Passive FTP Server



  • Hello,

    I would like to start by saying thank you to everyone that works on pfSense and has posted on the forums over the years. Normally I have managed to solve my problems by reading through posts and taking the advice that has been posted on here by people before me!

    However I have a problem with a passive FTP Server that is hosted behind our pfSense firewall.

    The passive FTP server is part of a Zebra label printer and is used by an external quality assurance body to connect to our printer and print labels for us to affix to our products before we ship them.

    I completely disagree with using FTP and especially a passive one but it is something that isn't within my control.

    I have port forwarded ports 21 and 50,000 to 60,000 with the source set to the IP address of the server that issues the print files to hopefully give a small level of security.

    The issuing server can successfully connect to the printer over port 21, however it doesn't seem to be able to connect over the passive port. I assume this is because there is nowhere that I can find to set the public IP address on the print server, so when the passive port is issued the wrong (internal) IP address is given.

    I have read that the FTP helper was removed in version 2.2 which I assume would have fixed this issue?

    Does anyone know of a work around or a possible solution?

    Thank you in advance



  • Hi,

    If the (passive mode) FTP server is behind a NAT, it needs to know its external IP address, so it can provide it to the client in a response to the PASV command.
    This is why (most?) FTP servers have a method built in that helps them to find the WAN address, because it can change.

    See also https://docs.netgate.com/pfsense/en/latest/recipes/ftp-without-proxy.html

    If this isn't possible, then the NAT becomes a barrier, and this actually somewhat secures your FTP server (printer) usage: it's only accessible from the LAN where it is situated.

    What would work: put the Zebra label printer on a network where there is no NAT. Like directly on the Internet (I know, this is pure madness. But actually a small price to pay if you work with guys that oblige you to work with ancient technology).



  • @Gertjan said in Passive FTP Server:

    What would work: put the Zebra label printer on a network where there is no NAT. Like directly on the Internet (I know, this is pure madness. But actually a small price to pay if you work with guys that oblige you to work with ancient technology).

    What is the easiest way to do this with pfSense? How can I give an external address straight to an appliance behind the firewall?



  • @jmcdiarmid_uk said in Passive FTP Server:

    What is the easiest way to do this with pfSense?

    The FTP server should be part of the 'network above' pfSense, somewhere in the WAN address range.
    Typically, by using an ISP modem, as these expose the WAN IP on the device behind it.

    Check out how a passive FTP server is set up behind a NAT: it's an FTP server settings option. Nothing special has to be done on the NAT (pfSense) device, except the port range NATting.
    If your passive FTP server does not have this option, it is completely useless behind a NAT, and can be accessed only from its 'LAN'.
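As an added illustration of the failure described in this thread (not code from the original post or from pfSense), the check below parses the server's 227 reply to PASV and reports why an external client could not open the data connection: the advertised address is an RFC 1918 (internal) one, it differs from the public address the client used for port 21, or the data port falls outside the range forwarded on the firewall. The sample replies and the public address 203.0.113.5 are constructed; the reply format (four address octets, then port as p1*256+p2) is the one defined in RFC 959.

```python
import ipaddress
import re

# Constructed sample of what the printer's FTP server sends when it has not
# been told its external address: it hands out its LAN IP in the 227 reply.
SAMPLE_BAD_REPLY = "227 Entering Passive Mode (192,168,10,20,195,88)"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges; an address from these can never be reached from outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply; port is p1*256 + p2 per RFC 959."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose_pasv(reply, control_peer_ip, forwarded_ports):
    """List the reasons a client outside the NAT could not use this PASV reply.

    control_peer_ip: the public address the client connected to on port 21.
    forwarded_ports: (low, high) data-port range forwarded on the firewall.
    An empty list means the reply looks usable from outside.
    """
    ip, port = parse_pasv(reply)
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append("advertises private address %s: server does not know its external IP" % ip)
    elif ip != control_peer_ip:
        problems.append("advertises %s but the control connection went to %s" % (ip, control_peer_ip))
    low, high = forwarded_ports
    if not low <= port <= high:
        problems.append("data port %d is outside forwarded range %d-%d" % (port, low, high))
    return problems


if __name__ == "__main__":
    for problem in diagnose_pasv(SAMPLE_BAD_REPLY, "203.0.113.5", (50000, 60000)):
        print(problem)
```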