Netgate Discussion Forum

    NAT for FTP server not working

      supportoGecoit

      Hello everyone, I have a problem with the NAT on my pfSense:
      I created an FTP server on IIS 6.1; this server uses port 55536 because port 21 is already used by another FTP server. When I try to connect from an FTP client (FileZilla) it gives me the following error:
      Status: Disconnected from the server
      Status: Resolution of the IP address ftptoday.gecoit.com in progress
      Status: Connecting to 95.110.XXX.XXX:55536 …
      Status: Connection established, waiting for the welcome message ...
      Status: Server not secure, does not support FTP over TLS.
      Status: Login made
      Status: Reading Folder List ...
      Status: The server sent a passive response containing an unreachable address. The server address will be used.

      On the pfSense I have configured the following NAT rule:

      Also, when I try to connect via the private IP 192.168.1.3 the server connects correctly; the error is displayed only when using the public IP 95.110.XXX.XXX.

      How can I solve this problem? Any ideas?

      Thanks a lot to everyone.

      nat.PNG

        KOM

        You need to configure your ftp server to use its WAN IP address, not its LAN address.  You need to properly define your passive range and make sure it's also forwarded.

        https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

          supportoGecoit

          Hi KOM,

          I have set the passive doors on IIS, from 49152-65535, open all the doors also on the PFSENSE; now when I try to connect this is the error that it gives me back:

          Stato: Disconnesso dal server
          Stato: Connessione a 95.110.XXX.XXX:55536…
          Stato: Connessione stabilita, in attesa del messaggio di benvenuto...
          Stato: Server non sicuro, non supporta FTP su TLS.
          Stato: Accesso effettuato
          Stato: Lettura elenco cartelle...
          Comando: PWD
          Risposta: 257 "/" is current directory.
          Comando: TYPE I
          Risposta: 200 Type set to I.
          Comando: PASV
          Risposta: 227 Entering Passive Mode (95,110,XXX,XXX,219,38).
          Comando: LIST
          Risposta: 150 Opening BINARY mode data connection.
          Errore: Timeout connessione dopo 20 secondi di inattività
          Errore: Non è stato possibile leggere il contenuto della cartella

          and do not connect, do you have any other ideas?

          Thanks

            johnpoz LAYER 8 Global Moderator

            "open all the doors also on the PFSENSE"

            So you forwarded that huge range of passive ports?  That is nuts!!!  Set your server to use a reasonable number of ports, say 58000-58100, etc. How many clients do you expect to be connected at the same time?

            Your current log shows that it tried to connect to port 219*256 + 38 = 56,102

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              KOM

              "and do not connect, do you have any other ideas?"

              Did you reconfigure IIS so that it thinks it's using your public address and not its LAN address like I said?  For example, when I used to use vsftpd, you had to configure passive like this:

              pasv_enable=YES
              pasv_min_port=50000
              pasv_max_port=50100
              pasv_address=a.b.c.d
              

              where 50000-50100 is your passive range and a.b.c.d is your WAN IP address.

              1 Reply Last reply Reply Quote 0
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.