FTPES Connections

  • Hello,

    I have a pfsense firewall which is working great except for one problem.

    I have an FTP server (FTPES) located at another location outside my network.

    I have set this up on both the FTP server and pfSense, and opened port 21 and ports 50000-50009 on both for passive FTP on the pfSense firewall.

    When I try to connect using FileZilla, I get the following:

    Status: Resolving address of ftpserver.me.com
    Status: Connecting to x.x.x.x:21…
    Status: Connection established, waiting for welcome message...
    Response: 220 Serv-U FTP Server v6.3 for WinSock ready...
    Command: AUTH TLS
    Response: 234 AUTH command OK. Initializing SSL connection.
    Status: Initializing TLS...
    Error: Connection timed out
    Error: Could not connect to server

    Any time information is supposed to be passed back through the firewall to the application, it dies. Regular FTP works great, but I need FTPES working. Any suggestions?


  • Since you forward the passive port range manually: did you make sure that the FTP helper is disabled on the involved interfaces?

  • How do I disable this? Will it impact any other services running?

    Also, if I turned off the manual port forwarding, would the system know to use the right passive ports?

    Do I keep the rules active for those ports or just turn off the port forwarding?

    Thanks again!

  • You disable it on the interface config page, at the bottom.

    The FTP helper is an FTP proxy that helps get FTP connections through restrictive rules.
    Since you manually forwarded the passive range, you don't need it.

    I don't think you can get FTPES running with the FTP helper.

  • A little more information was leaked to me from the previous admin (as I am new to here and he doesn't know the answer either).

    Here is the layout on our network.

    1. We have an FTP server on our internal side and it is also FTPES. That's why the ports are open. Our outside clients (not on our network) can connect and send/receive data.

    2. We also have a second IP address at a data centre. I have no problems connecting to this since I disabled the userland FTP proxy application on the LAN side. This is working great.

    When we try to connect to our internal FTP server, we have to use the external name of the server. When we try to connect to our FTP server, it connects as indicated, but when the FTP server tries to send the certificate information back to the FTP client, it times out. Normal FTP works but it takes a long time to connect. FTPES just doesn't work.

    I have turned on NAT reflection, as we have other applications that we need to use with our external names (laptops need access both inside and outside of our office).

    All your patience and help has been great.