there any documentation on how to set this up? I mean this must be something that everyone needs, so it should be fairly common. I see a lot of questions, but no real answers to this.

  • LAYER 8 Netgate

    Look at the FTP Client Proxy package.

  • @Derelict:

    Look at the FTP Client Proxy package.

    Thanks for your reply Derelict. Unfortunately I already knew that I probably needed to install a package or something (see my question). As I'm new to pfSense, I was looking for instructions. Anyway, after some more hours of googling, I found the solution myself. For anyone else reading this thread, here's the solution. It always is easy or even trivial after you know the solution.

    I found the thread where user jimp in this forum explains that he implemented this package. The link goes to GitHub (, to a specific commit, and the post is from 2015, but looking at the GitHub repository, there are 12112 commits, with the latest from 12 Oct 2015.
    Anyway, there is no need to work with GitHub, or compile anything, here are the simple instructions:

    1. Remove all FTP-related firewall rules you have already added while trying around.
    2. In pfSense, go to System / Package Manager / Available Packages and install "FTP_Client_Proxy"
    3. Go to Services / FTP Client Proxy and select the following options:

    • Check "Enable the FTP Proxy"
    • Local Interface = LAN
    • Check "Early Firewall Rule" (only if you have a "block all" rule at the end)
    • Save

    I tested with pfSense version 2.4.2-RELEASE-p1 (amd64) and it works fine from the browser.

    Very simple and straightforward - if you know how.

  • @e4ch Thank you so much for posting this clear, and now I've understood it, simple solution to a problem I was fighting. Saved me a ton of hair pulling!

Log in to reply