FTP Server behind PFSENSE not directory listing (active/passive connections)



  • Hello friends, I am using the latest version of pfsense. I was able to configure nat for web server, ssh etc. I am trying to configure an ftp server behind the fw in windows 2012 in active mode (I know the risks involved, but there are batch scripts that require this type of connection.). In the worst case, configure it passively. I tried anyway, and I know that the problem comes to me in pfsense since everything in the lan works ok. There are no problems with windows firewall or ftp server. I make the rules in pfsense (I have tried floating rules, nat over ports 20, 21 and high ports for passive mode) I always get to the FTP server, connect, but I have NEVER been able to make a directory listing. I have even been able to make changes directory and create new directories, but never listed directory. I am not very experienced in firewalling or in pfsense. I have read innumerable posts in the forum, with people who have the same problem and have solved it, but I can't hit the mark. The firewall log does not indicate that there is something that is filtered or failed. But obviously something I am putting wrong or is holding me back. It would help me to know WHERE I have the error. If you could help me a lot I would appreciate it. If there was a graphic example with screenshots of how this is configured, perhaps it would serve me and many who have the same problem. Thank you very much for your time and understanding.
    Mike


  • LAYER 8 Global Moderator

    @malbor said in FTP Server behind PFSENSE not directory listing (active/passive connections):

    nat over ports 20

    That never going to be needed - there is never a scenario where you would port forward 20..

    Understanding how active/passive works is step 1
    https://slacksite.com/other/ftp.html

    Where are you testing from? You need to test from outside... Throwing nat reflection into the mix, ie trying to hit your public IP to be forwarded back in from a client on your network is going to be just more confusion for you.

    If your doing active ftp from outside... The only thing required is port forward 21 (control channel).. Since now the server will make the connection to the client for the data channel.. So unless your filtering outbound connections server would be able to talk to the client. Where you could run into issues with that is the client firewall not opening the inbound ports for the data connection from the server.

    In passive connection to the server.. You need to make sure that the server actually sends your public IP, and not its rfc1918 local IP. You also need to make sure that server uses a specific range of IPs for its passive ports, and you forward these on pfsense to the server, say 5000-6000 or something..

    Where you run into a problem with that from the client point of view is maybe those ports are not allowed outbound..

    So again.. Understanding how the protocol works, what your doing active or passive is step 1..

    Another issue you could run into is if the client is say windows cmd line ftp command, it can not do passive only active. So even when you send the pasv command, it doesn't work.. Since the client is only capable of active.

    but there are batch scripts that require this type of connection.

    That gets me to think your using the windows ftp client, which can not do passive connections.. You know sftp/scp can be scripted as well.. And now you only need the 1 port..

    Have you read
    https://docs.netgate.com/pfsense/en/latest/nat/setup-ftp-server-behind-pfsense.html


Log in to reply