    This is infuriating, FTP issues

    • nafeasonto

      pfSense for some reason is throwing me off as a firewall compared to ASA.

      I am trying to set up an FTP server.

      In IIS, I set the data port range to 25000-25020. Attached it to the public IP address.

      In the FTP site, I did the same thing, except the data port range is already set.

      In the PFSENSE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

      I can connect to my FTP, but it fails directory listing. I know the FTP works, as locally it can get the directory, so it's set up right.

      But why is PFSENSE STILL blocking the 25000-25020 range?

      What am I missing?

      • ptt Rebel Alliance

        Take a look at: https://forum.pfsense.org/index.php?topic=141629.msg773016#msg773016

        • nafeasonto

          I tried FileZilla server, it lists the directory maybe one or times then still fails.

          There is something wrong on the PFSENSE failing to forward the ports for some reason. What else am I missing?

          • johnpoz LAYER 8 Global Moderator

            "But why is PFSENSE STILL blocking the 25000-25020 range."

            That is a pretty short range.. Let's see the ftp history where it shows that in your PASV command… Troubleshoot your port forward issue if you say ftp server is using the correct range..

            https://doc.pfsense.org/index.php/FTP_Troubleshooting

            So you see here in simple connect to ftp I spun up local.. The PASV command returns 19,172 which = 19*256 + 172 or port 5036, which is great since I have ftp server set to use port 5000-5100

            Also you sure it's giving out your public IP.. See mine gave out the 192.168 address since I just connected to it local.. If you're going to be coming from public side it needs to give the public IP.. pfsense is not going to auto change that like it used to back in the day with the ftp helper/proxy.. You're not trying to test this via nat reflection are you - you're actually coming from the outside, not from some box on your network hitting your public IP hoping to get reflected back in.

            My other suggestion would be to just use sftp.. It's secure and only 1 port ;)

            Where is the client coming from? Maybe the passive port is blocked on their side... This is why ftp with its 2 different channels and the active and passive modes through nat - normally on both sides and restrictions in firewall is such a PITA.. It should have died off 10+ years ago... Just use SFTP, one single port 22.. It's either open or it's not.. easy peasy and you're not sending the freaking username and password in clear text ;)


            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01
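
Added example, not part of the thread and not code from any poster: a small checker for the two things the post above says to read out of the FTP log, namely which port the 227 reply decodes to and whether the advertised address is reachable from outside. The function names, the sample reply lines and the 203.0.113.5 placeholder address are assumptions made for this illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: an address in these is unreachable for a client on the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply line."""
    reply = reply.strip()
    m = PASV_TUPLE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"octet out of range in: {reply!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # e.g. 19,172 -> 19*256 + 172 = 5036
    return ip, port


def check_pasv(reply, forwarded_ports, public_ip=None):
    """List the reasons an outside client could not open the data channel."""
    ip, port = parse_pasv(reply)
    low, high = forwarded_ports
    problems = []
    if not low <= port <= high:
        problems.append(f"port {port} is outside the forwarded range {low}-{high}")
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append(f"server advertised private address {ip}")
    elif public_ip is not None and ip != public_ip:
        problems.append(f"server advertised {ip}, expected {public_ip}")
    return problems


# Constructed sample replies (addresses are placeholders, not from the thread).
LOCAL_REPLY = "227 Entering Passive Mode (192,168,1,10,19,172)"
PUBLIC_REPLY = "227 Entering Passive Mode (203,0,113,5,97,178)"
STRAY_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"

if __name__ == "__main__":
    for line, ports in ((LOCAL_REPLY, (5000, 5100)),
                        (PUBLIC_REPLY, (25000, 25020)),
                        (STRAY_REPLY, (25000, 25020))):
        print(parse_pasv(line), check_pasv(line, ports, "203.0.113.5") or "ok")
```

Feed it the 227 line from the client log of a session started from outside the network; an empty list means the reply is consistent with the forwarded range and the public address.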

            • Derelict LAYER 8 Netgate

              In the PFSENSE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

              Post said port forward.

              Chattanooga, Tennessee, USA
              The pfSense Book is free of charge!
              DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • johnpoz LAYER 8 Global Moderator

                Good catch Derelict - yeah "OUTSIDE address of my ISP" never going to work that way ;)
