    Default allow LAN to any rule above VPN -> FTP Retrieving directory listing works on Unsecure FTP

    Category: Firewalling | 8 Posts, 2 Posters, 1.2k Views
    ressurex (last edited by johnpoz)

      Can someone explain what I am doing right? Or wrong?

      The problem was that I use a VPN gateway with always on (privacy concern). And when using SFTP the download speed is 50%. But with normal unsecure FTP it's almost 100%. And since I don't need double encryption either, unsecured is what I want due to download speeds of my very large files.

      I have standard firewall rules in LAN and the ones pfBlockerNG has created, including some LAN devices that are not allowed Internet access.
      Then I have always had the Default allow LAN to any rule at the bottom too. This has always worked fine.

      When I try to log on to my FTP server using FileZilla and normal unsecure FTP, it states the error:
      Error: Failed to retrieve directory listing

      Error:

      Command: CWD /LINUX/ISOS/FINISHED
      Response: 250 Directory successfully changed.
      Command: PWD
      Response: 257 "/LINUX/ISOS/FINISHED"
      Command: TYPE I
      Response: 200 Switching to Binary mode.
      Command: PORT 95,174,xx,xx,4,236
      Response: 200 PORT command successful. Consider using PASV.
      Command: LIST
      Response: 425 Failed to establish connection.
      Error: Failed to retrieve directory listing

      But!! When I move the Default allow LAN to any rule above VPN rules, the ftp Directory listing is successful, and I can browse and download etc.

      Success:

      Status: Resolving address of ftpserverDK.site
      Status: Connecting to (censored IP):21...
      Status: Connection established, waiting for welcome message...
      Status: Logged in
      Status: Retrieving directory listing of "/LINUX/ISOS/FINISHED "...
      Status: Directory listing of "/LINUX/ISOS/FINISHED" successful

      Is it just because the Default allow LAN to any rule above VPN rules will allow port 21 to be used for ftp?
      When I don’t move the Default allow LAN to any rule above VPN rules, SFTP normally works fine with port 22. But FTP doesn’t.

      Can someone tell me why that is, so I understand the issue with my FTP server a bit. I really don't see why Default allow LAN to any rule above VPN rules is a problem?? But I am a bit worried that it gives me security issues I simply don't understand, hence my VPN and everything is worthless etc.

      Semi Newbie Question: Why does only Default allow LAN to any rule above VPN rules give my FileZilla a successful directory listing using ftp(21)?


      johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

        @ressurex said in Default allow LAN to any rule above VPN -> FTP Retrieving directory listing works on Unsecure FTP:

        VPN rules give my FileZilla a successful directory listing using ftp(21)?

        FTP doesn't use 21 for directory listing, that is just the control channel, data will be port 20 as source in active. You're using active it seems like - since it suggests you switch to PASV.. And see the PORT command telling the server which IP and port to connect to..

        This can work if you're using the FTP active package, but it would have to be set up to use the correct interfaces... And are you talking to the VPN endpoint for FTP or some other server past your VPN endpoint.. If past - your VPN endpoint would have to allow for the active connection to come back and be sent down the tunnel to you.

        I suggest you read up on how ftp works for control and data and difference between active and passive connections.
        https://slacksite.com/other/ftp.html

        You're going to be better off just using passive to access FTP servers outside pfSense, now pfSense doesn't need to create any firewall rules for the active to come back in.. And it will allow you to route your traffic how you want via your VPN if you want.

        SFTP works differently - it only uses the one port (22).

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

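To make the active/passive distinction in the reply above concrete, here is an added example (not from the thread, pfSense or FileZilla) that decodes the six-number host/port tuple carried by a client PORT command or a server 227 reply and reports which side opens the data connection. The sample lines are constructed; only the p1,p2 pair (4,236) is taken from the thread's PORT command.

```python
import re
from dataclasses import dataclass

# Both the PORT command (active mode) and the 227 reply (passive mode) carry
# six decimal fields: four IPv4 octets, then the port as p1*256 + p2.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" or "passive"
    host: str        # address the data connection is made to
    port: int        # TCP port the data connection is made to
    initiator: str   # "server" (active) or "client" (passive)


def parse_data_channel(line: str) -> DataChannel:
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command or a server
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError(f"no host/port tuple in: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in: {line!r}")
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    text = line.lstrip()
    if text.upper().startswith("PORT"):
        # Active: the client names an address; the server opens a NEW inbound
        # TCP connection (from its port 20) to the client for the listing/data.
        return DataChannel("active", host, port, "server")
    if text.startswith("227"):
        # Passive: the server names an address; the client opens an outbound
        # connection, which a stateful firewall already permits.
        return DataChannel("passive", host, port, "client")
    raise ValueError(f"not a PORT command or 227 reply: {line!r}")


def inbound_allow_needed(ch: DataChannel) -> bool:
    """True when a firewall/NAT in front of the client must admit the data
    connection (or an FTP proxy must relay it) for LIST to succeed."""
    return ch.initiator == "server"


if __name__ == "__main__":
    # Constructed samples (documentation address ranges, not real hosts).
    for line in ("PORT 198,51,100,23,4,236",
                 "227 Entering Passive Mode (203,0,113,5,195,80)"):
        ch = parse_data_channel(line)
        print(f"{ch.mode:8} -> {ch.host}:{ch.port}  "
              f"inbound allow needed: {inbound_allow_needed(ch)}")
```

Run against the thread's own PORT line the port decodes to 4*256+236 = 1260, and the active classification is exactly why a LAN-only "allow out" rule does nothing for the 425 error.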
        ressurex

          THANKS! I thought it would be something concerning this, passive/active stuff.

          I have moved my Default allow LAN to any rule back to my working setup, this means lowest possible, and below VPN.
          I will use SFTP which works fine and read up on this accordingly.

          johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

            Happy to help - but to be honest you should have stopped using FTP like 10 years ago ;)

            Are you pushing or pulling files from this server - I just pull files from a remote server all the way in the NL while I am in the US over https, and I pretty much saturate my 500mbps line.. I see +40MBps all the time..

            btw: you're listing a public IP in that PORT command.. If you're ok with it, fine, if not you might want to obscure the last couple of octets or something.. I can edit for you if you desire.


            ressurex

              Old habit I guess. I just like FileZilla.
              Yes please edit anything public. ftpserverDK.site is just a dummy though.

              thanks.

              have a nice day.

              johnpoz, LAYER 8 Global Moderator

                Edited out the last couple of octets for you.


                ressurex (last edited by ressurex)

                  Hi johnpoz

                  I solved it with the following:

                  Disabled the Default allow LAN to any rule.
                  Installed the FTP Client Proxy package.
                  Enabled it with local interface as LAN and Early Firewall Rule enabled.

                  Now FileZilla works fine over passive ftp(21), directory listing also!

                  https://forum.netgate.com/topic/80717/ftp-client-proxy-package

                  This seemed to do what I was looking for. I'm downloading with maximum speed now, 200Mbit.

                  thanks for your input also

                    johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

                    You don't need the FTP package for passive. Only active, unless you are super restrictive on your outbound rules.


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.