NAT for FTP server not working

  • hello to everyone, I have a problem on the nat of my PFSENSE:
    I created an FTP server on IIS 6.1, this server uses port 55536 because the 21 is already used by another FTP server. when I try to connect from an FTP client (FILEZILLA) it gives me the following error:
    Status: Disconnected from the server
    Status: Resolution of the IP address in progress
    Status: Connecting to 95.110.XXX.XXX:55536
    Status: Connection established, waiting for the welcome message ...
    Status: Server not secure, does not support FTP over TLS.
    Status: Login made
    Status: Reading Folder List ...
    Status: The server sent a passive response containing an unreachable address. The server address will be used.

    on the pf sense I have configured the following NAT rule:

    also trying to connect via private IP the server connects correctly, the error is displayed only using the public ip 95.110.XXX.XXX.

    how can I solve this problem? some idea?

    thanks a lot to everyone

  • You need to configure your ftp server to use its WAN IP address, not its LAN address.  You need to properly define your passive range and make sure it's also forwarded.

  • hi KOM,

    i have passive on iis the passive doors, from 49152-65535, open all the doors also on the PFSENSE, now when I try to connect this is the error that gives me back

    Stato: Disconnesso dal server
    Stato: Connessione a 95.110.XXX.XXX:55536
    Stato: Connessione stabilita, in attesa del messaggio di benvenuto...
    Stato: Server non sicuro, non supporta FTP su TLS.
    Stato: Accesso effettuato
    Stato: Lettura elenco cartelle...
    Comando: PWD
    Risposta: 257 "/" is current directory.
    Comando: TYPE I
    Risposta: 200 Type set to I.
    Comando: PASV
    Risposta: 227 Entering Passive Mode (95,110,XXX,XXX,219,38).
    Comando: LIST
    Risposta: 150 Opening BINARY mode data connection.
    Errore: Timeout connessione dopo 20 secondi di inattività
    Errore: Non è stato possibile leggere il contenuto della cartella

    and do not connect, do you have any other ideas?


  • LAYER 8 Global Moderator

    "open all the doors also on the PFSENSE"

    So you forwarded that huge range of passive ports?  That is nuts!!!  Set your server to use a reasonable number of ports say 58000-58100, etc.. How many clients do you expect to be connected at the same time..

    Your current log shows that tried to connect to port 219*256 + 38 = 56,102

  • and do not connect, do you have any other ideas?

    Did you reconfigure IIS so that it thinks its using your public address and not its LAN address like I said?  For example, when I used to use vsftpd, you had to configure passive like this:


    where 50000-50100 is your passive range and a.b.c.d is your WAN IP address.

Log in to reply