FTP On Port 21

  • Having a tough time NAT-ing FTP to an internal server. Can connect with port 21 but port 20 won't open.

  • LAYER 8 Netgate

    An active FTP server requires port 20 be open on the CLIENT side, not the server side. That is what the FTP proxy package does for CLIENTS behind pfSense, not servers.

    Inbound connections to a passive server do not use port 20.


    Hint: Just use SFTP/SCP.

  • Understand that part of it. I have port 21 NAT-ed to the internal server. But when the client connects it can't get a directory listing or push data. This is my first experience with pfSense and it's very confusing. So I've been researching and looking for examples. I've read that link you supplied maybe 4 times, and there aren't any videos I've found with any demonstration of how to set FTP up on the regular port 21. I've only opened the control port for FTP because the client said it was necessary. But since my earlier post I've been successful in connecting to the server from outside my LAN if I change my FileZilla setting to fall back to active mode. And that's the only way I've been able to connect.

  • LAYER 8 Netgate

    Is the server in active or passive mode?

    Did you read the links I forwarded?

    Active mode requires that the client side pass an incoming port 20 connection from the server. There is nothing your firewall can do to facilitate that other than allowing the connection outbound, which would be the default.

    FTP is an antiquated protocol that is not firewall-friendly.

    For passive mode you need to:

    1. Instruct/set the server to use the actual outside address the client should connect to in the passive mode protocol handshake.
    2. Set the passive port range in the server and forward those ports inbound to the server just like you do with port 21.

  • The server settings I can't change. It's locked down. As stated before, my prior firewall dynamically created the necessary ports needed to communicate over FTP between the client and server on ports 21 and 20. On pfSense that does not happen and I have no idea how to get it to create the necessary ports to communicate with the client. I've tried making a rule that allows port 20 on the LAN to send data on any port over my WAN and main LAN, I've uninstalled the FTP proxy package, I've even tried 1:1 rules where the client's server connects directly to my internal server and traffic on any port flows to any port. The only way this works is in active mode, and I can't fathom that pfSense does not give the necessary tools for this to work when a 6-year-old SonicWall did. And this is the only thing that I haven't gotten to work. Every other FTP server behind my WAN is on other ports; they work fine for the most part in active or passive mode, and if I could change this server's ports I would, but I can't.

  • LAYER 8 Netgate

    Again, active FTP requires an FTP Application Layer Gateway at the client end to open the ephemeral destination port sourced from the ftp-data port (port 20) for the data connection from the server to the client based on what it sees in the FTP protocol stream (the PORT command sent from the client telling the server where to connect for ftp-data).

    There is nothing pfSense on the server side can do there. "It worked on the sonicwall" leads me to believe you didn't have a firm grasp of what was happening before or you are not accurately describing the problem.


  • LAYER 8 Global Moderator

    How/why are we still talking about FTP... Our last discussion of this should have been 10+ years ago, and even then it should have been techs discussing the old days of FTP and the PITA it "was" to use via NAT.

    Step 1 in troubleshooting this long-should-have-died protocol is understanding how it works, and what you're using: active or passive.

    Here is a great, easy-to-understand write-up about the 2 different modes and what direction the data channel is opened in when using active or passive.


    If it's your server, just shut it down and use SFTP to transfer your files to and from it. It's 1 port, none of this active/passive control/data channel nonsense that causes users so much grief. As a side benefit, it's not sending your username and password in the clear in your control channel like FTP ;)

  • Maybe I'm not explaining this right. From outside of my work network I can connect to this particular server using port 21 with FileZilla if I have the settings set to fall back to active mode; everything works fine if I do that. The problem is the server is at my job. It's a piece of high-tech equipment, it's locked down, and I can't get into it to make any changes that would be more up to date or easier to use. Plus the company that is FTP-ing data into the server will not change their settings just for my station. So I'm stuck trying to get pfSense to do what the SonicWall did. I do have a firm grasp on what the SonicWall did; I even looked it up just to make sure I wasn't going crazy: https://www.sonicwall.com/en-us/support/knowledge-base/170505318942162. In that manual or guide it specifically states "SonicWall overcomes this problem by actively scanning FTP traffic using DPI and dynamically opening ports required for clients to connect to the server. This way, only the Control port, TCP port 21, requires to be explicitly opened in the SonicWall." So the SonicWall was doing in the background, dynamically, what I have to program pfSense to do. I'm not on here trying to get someone to do anything for me or trying to get mocked. I'm on here as a last resort trying to get some help because I don't want to give up on this wonderful product. But if it's not possible to get this to do what I need, can someone please just let me know, or if it can and I'm just not going about it the right way, I would really, really appreciate some guidance.

  • LAYER 8 Netgate

    That sounds like your FTP server is in passive mode, not active. That brings us back to this:

    For passive mode you need to:

    1. Instruct/set the server to use the actual outside address the client should connect to in the passive mode protocol handshake.
    2. Set the passive port range in the server and forward those ports inbound to the server just like you do with port 21.

    If you do not know the range of the passive FTP ports the server uses you will have to do some sleuthing to get them.

    Anyone who makes such a device should have documentation on the ports required.

    It makes perfect sense that it used to work and now doesn't if the old firewall has an ALG for passive FTP on the server side.
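
The two Netgate replies above (the active-mode explanation of the PORT command and the server's connection from tcp/20, and the passive-mode steps plus the "sleuthing" for the PASV port range) both come down to reading what the control channel actually advertises. The following is an added example, not code from the thread or from pfSense: a small Python parser that takes a logged FTP control-channel exchange (the sample session below is constructed, not a real capture; the addresses and the forwarded range are assumptions) and reports, for each data channel, who opens the TCP connection, to which address and port, and which of the two passive-mode steps a NATed server is failing.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample control-channel log, "C:" = client, "S:" = server.
# The private address in the 227 reply and the PORT endpoint are assumptions
# chosen to show both failure modes; they are not from the thread.
SAMPLE_SESSION = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@example.com",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,168,1,50,195,89).",
    "C: LIST",
    "S: 150 Here comes the directory listing.",
    "C: PORT 203,0,113,7,4,1",
    "S: 200 PORT command successful.",
]

# RFC 959 encodes host and port as six comma-separated decimal bytes:
# h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass
class DataChannel:
    mode: str       # "passive" or "active"
    host: str       # endpoint advertised on the control channel
    port: int
    direction: str  # which side opens the TCP data connection


def decode_hostport(groups):
    """Turn the six RFC 959 byte fields into (dotted host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_data_channels(lines):
    """Extract every data-channel negotiation from a logged control session."""
    channels = []
    for line in lines:
        who, _, text = line.partition(": ")
        if who == "S":
            m = PASV_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                # Passive: the CLIENT connects to host:port on the server.
                channels.append(DataChannel("passive", host, port, "client -> server"))
        elif who == "C":
            m = PORT_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                # Active: the SERVER connects from tcp/20 to host:port on the client.
                channels.append(DataChannel("active", host, port, "server:20 -> client"))
    return channels


def firewall_findings(channels, passive_range=None):
    """List what a NATed server (passive) or NATed client (active) will break on.

    passive_range is the (low, high) tcp range forwarded inbound to the server,
    or None if no range has been forwarded yet.
    """
    findings = []
    for ch in channels:
        if ch.mode == "passive":
            if ipaddress.ip_address(ch.host).is_private:
                findings.append(
                    f"PASV advertises private address {ch.host}: the server must be "
                    f"told the public address clients should connect to (step 1)")
            if passive_range is None or not (passive_range[0] <= ch.port <= passive_range[1]):
                findings.append(
                    f"PASV port {ch.port} is not in the forwarded range {passive_range}: "
                    f"set the server's passive range and forward it like port 21 (step 2)")
        else:
            findings.append(
                f"PORT asks the server to connect from tcp/20 to {ch.host}:{ch.port}: "
                f"only the client-side firewall can allow that inbound; server-side NAT cannot help")
    return findings


if __name__ == "__main__":
    chans = parse_data_channels(SAMPLE_SESSION)
    for ch in chans:
        print(f"{ch.mode:7} {ch.direction:22} {ch.host}:{ch.port}")
    for f in firewall_findings(chans, passive_range=(50000, 50100)):
        print("!", f)
```

Run it against a real control-channel log (FileZilla's message log, or the server's own log) and the 227 replies give you the passive range to forward and show whether the server is advertising a private address; a PORT line from the far side tells you the data connection is active and has to be allowed at the client end, which is the case a server-side pfSense rule cannot fix.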

  • Thank you all for all your support and help. After doing a 1:1 mapping of my external IP address to my internal FTP server that's set to port 21, with the FTP port port-forwarded, it worked!! 😰

  • LAYER 8 Netgate

    And I assume a pass any rule to the 1:1.

    Which is...not recommended.

  • Yes, it's a pass any rule. How can I fine-tune it?

  • LAYER 8 Netgate

    By obtaining the range of ports that the FTP server actually requires for the passive transfers and only forwarding those.
