Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    This is infuriating, FTP issues

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 4 Posters 593 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nafeasonto
      last edited by

      PfSense for some reason is throwing me off as a firewall compared to ASA.

      I am trying to set up a FTP server.

      IN IIS, i set the data port range, to 25000-25020.  Attached it to the public IP address.

      IN the FTP site, I did the same thing, except data port range is already set.

      In the PFSENE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

      I can connect to my FTP, but it fails directory listing, I know the FTP works, as locally it can get the directory, so it's setup right.

      But why is PFSENSE STILL blocking the 25000-25020 range.

      What am I missing.

      1 Reply Last reply Reply Quote 0
      • pttP
        ptt Rebel Alliance
        last edited by

        Take a look at: https://forum.pfsense.org/index.php?topic=141629.msg773016#msg773016

        1 Reply Last reply Reply Quote 0
        • N
          nafeasonto
          last edited by

          I tried FileZilla server, it lists the directory maybe one or times then still fails.

          There is something wrong on the PFSENSE failing to forward the ports for some reason, what else am I missing.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            "But why is PFSENSE STILL blocking the 25000-25020 range."

            That is a pretty short range.. Lets see the ftp history where it shows that in your PASV command…  Troubleshoot your port forward issue if you say ftp server is using the correct range..

            https://doc.pfsense.org/index.php/FTP_Troubleshooting

            So you see here in simple connect to ftp I spun up local.. The PASV command returns 19,172 which = 19*256 + 172 or port 5036, which is great since have ftp server set to use port 5000-5100

            Also you sure its giving out your public IP.. See mine gave out the 192.168 address since I just connected to it local..  If your going to be coming from public side it needs to give the public IP.. pfsense is not going to auto change that like it use to back in the day with the ftp helpler/proxy..  Your not trying to test this via nat reflection are you - your actually coming from the outside, not from some box on your network hitting your public IP hoping to get reflected back in.

            My other suggestion would be to just use sftp.. Its secure and only 1 port ;)

            Where is the client coming from?  Maybe the passive port is blocked on their side... This is why ftp with its 2 different channels and the active and passive modes through nat - normally on both sides and restrictions in firewall is such a PITA.. It should of died off 10+ years ago... Just use SFTP, one single port 22.. Its either open or its not.. easy peasy and your not sending the freaking username and password in clear text ;)

            pasvport.png
            pasvport.png_thumb

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              In the PFSENE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

              Post said port forward.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Good catch Derelict - yeah "OUTSIDE address of my ISP" never going to work that way ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.