Windows ftp server/NAT & firewall rules

  • I have found after MANY hours reading forum posts and bothering people on IRC that I must leave the option "disable ftp helper" checked. No matter how I configure nat/firewall rules, or my ftp server it won't even establish on the command port much less the data ports. I have had to create nat and firewall mappings for the command port and the data port range (in case of PASV) and can find no solution to this otherwise.

    Can someone either explain or point me in the right direction about the details of this "disable ftp helper" option? I'm very familiar with the FTP protocol but since installing pfsense I've had no end of trouble getting this simple situation resolved.

    thanks for any help,


  • Starting with a stock config of pfSense to get ftp to work do the following:

    webgui -> interfaces -> wan -- uncheck disable the ftp-proxy application
    webgui -> firewall -> nat -- create nat rule for port 21 to specified machine

    pfSense will create 2 firewall rules automatically. Everything should just work.

    The pftpx application will automatically open and close the appropriate ports when somebody connects via ftp.

  • As already said, disable the FTP Helper.
    I am using Filezilla server. There you can specify a passive port range which the server should use. I forwarded the Port on which the server listens and this port range to my Windows Server.

  • Then it is odd that I tried these very steps multiple times and with 2 different ftp servers with no luck. Even though I have a current solution, I want to investigate my problem and find out why the recommended steps aren't working.

    As already said, disable the FTP Helper.

    The option in question is listed as "Disable ftp helper" which is checked by default (thus the option is set to disable). Unchecking it then enables the ftp helper. I assume you mean here to enable the helper by unchecking the option?

    I would still enjoy a more thorough explanation of this helper option if anyone knows of any, and since I am new to BSD and Linux firewalls in general, I would appreciate any guidance. For example, does the helper application do a stateful packet inspection of the outgoing PASV response from the server and replace the LAN IP of the server with that of the WAN interface? Or is there a more specific function, etc.?

  • I don't know all the nitty gritty details, but yes the helper does replace the lan ip with the public ip. So when connecting from outside it appears as the ftp server is your public ip address. Pftpx handles all the translation. I'm using vsftpd on Fedora Core and was able to get it up and running with the default config. I know this is different than windows ftp, but it should work the same.

  • I wonder if anyone out there can confirm getting pfsense to work with the suggested configuration above with an FTP on a Windows (preferably WinXP) machine (i.e. unchecking "disable userland ftp proxy"). Although one would think the OS wouldn't make a difference, I just don't see how I could be screwing such a simple process up. FTP protocol should be the same regardless but something sure isn't right. Until I can figure out what it is I'll have to leave 2 NAT/firewall rules; 1 for the command and 1 for the data ports.

  • Make sure the XP firewall is turned off.

  • No local firewalls are running on the machine in question. And just in case, I made comparable allow rules on the XP firewall in case it ever made its way 'On'.

  • What error messages do you get on the ftp client? Does it log in at all?

  • If the ftp helper app is checked (disabled) then it doesn't even allow the command port to pass so the client appears to hit a wall; no exchange is even started.

    But strangely I've noticed when setting pfsense up again and when adding a NAT rule, the rule that I create (that subsequently enables firewall rules) comes back as dest unresolvable, I guess for the LAN IP, but I don't see how it could since that IP is set up for a static IP map and is online.

  • Using proxyarp?

  • No

  • Hi,
    here is a more detailed version of how I have a working FTP setup:
    On the pfSense machine:
    1. Check on every "Lan" and "Wan" interface that the "Disable the userland FTP-Proxy application" box is ticked.
    2. On NAT I forwarded TCP/UDP ports from 4000-4010, selected the WAN interface and let the firewall rules be auto-created.

    On the Windows machine:
    Install Filezilla:
    Go to options and select the port on which this server should listen - in my case changed from 21 to 4000.
    Activated the passive range from 4001-4010 and ticked the box so that the IP address of the FTP server is resolved by checking a webpage "filezilla something".

    Now you should be able to reach your FTP server from another internet connection.

  • Your ftp server is listening on another port than 21? No wonder the ftphelper was not able to manage this traffic. It only supports port 21 setups out of the box.

  • I just set up Filezilla ftp server here on Win XP and it worked fine with any ftp client I threw at it. However the exact same (I think!) config on a remote site just got me a login, but no data connection. I could even make directories, but no LIST. Filezilla client did the same.

    I then tried leap FTP client to connect to the remote Filezilla server and it works fine.

    I have no idea why Leap works and the others fail.


    Moral of the story: it's probably your ftp server config that's the problem, not the firewall.
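
Added example, not part of any post in this thread: a check of the server's 227 reply to PASV, the field the thread says the helper rewrites from the LAN IP to the public IP, against the forwarded passive range 4001-4010 mentioned above. The function names, the documentation address 203.0.113.10 and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 encodes the data endpoint in the 227 reply as (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_pasv(reply, public_ip, forwarded_ports):
    """List the reasons an outside client could not open the data connection."""
    host, port = parse_pasv(reply)
    addr = ipaddress.IPv4Address(host)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append("private-address")      # LAN IP leaked, nothing rewrote it
    elif addr != ipaddress.IPv4Address(public_ip):
        problems.append("address-mismatch")     # server advertises the wrong IP
    if port not in forwarded_ports:
        problems.append("port-not-forwarded")   # outside the NAT'd passive range
    return problems


# Constructed sample replies (documentation addresses, not from the thread).
PUBLIC_IP = "203.0.113.10"
FORWARDED = range(4001, 4011)                   # passive range 4001-4010
SAMPLES = {
    "lan-ip": "227 Entering Passive Mode (192,168,1,50,15,162)",
    "ok": "227 Entering Passive Mode (203,0,113,10,15,162)",
    "bad-port": "227 Entering Passive Mode (203,0,113,10,195,80)",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, parse_pasv(reply), check_pasv(reply, PUBLIC_IP, FORWARDED))
```

Feed it the 227 line from a client's debug log, captured from outside the firewall, to see which side of the setup is advertising an unreachable endpoint.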
