Netgate Discussion Forum

Passive FTP Server

    jmcdiarmid_uk
    last edited by Oct 15, 2020, 12:39 PM

    Hello,

    I would like to start by saying thank you to everyone that works on pfSense and has posted on the forums over the years. Normally I have managed to solve my problems by reading through posts and taking the advice that has been posted on here by people before me!

    However I have a problem with a passive FTP Server that is hosted behind our pfSense firewall.

    The passive FTP server is part of a Zebra label printer and is used by an external quality assurance body to connect to our printer and print labels for us to affix to our products before we ship them.

    I completely disagree with using FTP and especially a passive one but it is something that isn't within my control.

    I have port forwarded ports 21 and 50,000 to 60,000 with the source set to the ip address of the server that issues the print files to hopefully give a small level of security.

    The issuing server can successfully connect to the printer over port 21 however doesn't seem to be able to connect over the passive port. I assume this is because there is nowhere that I can find to set the public IP address on the print server so that when the passive port is issued the wrong (internal) IP address is given.

    I have read that the FTP helper was removed in version 2.2 which I assume would have fixed this issue?

    Does anyone know of a work around or a possible solution?

    Thank you in advance

      Gertjan
      last edited by Oct 15, 2020, 1:50 PM

      Hi,

      If the (passive mode) FTP server is behind a NAT, it needs to know its external IP address, so it can provide it to the client in a response to the PASV command.
      This is why (most?) FTP servers have a method built in that helps them to find the WAN address, because it can change.

      See also https://docs.netgate.com/pfsense/en/latest/recipes/ftp-without-proxy.html

      If this isn't possible, then the NAT becomes a barrier, and this actually somewhat secures your FTP server (printer) usage : it's only accessible from LAN where it is situated.

      What would work : put the Zebra label printer on a network where there is no NAT. Like directly on the Internet (I know, this is pure madness. But actually a small price to pay if you work with guys that oblige you to work with ancient technology).

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        jmcdiarmid_uk @Gertjan
        last edited by Oct 15, 2020, 4:38 PM

        @Gertjan said in Passive FTP Server:

        What would work : put the Zebra label printer on a network where there is no NAT. Like directly on the Internet (I know, this is pure madness. But actually a small price to pay if you work with guys that oblige you to work with ancient technology).

        What is the easiest way to do this with pfSense? How can I give an external address straight to an appliance behind the firewall?

          Gertjan @jmcdiarmid_uk
          last edited by Oct 16, 2020, 9:04 AM

          @jmcdiarmid_uk said in Passive FTP Server:

          What is the easiest way to do this with pfsense?

          The FTP server should be part of the 'network above' pfSense, somewhere in the WAN address range.
          Typically, by using an ISP modem, as these expose the WAN IP to the device behind it.

          Check out how a passive FTP is set up behind a NAT : it's an FTP server settings option. Nothing special has to be done on the NAT (pfSense) device, except the port range NATting.
          If your passive FTP server does not have this option, it is completely useless behind a NAT, and can be accessed only from its 'LAN'.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??
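
Added example, not part of the thread and not pfSense or Zebra code: a small Python checker that parses the server's `227` reply to `PASV` and reports the two conditions discussed above, an advertised address that is not the WAN address and a data port outside the forwarded 50000-60000 range. The sample replies and the WAN address `203.0.113.10` are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply line."""
    reply = reply.strip()
    if not reply.startswith("227"):
        raise ValueError("not a 227 (Entering Passive Mode) reply")
    m = SIX_FIELDS.search(reply[3:])
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]

def check_pasv(reply, wan_ip, port_range=(50000, 60000)):
    """List the reasons a remote client would fail to open the data channel."""
    host, port = parse_pasv(reply)
    problems = []
    if host != ipaddress.IPv4Address(wan_ip):
        kind = "private" if host.is_private else "unexpected"
        problems.append(f"server advertises {kind} address {host}, not WAN address {wan_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return problems

# Constructed sample replies (not captured from a real printer).
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,50,195,80)",  # internal address leaked
    "227 Entering Passive Mode (203,0,113,10,234,96)",  # WAN address, port 60000
    "227 Entering Passive Mode (203,0,113,10,4,1)",     # port 1025, not forwarded
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line, "203.0.113.10") or "ok")
```

Feed it the `227` line from an FTP client's verbose log taken on the remote side of the firewall.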
