Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    FTP Server Behind pfSense

    Scheduled Pinned Locked Moved NAT
    12 Posts 4 Posters 2.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rsecor
      last edited by

      Before I receive the usual comments...

      1. No it has to be normal FTP.
      2. No I cannot change it since it would require getting an entire industry (the Automative Industry) to change, which is something I do not have the ability to do.

      We have an FTP Server (ProFTPD) on a server that is behind pfSense.
      It works find in Passive but we MUST have it work in Active (again due to not being able to change anything outside our control).
      pfSense -> NAT is setup to Pass all port 20 and 21 traffic from anywhere to the private IP address of the machine running the FTP Server.
      pfSense -> Firewall is setup to Pass all traffic (both IPv4 and IPv6 -- just in case) from the private local network (which includes the FTP Server) to the rest of the world.
      As an added bonus.... pfSense is behind an AT&T U-verse Gateway (Pace 5268AC) which is setup to Allow and forward all traffic to the public IP address for ports 20 and 21 to the firewall (pfSense).

      We would like it to work in Active, not just Passive.
      Any reasonable thoughts?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by Derelict

        Active mode requires an ALG at the FTP CLIENT side. There is nothing you can do on the server side to make it work.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          @rsecor said in FTP Server Behind pfSense:

          pfSense -> NAT is setup to Pass all port 20 and 21 traffic from anywhere to the private IP address of the machine running the FTP Server.

          Learn how FTP works would be my suggestion.. Port 20 is never going to be destination port in FTP... Its a source port that would be used to talk to the port in an active connection.

          As stated by derelict if your ftp server is behind pfsense.. If your not blocking your ftp server from creating outbound traffic, active not working has zero to do with the server side... There is NOTHING you can do on pfsense to have this work if the client doesn't allow the data connection from your server.. Or for that matter sends the wrong freaking IP in the first place. Have seen many a client send their rfc1918 IP..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • R
            rsecor
            last edited by

            @Derelict The server the connection is coming from had no issue connecting to other servers via active. If ALG is not on the FTP Client side what would this mean?

            @johnpoz My understanding from http://slacksite.com/other/ftp.html is that under an active connection Port 20 is a data port on the server which could receive data from the data port on the client side. Is this incorrect?

            I tried it from a different machine out in the wild with some debugging on showing that the data port the client machine is opening up is received by the server but subsequent data port related commands die after a timeout.
            ftp> pass
            Passive mode off.
            ftp> ls
            ftp: setsockopt (ignored): Permission denied
            ---> PORT x,x,x,x,224,109
            200 PORT command successful
            ---> LIST
            425 Unable to build data connection: Connection timed out

            johnpozJ 1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              FTP Servers inside the firewall:

              FTP in active mode requires an FTP Application Layer Gateway at the client end to open the ephemeral destination port sourced from the ftp-data port (port 20) for the data connection from the server to the client based on what it sees in the FTP protocol stream (the PORT command sent from the client telling the server where to connect for ftp-data).

              If the FTP Data connection is allowed from the server outbound by the server side firewall the server side firewall's job is done.

              Looks to me like the client does not have permission to open the dataport listener on the local host based on those logs but not sure what you're using there.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @rsecor
                last edited by johnpoz

                @rsecor said in FTP Server Behind pfSense:

                Port 20 is a data port on the server which could receive data from the data port on the client side. Is this incorrect?

                It would never be used as a DEST port... It would be the SOURCE port... So there would never be a reason to port forward it anywhere..

                PORT x,x,x,x,224,109

                So that command is telling the server to contact IP x.x.x.x on port (224*256)+109 = port 57453... Now it would more than likely do that from "source" port 20... So on the client side port 57453 has to be allowed and forwarded to the client.

                20 never comes into play on any forward or firewall rule.. Unless the server outbound firewall was set to say only allow outbound traffic from source port 20.. 20 is never need to be forwarded in any ftp setup be it active, passive..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • R
                  rsecor
                  last edited by

                  From the other side of this (the client side) is able to connect active with no problem elsewhere.
                  Which is why we believe it is something on our side.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    Well sniff the freaking traffic... Do you send SYN to their port they call for in their control channel? If so then its NOT you!!

                    If your not sending the SYN to their data port then it is you... But there is NO setting to do in pfsense that makes this work... The client side is the one that has to allow the traffic... If your not blocking your server from making outbound connections on any port the data connection is on then its NOT pfsense.

                    Simple sniff on pfsense wan will tell you this in like 30 seconds..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Here I fired up ftp server on my nas... Did a simple port forward - sniff and boom there you go..

                      0_1540848790895_ftptest.png

                      You can see the port command 216*256 + 23 is port 55319... There you go you see my syn and then answer, etc.

                      Now since pfsense is doing NAPT source port would be random that pfsense changes.. that is how any nat works.. Are they restricting you have to come from source port 20??

                      validate you send the SYN...

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        Static source port 20 outbound NAT rule. That's probably it.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • GrimsonG
                          Grimson Banned
                          last edited by Grimson

                          Get a routed public IP and route it directly to the machine running the FTP server (you want it in a DMZ anyway). This way the FTP server is directly connected to the Internet and no NAT is happening, any issues when using either active or passive are then on the client side.

                          1 Reply Last reply Reply Quote 1
                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by Derelict

                            Just kill FTP with 🔥

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 2
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.