[SOLVED] FTP server behind pfsense, cannot download from server

  • Hi,

    I have a public ip with NAT 1:1, proxyARP VirtualIP and port forward to allow connectivity to an FTP server.

    I can connect to the server and upload files but I cannot download anything…

    Filezilla says :

    Commande :	PASV
    Réponse:	227 Entering Passive Mode (192,168,251,10,252,111)
    Commande :	RETR aws
    Réponse:	150 Opening ASCII mode data connection for aws (49907 bytes)

    after a while it timeout…

    I don't get it...and need help!


  • Did you configure a passive port range?
    Did you create firewall rules allowing this passive portrange?

  • Yes I have a "Ports" alias containing port 21 and 49152 to 65534.  Then I made a rule on my WAN interface to forward those ports to my server local DMZ IP.

    Thanks for the reply.

  • I assume you created the additional port forward to trigger port forwards.
    This will not work since 49152-65534 is a bigger range than 500 ports.
    Read the note next to NAT reflection telling you that you cannot reflect ranges bigger than 500 ports.
    Also you cannot reflect more than 1000 ports overall.

    In your case i wouldn't bother with NAT reflection and set up split DNS for this server.

  • I cannot use port range bigger than 500 ?

    From my lan I connect to the ftp server with the local dmz ip and from the internet I use my public ip.  Do I still need split dns ?


  • You cannot reflect with NAT reflection port ranges bigger than 500.
    You CAN forward port ranges bigger than 500.

    But now i'm a bit confused.
    Are you using 1:1 NAT or are you using port forwards?

    If you connect locally to the server with it's internal IP then the request never goes over the pfSense.
    Are you telling me it doesn't work even if you connect with the local IP directly?
    In this case you have a missconfiguration on the server.

  • you're right I'm not clear.

    I use NAT 1:1.

    So what I meant was that I have a firewall rule permitting the FTP ports on my WAN interface.

  • Ok, I found another strange thing.

    If I ping the server in the DMZ from a PC in my LAN with this :

    ping -l 1000

    ping replies are fine but if I do this :

    ping -l 2000

    no ping replies…

    So I guess I have a network config problem somewhere, what do you think ?

  • What is the -1 2000 option?

    If you look at the firewall log: Do you see anything blocked?
    If you do a TCP dump on the LAN and the DMZ, Are the same packets getting through?

  • the "-l" option is the send buffer size.

    But I noticed that my problem is not with proftpd, it has to do something with the network because I also have problems with my SSH sessions, they timeout when I do something like "cat /var/log/dmesg"…so I'm still looking for the problem.

    I'll be doing more tests in the coming week.

    Thanks a lot for your help!

  • Sounds like fragmentation is not being handled correctly.

  • Setting the MTU on my WAN interface to 1496 fixed the problem.


Log in to reply