FTP Server > pfSense returning WAN IP instead of Virtual IP



  • When a client connects, it cannot establish the data connection. The reason is the firewall returns the actual WAN IP instead of the Virtual IP which the FTP rules are assigned to.

    So, the packets look something like:

    ClientIP.50087 > ServerVirtualIP.ftp – Control
    ServerWANIP.DataPort > ClientIP.32884 -- Data

    Any ideas? Userland FTP-proxy is disabled on the DMZ interface and the WAN interface.



  • try creating a alias? mind you there known issues setting up ftp's



  • Any other ideas?

    The FTP server has it's ports forwarded so alias' or FTP proxy shouldn't matter.



  • You need an outbound NAT rule that maps the outgoing data connection to the virtual ip.



  • So something like this:
    Interface   Source   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description
    WAN     192.168.1.5/32   *   *   *   123.123.123.5   20   NO FTP Data Channel > Outbound

    Or would I want to use static port?
    WAN    192.168.1.5/32  *  *  *  123.123.123.5  *  Yes FTP Data Channel > Outbound



  • Anyone?

    On a side note, why is the pfSense FTP doc such a flaming pile of poo?


  • Rebel Alliance Developer Netgate

    What type of Virtual IP are you using? The FTP Proxy can only properly listen on a CARP type VIP.



  • The second rule with static port should work. It will also redirect all outbound traffic from 192.168.1.5 to the vip, not just the ftp data connection but that is probably what you want.



  • @jimp: I am using CARP. I don't want to use the FTP proxy…I just want it to forward the ports. It should be disabled as long as both the WAN and DMZ have disable userland proxy checked, correct?

    @kpa: So, using Static Port, all communications on the VIP will go back to the internal IP I specified and nothing else? All other external communication will NOT be redirected to the single internal IP, correct?

    Static Port's documentation is, again, a flaming pile of poo.



  • Yeah, only outgoing connections originating from 192.168.1.5 will be mapped to the VIP. You'll still need to add port forwards for incoming connections.
    Btw static port means exactly what the documentation states: "do not randomize source port on the outgoing connections", nothing else. The redirection is really done with the selection of the NAT address in the outbound rule and static port is just an extra option that is normally not needed. In your case it's better to turn it on since (active) ftp data connection originates from port 20 and you want it to originate from the same port on the VIP.


Log in to reply