This is infuriating, FTP issues

nafeasonto

PfSense for some reason is throwing me off as a firewall compared to ASA.

I am trying to set up a FTP server.

IN IIS, i set the data port range, to 25000-25020.  Attached it to the public IP address.

IN the FTP site, I did the same thing, except data port range is already set.

In the PFSENE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

I can connect to my FTP, but it fails directory listing, I know the FTP works, as locally it can get the directory, so it's setup right.

But why is PFSENSE STILL blocking the 25000-25020 range.

What am I missing.

ptt

Take a look at: https://forum.pfsense.org/index.php?topic=141629.msg773016#msg773016

nafeasonto

I tried FileZilla server, it lists the directory maybe one or times then still fails.

There is something wrong on the PFSENSE failing to forward the ports for some reason, what else am I missing.

johnpoz

"But why is PFSENSE STILL blocking the 25000-25020 range."

That is a pretty short range.. Lets see the ftp history where it shows that in your PASV command…  Troubleshoot your port forward issue if you say ftp server is using the correct range..

https://doc.pfsense.org/index.php/FTP_Troubleshooting

So you see here in simple connect to ftp I spun up local.. The PASV command returns 19,172 which = 19*256 + 172 or port 5036, which is great since have ftp server set to use port 5000-5100

Also you sure its giving out your public IP.. See mine gave out the 192.168 address since I just connected to it local..  If your going to be coming from public side it needs to give the public IP.. pfsense is not going to auto change that like it use to back in the day with the ftp helpler/proxy..  Your not trying to test this via nat reflection are you - your actually coming from the outside, not from some box on your network hitting your public IP hoping to get reflected back in.

My other suggestion would be to just use sftp.. Its secure and only 1 port ;)

Where is the client coming from?  Maybe the passive port is blocked on their side... This is why ftp with its 2 different channels and the active and passive modes through nat - normally on both sides and restrictions in firewall is such a PITA.. It should of died off 10+ years ago... Just use SFTP, one single port 22.. Its either open or its not.. easy peasy and your not sending the freaking username and password in clear text ;)

Derelict

In the PFSENE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

Post said port forward.

johnpoz

Good catch Derelict - yeah "OUTSIDE address of my ISP" never going to work that way ;)