NAT for FTP server not working

supportoGecoit

hello to everyone, I have a problem on the nat of my PFSENSE:
I created an FTP server on IIS 6.1, this server uses port 55536 because the 21 is already used by another FTP server. when I try to connect from an FTP client (FILEZILLA) it gives me the following error:
Status: Disconnected from the server
Status: Resolution of the IP address ftptoday.gecoit.com in progress
Status: Connecting to 95.110.XXX.XXX:55536 …
Status: Connection established, waiting for the welcome message ...
Status: Server not secure, does not support FTP over TLS.
Status: Login made
Status: Reading Folder List ...
Status: The server sent a passive response containing an unreachable address. The server address will be used.

on the pf sense I have configured the following NAT rule:

also trying to connect via private IP 192.168.1.3 the server connects correctly, the error is displayed only using the public ip 95.110.XXX.XXX.

how can I solve this problem? some idea?

thanks a lot to everyone

KOM

You need to configure your ftp server to use its WAN IP address, not its LAN address.  You need to properly define your passive range and make sure it's also forwarded.

https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

supportoGecoit

hi KOM,

i have passive on iis the passive doors, from 49152-65535, open all the doors also on the PFSENSE, now when I try to connect this is the error that gives me back

Stato: Disconnesso dal server
Stato: Connessione a 95.110.XXX.XXX:55536…
Stato: Connessione stabilita, in attesa del messaggio di benvenuto...
Stato: Server non sicuro, non supporta FTP su TLS.
Stato: Accesso effettuato
Stato: Lettura elenco cartelle...
Comando: PWD
Risposta: 257 "/" is current directory.
Comando: TYPE I
Risposta: 200 Type set to I.
Comando: PASV
Risposta: 227 Entering Passive Mode (95,110,XXX,XXX,219,38).
Comando: LIST
Risposta: 150 Opening BINARY mode data connection.
Errore: Timeout connessione dopo 20 secondi di inattività
Errore: Non è stato possibile leggere il contenuto della cartella

and do not connect, do you have any other ideas?

tanks

johnpoz

"open all the doors also on the PFSENSE"

So you forwarded that huge range of passive ports?  That is nuts!!!  Set your server to use a reasonable number of ports say 58000-58100, etc.. How many clients do you expect to be connected at the same time..

Your current log shows that tried to connect to port 219*256 + 38 = 56,102

KOM

and do not connect, do you have any other ideas?

Did you reconfigure IIS so that it thinks its using your public address and not its LAN address like I said?  For example, when I used to use vsftpd, you had to configure passive like this:

pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
pasv_address=a.b.c.d

where 50000-50100 is your passive range and a.b.c.d is your WAN IP address.