FTP not working. NAT rules setup like I did with other ports except using port 21 and it's not working.



  • Hello, I'm at the office while everyone else is off so I can work on this swap over from a SonicWall to Netgate. For my website I have 2 connections that connect to the site, normal website and FTP. For our network I have several others, database using SQL etc. They all work and I can connect internally. However, I cannot connect up to the FTP site. I set it up the same way and used the virtual address I set for the web, and on the NAT side I selected FTP and pointed to the correct port, but it just times out. Am I supposed to set up FTP differently?



  • I forgot to mention that I cannot access it internally or from our website externally. The website allows users to download files from the FTP, but as I mentioned it's not working.
    Thanks for any and all assistance.



  • @JLundberg

    Is the web server behind pfSense?
    Is there a published FTP server on your web site? (it is dangerous)
    @JLundberg "website allows users to download files from the ftp"

    It is advisable to place the web servers in a DMZ in all cases.

    Do you have a drawing of this configuration?



  • @DaddyGo
    The FTP site is behind the firewall on our web server. I don't have a separate one; it just runs off our website. I used the same port settings that were set up on the original SonicWall I took off this morning. I use the same virtual port that has the public address for both the webserver and the FTP site and use 3 NAT settings to branch to the 3 different ports: HTTP, HTTPS and FTP. I can reach the website but not the FTP.



  • @JLundberg

    I don't know how much traffic your web site gets, but it's a very dangerous configuration.

    "public FTP + web"

    use a virtual host for FTP if you are already sticking to it

    FTP is an obsolete protocol that must always be separated

    a web server is not usually port forwarded;
    that is why there is the DMZ


  • LAYER 8 Netgate

    FTP Servers inside the firewall:

    FTP in active mode requires an FTP Application Layer Gateway at the client end to open the ephemeral destination port sourced from the ftp-data port (port 20) for the data connection from the server to the client based on what it sees in the FTP protocol stream (the PORT command sent from the client telling the server where to connect for ftp-data).

    For FTP passive mode you need to:

    Instruct/set the server to use the actual outside address the client should connect to in the passive mode protocol handshake. This can be explicitly set using Outbound NAT if you have multiple outside IP addresses. Some clients, like FileZilla, are smart enough to connect back to the address the FTP connection was made to instead of what is embedded in the FTP session but, as a server operator, that cannot be relied on.

    Set the passive port range in the server and forward those TCP ports inbound to the FTP server just like you do with port 21.

    FTP Clients inside the firewall:

    For connections to outside FTP servers in passive mode, nothing special is required unless outbound connections are strictly firewalled.

    If you need to connect from FTP clients inside the firewall to outside FTP servers in active mode, the FTP_Client_Proxy package can help with opening the incoming ftp-data connections from the server.

    FTP stands for F This Protocol, btw. Use sftp or scp.
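
The passive- and active-mode requirements described in the post above, written out as an added example (not code from the thread, from pfSense or from any FTP server). It assumes a constructed passive range of TCP 50000-50100 that has been forwarded to the server alongside port 21, and constructed sample replies. The functions decode the h1,h2,h3,h4,p1,p2 tuple shared by PASV replies and PORT commands, then flag a 227 reply that advertises an address the client did not connect to (the LAN address leaking through NAT) or a port outside the forwarded range, and show that the PORT command names the client's socket, which the server reaches from its own port 20.

```python
"""Sanity-check the data-connection endpoints an FTP session advertises.

Added example, not from the thread. Passive mode: the server's 227 reply
must carry the address the client actually reached and a port inside the
forwarded range. Active mode: the PORT command names the client's
listening socket; the server connects to it from TCP/20, so port 20 is
only ever a source port and never needs a forward.
"""
import ipaddress
import re
from typing import NamedTuple

# Constructed assumption: passive range configured on the FTP server and
# port-forwarded on the firewall next to TCP/21.
FORWARDED_PASSIVE_RANGE = range(50000, 50101)

# Both PASV replies and PORT commands carry h1,h2,h3,h4,p1,p2.
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class DataEndpoint(NamedTuple):
    host: str
    port: int


def parse_host_port(text: str) -> DataEndpoint:
    """Decode h1,h2,h3,h4,p1,p2 into an IPv4 address and a 16-bit port."""
    match = _TUPLE.search(text)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {text!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return DataEndpoint(host, port)


def check_pasv_reply(reply: str, control_peer: str,
                     forwarded: range = FORWARDED_PASSIVE_RANGE) -> list[str]:
    """Return the problems a NATed client would hit with this 227 reply.

    control_peer is the address the client connected to on port 21.
    An empty list means the data connection should work without an ALG.
    """
    if not reply.startswith("227"):
        return [f"expected a 227 reply, got {reply.strip()!r}"]
    endpoint = parse_host_port(reply)
    problems = []
    if endpoint.host != control_peer:
        # The classic NAT failure: the server embeds its LAN address.
        note = (" (an RFC 1918 address)"
                if ipaddress.ip_address(endpoint.host).is_private else "")
        problems.append(
            f"advertised {endpoint.host}{note}, but the client reached the "
            f"server at {control_peer}: set the external/passive address on "
            f"the server or rewrite it with outbound NAT")
    if endpoint.port not in forwarded:
        problems.append(
            f"passive port {endpoint.port} is outside the forwarded range "
            f"{forwarded.start}-{forwarded.stop - 1}")
    return problems


def parse_port_command(command: str) -> DataEndpoint:
    """Decode an active-mode PORT command: where the client is listening.

    The server connects *from* TCP/20 *to* this endpoint, which is why an
    active-mode client behind NAT needs an ALG on its side, not a forward
    for port 20.
    """
    if not command.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {command!r}")
    return parse_host_port(command)


if __name__ == "__main__":
    # Constructed sample session: a server behind NAT leaking its LAN address.
    wan = "203.0.113.10"
    for reply in ("227 Entering Passive Mode (192,168,1,20,195,80)",
                  "227 Entering Passive Mode (203,0,113,10,195,81)",
                  "227 Entering Passive Mode (203,0,113,10,4,1)"):
        print(reply, "->", check_pasv_reply(reply, wan) or ["ok"])
    print(parse_port_command("PORT 10,0,0,5,200,10"))
```

Run against the reply a real client receives (for example, copied from a FileZilla log) with the public address it connected to; the first message of the 227 check is the case an ALG in the old firewall may have been silently patching over.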



  • @Derelict said in FTP not working. NAT rules setup like I did with other ports except using port 21 and it's not working.:

    Use sftp

    You could think that SFTP is even more difficult to set up than FTP, but that's not the case.
    You have a web server. Probably some device running an OS and a "web server program" like IIS or NGINX or Apache2.
    If you could set up SSH access (even Windows 'Home' has one, ready to be activated) - the one that runs over port 22 - the same one that pfSense uses (when activated, which is highly advisable) - end users can use their normal FTP programs like FileZilla, SmartFTP, WinSCP, etc. and use the SFTP mode. The advantage is dual: just one port to open, "22", and SFTP is far more secure, because SSH. You could even use certs to control access, and stop sending over user names and passwords.
    The "SSH server" can be chrooted into 'some' directory, like an FTP server.

    Btw: I won't say 'FTP' won't work. pfSense can do it - there is even a package that might help you. Can't say more, it's been years since I left FTP usage. And that was a good thing.
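
A chrooted, download-only SFTP setup along the lines described in the post above, as an added example (not from the thread, not a pfSense or Netgate configuration). It assumes an OpenSSH sshd on a Unix-like host; the directory /srv/ftproot and the group sftponly are constructed names:

```text
# /etc/ssh/sshd_config  (added example; the path and group name are constructed)
# Key-based logins only, so user names and passwords are never sent.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# In-process SFTP server: needs no binaries inside the chroot.
Subsystem sftp internal-sftp

# Download accounts are confined to /srv/ftproot. That directory and every
# component above it must be owned by root and not group/world-writable,
# or sshd refuses the login. Files to publish go in a subdirectory such as
# /srv/ftproot/pub. A Match block applies until the next Match, so keep it
# at the end of the file.
Match Group sftponly
    ChrootDirectory /srv/ftproot
    # -R makes the session read-only: users can list and download, not upload.
    ForceCommand internal-sftp -R
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Check the file with `sshd -t` before restarting sshd; users in the sftponly group then connect with FileZilla or WinSCP in SFTP mode on port 22 and see only the chroot, so only TCP/22 needs a port forward.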



  • I understand. Thanks. I'm working on changing things over here at work. This is just one of my many hats.
    The old webserver is on 2003. I'm working on changing things over to modern but had to work on getting our accounting pkg working on Server 2016. The SonicWall is on its last leg and I wanted to get it replaced before I ran into a big problem. I didn't plan on this being this difficult (at least for me); I know just enough to keep things going. I was able to find out the issue of our website not being able to connect from inside (it was always trying to open back up pfSense when I would type in the website). I needed to turn on the default NAT reflection. The default is off and I needed to set it to NAT + Proxy, and then that started working. I have the FTP issue and then figuring out why, when I VPN, my client doesn't receive the DNS and I can't run without typing in the server's address. That last one can wait, but our customers need to be able to connect to the FTP and download files.
    In the SonicWall the main difference I see is it has the service set up as data port 20, control port 21, sort of like @Derelict
    stated (whereas the other NAT policies I set have either HTTP, HTTPS or SSL etc., only one per NAT policy).

    How do I set multiple, or do I set 2 policies, one for port 21 and one for port 20? Sorry for being such a novice on this.



  • @Gertjan
    Yes it's running IIS



  • @Derelict
    Are you saying I will need to make changes to my current FTP server settings? So, pfsense can't be set up to function just like the older SonicWall? I may have misunderstood and sorry if I did.



  • @JLundberg

    @Gertjan "Btw: I won't say 'FTP' won't work. pfSense can do it - there is even a package that might help you. Can't say more, it's been years since I left FTP usage. And that was a good thing."

    if you still want to use this obsolete procedure, just use "sftp"
    this is the minimum

    or separate the "web" and "FTP" servers
    or NAT behind and move the port up to a minimum of 30K

    BTW: the scanners hammer port 21


  • LAYER 8 Netgate

    @JLundberg said in FTP not working. NAT rules setup like I did with other ports except using port 21 and it's not working.:

    @Derelict
    Are you saying I will need to make changes to my current FTP server settings? So, pfsense can't be set up to function just like the older SonicWall? I may have misunderstood, and sorry if I did.

    I don't know how to explain it any clearer than I already did.

    The SonicWall might have had some ALG that overcame misconfiguration of the server, like something that translated the passive address sent by the server to the WAN address. pfSense has no such ALG.



  • I was hoping for a drop-in replacement (after correct setup) to replace the current SonicWall. pfsense seems to be more capable (not in my hands though... Crap, I didn't want to spend my whole day here :(


  • LAYER 8 Netgate

    @JLundberg If there is ever a read-only Friday it is Friday, July 3. Second only to Friday December 23 probably.



  • @JLundberg

    SonicWall is not equal to pfSense 😉
    therefore we use it 😀



  • @Derelict
    Understand. Yep I wanted to spend more time with my son. Single dad here. Thanks for your help. I'll continue to go over what you and the others have said.



  • @JLundberg

    the best you can do......
    " I wanted to spend more time with my son."

    Have a nice weekend ✋



  • @Derelict
    Yes, I know you are explaining it clearly and I thank you for that. I wish I had more training to understand the clear things spoken of. Thanks again. I'll do some searching to try and understand more on whether there was something like an ALG that made the SonicWall FTP easier to set up (but overall the SonicWall not having all the abilities like pfSense).

    I thank you.



  • Hello!

    My experience with SonicWall TZs is that they dynamically open ports to support FTP.

    "SonicWall overcomes this problem by actively scanning FTP traffic using DPI and dynamically opening ports required for clients to connect to the server. This way, only the Control port, TCP port 21, requires to be explicitly opened in the SonicWall."
    https://www.sonicwall.com/support/knowledge-base/configuration-for-a-passive-mode-ftp-server-behind-the-sonicwall/170505318942162/

    John



  • @serbus
    So I need to explicitly open both, or just 20, and leave my FTP NAT settings as they are?


  • LAYER 8 Global Moderator

    @JLundberg said in FTP not working. NAT rules setup like I did with other ports except using port 21 and it's not working.:

    So I need to explicitly open both or just 20 and leave my FTP NAT

    Port 20 never needs to be forwarded; it will only ever be a source port in an active session.

    To correctly set up FTP behind a NAT firewall, you need to understand how it works, to be honest.

    Here is a great write up..
    https://slacksite.com/other/ftp.html



  • Hello!

    FTP without the dynamic port forwarding was too much of a burden. I converted everything (Win servers, NAS, webops, clients, scripts, etc...) over to SFTP. Security beyond basic src IP restrictions was never a concern for these particular FTP transfers, but the move to SFTP was definitely on the todo list and the upgrades from SonicWalls -> Netgates were the catalyst.

    John

