Netgate Discussion Forum

    ftp client passive mode

    General pfSense Questions
    41 Posts, 5 Posters, 16.7k Views

    sasa1

      I have a problem with a server behind pfSense 2.4.4: I am unable to access a remote FTP server in passive mode.
      I can't understand where the problem can be, because I installed the "FTP Client Proxy" package and on the server I enabled incoming ports 1024-65535.
      But when I try to access a remote FTP server I get this error message:
      Connected to speedtest.tele2.net.
      220 (vsFTPd 3.0.3)
      200 Always in UTF8 mode.
      User (speedtest.tele2.net:(none)): anonymous
      331 Please specify the password.
      Password:
      230 Login successful.
      ftp> ls
      200 PORT command successful. Consider using PASV.
      425 Failed to establish connection.

      Attached is my ftp configuration.
      Thanks.
      [attachment: ftp.PNG]

      javier2020

        I think you don't need to use "FTP Client Proxy".

        I succeeded by adding the following parameters to the /etc/vsftpd.conf file on the FTP server:

        pasv_enable=Yes
        pasv_min_port=10100
        pasv_max_port=10110

        and then on pfSense use "Port forward" to forward TCP port range 10100-10110 and TCP port 21.

        I hope it works for you.

        sasa1

          But the FTP server is not mine and is not behind pfSense.
          My problem is with the FTP client, which needs to connect to an FTP server.
          Thanks.

          bigsy (replying to sasa1)

            @sasa1 I've just done a successful anonymous connection to the server details you posted.

            This is behind pfSense 2.4.5-RELEASE using Transmit for macOS in passive mode. I do not have the FTP client proxy installed.

            I've masked the server details in case you want to remove them from your post.

            3: Connected to speedtest.xxx.xxx.
            3: Cmd: USER anonymous
            3: 331: Please specify the password.
            3: Cmd: PASS password
            3: 230: Login successful.
            3: Cmd: TYPE A
            3: 200: Switching to ASCII mode.
            3: Logged in to speedtest.xxx.xxx as anonymous.
            3: Cmd: SYST
            3: 215: UNIX Type: L8
            3: Cmd: PWD
            3: 257: "/" is the current directory
            3: Cmd: PWD
            3: 257: "/" is the current directory
            3: Disconnecting from server…
            3: Cmd: QUIT
            3: 221: Goodbye.

            johnpoz (LAYER 8 Global Moderator)

              @sasa1 said in ftp client passive mode:

              because I installed the "FTP Client Prox

              That proxy is only needed when you want to connect to an internet FTP server via active mode.

              There is nothing to do on pfSense to connect to an FTP server on the internet in passive mode. Unless you're limiting what ports a client can talk to outbound on the internet, there should be no issues.. The default is an any/any LAN rule, so all outbound traffic to the internet from LAN is allowed; this would include the port you're trying to connect to in passive mode.

              Understanding how the FTP protocol works is step one in trying to troubleshoot it.

              Who makes the connection in active or passive mode for the data connection?
              https://slacksite.com/other/ftp.html

              Here I'm connecting to your server in 2 different modes... here is passive:

              Command:	PASV
              Response:	227 Entering Passive Mode (90,130,70,73,109,28).

              This tells the client to connect to IP 90.130.70.73 on port (109*256)+28, or 27932.

              Now when you connect via active mode the client tells the server what port to connect to:

              Command:	PORT 192,168,9,100,23,121

              The client told the server to connect to 192.168.9.100 port 23*256+121, but for starters the server couldn't connect to my local IP... So the FTP active proxy would have to change that for you and open the FTP port, which might be in use already, so you could have some random failures..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              sasa1

                Hi,
                on my pfSense I disabled the "FTP Client Proxy" and tried the connection to the remote server via FTP, but I get this result:
                230 Login successful.
                ftp> ls
                500 Illegal PORT command.
                425 Use PORT or PASV first.
                ftp>

                Thanks.

                johnpoz

                  You're still doing the PORT command; it says so right there in what you posted.

                  And that it says it's illegal is most likely telling you that you sent your RFC1918 address. Or you sent it at the wrong time..

                  Also, if you're trying to use the command-line ftp client in Windows, it doesn't support passive.. You can do the command all day; it doesn't support it, never has..

                  Here, this is using the FTP proxy; it works just fine with the Windows client:

                  ftp> user anonymous
                  331 Please specify the password.
                  Password:
                  230 Login successful.
                  ftp> ls
                  200 PORT command successful. Consider using PASV.
                  150 Here comes the directory listing.
                  1000GB.zip
                  100GB.zip
                  100KB.zip
                  100MB.zip
                  10GB.zip
                  10MB.zip
                  1GB.zip
                  1KB.zip
                  1MB.zip
                  200MB.zip
                  20MB.zip
                  2MB.zip
                  3MB.zip
                  500MB.zip
                  50MB.zip
                  512KB.zip
                  5MB.zip
                  upload
                  226 Directory send OK.
                  ftp: 183 bytes received in 0.02Seconds 9.63Kbytes/sec.
                  ftp>
                  

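The two johnpoz posts above make three claims that are easy to check in code: in passive mode the client opens the data connection to the address and port carried in the 227 reply (port = p1*256 + p2), in active mode the server opens it to the address and port the client sent in PORT, and a PORT that names an address other than the one the server sees on the control connection (an RFC1918 LAN address, for instance) is refused with "500 Illegal PORT command". The following is an added example written for this thread, not code from the forum, pfSense, vsftpd or the Windows ftp client: a toy FTP control channel where both ends live on 127.0.0.1, so every address and port is constructed. The server's PORT check is modelled on vsftpd's default behaviour with port_promiscuous off (the address must equal the control peer and the port must not be reserved); that is an assumption about vsftpd, not something the thread states.

```python
import re
import socket
import threading

# Toy FTP control channel on loopback, written for this thread (not pfSense,
# vsftpd or ftp.exe code). It shows which side opens the data connection in
# PASV vs PORT mode and why a PORT carrying a foreign (e.g. RFC1918) address
# is refused with "500 Illegal PORT command". All addresses and ports are
# constructed: server and client both live on 127.0.0.1.

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip, port):
    """IPv4 + port as the h1,h2,h3,h4,p1,p2 string used by PORT and the 227 reply."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def decode_hostport(line):
    """Inverse of encode_hostport; accepts a whole PORT command or 227 reply line."""
    m = _HOSTPORT.search(line)
    if not m or any(int(x) > 255 for x in m.groups()):
        raise ValueError(f"no valid host-port string in {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2  # port = p1*256 + p2


def new_listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # loopback, kernel-chosen port
    s.listen(1)
    return s


def toy_server(ctl, log):
    """Server side: understands PASV, PORT and QUIT only; records who dialled whom."""
    conn, peer = ctl.accept()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(b"220 toy server\r\n")
        for raw in rf:
            cmd = raw.decode().strip()
            if cmd == "PASV":
                dl = new_listener()  # passive: server listens...
                reply = f"227 Entering Passive Mode ({encode_hostport(*dl.getsockname())}).\r\n"
                conn.sendall(reply.encode())
                d, _ = dl.accept()  # ...and the client connects in
                log.append(("PASV", "client connects to server", dl.getsockname()[1]))
                d.close()
                dl.close()
            elif cmd.startswith("PORT "):
                ip, port = decode_hostport(cmd)
                # Modelled on vsftpd with port_promiscuous=NO (assumption): the address
                # must be the control connection's peer and the port must not be reserved.
                if ip != peer[0] or port < 1024:
                    conn.sendall(b"500 Illegal PORT command.\r\n")
                    continue
                conn.sendall(b"200 PORT command successful.\r\n")
                d = socket.create_connection((ip, port), timeout=5)  # active: server dials out
                log.append(("PORT", "server connects to client", port))
                d.close()
            elif cmd == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                return
            else:
                conn.sendall(b"502 Command not implemented.\r\n")


def run_exchange(bogus_port_ip=None):
    """Client side. Returns (transcript of (command, reply) pairs, server log)."""
    ctl = new_listener()
    log, transcript = [], []
    srv = threading.Thread(target=toy_server, args=(ctl, log), daemon=True)
    srv.start()
    with socket.create_connection(ctl.getsockname(), timeout=5) as c, c.makefile("rb") as rf:
        def send(cmd):
            c.sendall((cmd + "\r\n").encode())
            reply = rf.readline().decode().strip()
            transcript.append((cmd, reply))
            return reply

        rf.readline()  # 220 banner
        ip, port = decode_hostport(send("PASV"))  # p1*256+p2 taken from the 227 reply
        socket.create_connection((ip, port), timeout=5).close()  # passive: client dials
        dl = new_listener()  # active: client listens first
        lip, lport = dl.getsockname()
        if bogus_port_ip:  # what an unproxied LAN client sends: its private address
            send("PORT " + encode_hostport(bogus_port_ip, lport))
        if send("PORT " + encode_hostport(lip, lport)).startswith("200"):
            dl.accept()[0].close()  # active: server dials in
        dl.close()
        send("QUIT")
    srv.join(timeout=5)
    ctl.close()
    return transcript, log


if __name__ == "__main__":
    for cmd, reply in run_exchange(bogus_port_ip="192.168.9.100")[0]:
        print(f"> {cmd}\n< {reply}")
```

Running it prints the control-channel transcript: the 227 reply is followed by the client dialling the advertised port, the PORT carrying 192.168.9.100 gets "500 Illegal PORT command" because the server's control peer is 127.0.0.1, and the PORT carrying the client's real address gets "200" followed by the server dialling back. On a real LAN behind pfSense that second PORT is exactly what the FTP Client Proxy has to produce by rewriting the private address and port to the WAN side, which is the point the thread keeps returning to.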
                  sasa1

                    On another PC that is in another network but with the same configuration (so still using the Windows ftp client and still behind pfSense) I can access the FTP server:

                    C:\Users\Administrator>ftp speedtest.tele2.net
                    Connected to speedtest.tele2.net.
                    220 (vsFTPd 3.0.3)
                    200 Always in UTF8 mode.
                    User (speedtest.tele2.net:(none)): anonymous
                    331 Please specify the password.
                    Password:
                    230 Login successful.
                    ftp> ls
                    200 PORT command successful. Consider using PASV.
                    150 Here comes the directory listing.
                    1000GB.zip
                    100GB.zip
                    100KB.zip
                    100MB.zip
                    10GB.zip

                    I would like to have the same capability on this PC as well, where it doesn't work.
                    Thanks.

                    johnpoz

                      And for active to work, you would have to use the ftp client, and you would have to set it up... And the port your client says to use to talk to it would have to be open..

                      I just showed you the ftp client works just fine.. I gave you the info on how FTP actually works..

                      If something is not working, I suggest you sniff on pfSense for this FTP traffic and take a look at what could be going wrong..

                      If this client is on a different network, say the DMZ you listed, the FTP active proxy would have to be listening on that interface as well; you only have it listening on your LAN.

                      You can have it listen on multiple interfaces:

                      [attachment: listenmultiple.jpg]

                        sasa1

                        So "Enable the FTP Proxy" (in FTP Client Proxy) must be enabled?
                        I have enabled the package again and I have selected all the networks, but the error message remains the same.
                        What can I check in pfSense to find the problem?
                        Thanks.

                          johnpoz

                          @sasa1 said in ftp client passive mode:

                          so "Enable the FTP Proxy" (about FTP Client Proxy) must be enabled?

                          YES, if you're going to do ACTIVE mode! Already went over this... the Windows ftp client cannot do passive, so if you want to use that then yes, you're going to have to use the FTP proxy package..

                            sasa1

                            I have enabled "FTP Client Proxy" and I have selected all the networks, but the error message is this:
                            ftp> ls
                            200 PORT command successful. Consider using PASV.
                            425 Failed to establish connection.

                              johnpoz

                              @sasa1 said in ftp client passive mode:

                              200 PORT command successful. Consider using PASV.
                              425 Failed to establish connection.

                              And what port was it trying to use... Sniff on pfSense and look and see!

                              Try a different client that gives you better logging, like FileZilla, which will show you the PORT command sent, so you can see what IP and port... Then sniff on pfSense: is the proxy changing it on your WAN? Is the port you're telling it to connect to already in use? etc..

                              You're not policy routing out some VPN, are you? What is the makeup of your setup... If it's working on 1 network, clearly it works, etc.. so you have to figure out what other issue is there..

                                sasa1

                                I tried with FileZilla and a strange thing happens: if I use the domain name it gives me an error, whereas if I use the IP address it works:

                                Status: Resolving address of speedtest.tele2.net
                                Status: Connection attempt failed with "EAI_NONAME - Neither nodename nor servname provided, or not known".
                                Error: Could not connect to server
                                Status: Waiting to retry...
                                Status: Connecting to 90.130.70.73:21...
                                Status: Connection established, waiting for welcome message...
                                Status: Insecure server, it does not support FTP over TLS.
                                Status: Server does not support non-ASCII characters.
                                Status: Logged in
                                Status: Retrieving directory listing...
                                Status: Directory listing of "/" successful

                                Very strange!

                                  johnpoz

                                  My guess is you typo'd the name... it's simple to test whether it resolves or not: do a dig or nslookup, or whatever your favourite DNS tool is..

                                  $ dig speedtest.tele2.net
                                  
                                  ; <<>> DiG 9.16.0 <<>> speedtest.tele2.net
                                  ;; global options: +cmd
                                  ;; Got answer:
                                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8563
                                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                                  
                                  ;; OPT PSEUDOSECTION:
                                  ; EDNS: version: 0, flags:; udp: 4096
                                  ;; QUESTION SECTION:
                                  ;speedtest.tele2.net.           IN      A
                                  
                                  ;; ANSWER SECTION:
                                  speedtest.tele2.net.    0       IN      A       90.130.70.73
                                  
                                  ;; Query time: 8 msec
                                  ;; SERVER: 192.168.3.10#53(192.168.3.10)
                                  ;; WHEN: Sun Mar 29 10:31:06 Central Daylight Time 2020
                                  ;; MSG SIZE  rcvd: 64
                                  

                                  Or maybe you put in a URL like http://, not sure what you're doing wrong.

                                  I can't tell from what you posted if you're using active or passive. Pretty sure FileZilla defaults to passive.. which we have been over already multiple times!!

                                    sasa1

                                    The strange thing is this: the name is correctly resolved!!

                                    nslookup speedtest.tele2.net
                                    Server: one.one.one.one
                                    Address: 1.1.1.1

                                    Non-authoritative answer:
                                    Name: speedtest.tele2.net
                                    Addresses: 2a00:800:1010::1
                                    90.130.70.73

                                    With FileZilla, using the IP address, it works both in active and in passive mode.

                                      johnpoz

                                      Yeah, that doesn't make any sense at all... A local issue is that you typo'd the name when you put it into FileZilla, or had a space or something wrong... It works fine here with the name.. FileZilla would use the same DNS as your OS... unless it's switched to trying to do DoH or something?

                                      So are these machines not even using pfSense for DNS..

                                      [attachment: filezilla.jpg]

                                        sasa1

                                        I have typed the name several times and it is the same one that I use when I try the connection from the DOS client; I really can't understand it!
                                        However, with FileZilla using the IP address I can make the FTP connection.

                                        What can I check to understand where the problem is in the FTP connection using the DOS client?
                                        Thanks.

                                          johnpoz

                                          Dude, we already went over this; what are you NOT understanding about active vs passive??

                                          The built-in Windows ftp client will NOT do passive, period! So your FTP proxy package would have to be set up.. which multiple people have shown you works just fine..

                                            sasa1

                                            I already installed the "FTP Client Proxy" package but it still doesn't work.

                                            I should add that on other servers (which are in other datacenters) where I have configured pfSense in the same way, FTP access works fine.
                                            I don't understand why only in this circumstance FTP access doesn't work.
                                            Thanks.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.