2 FTP servers in the LAN



  • Hi.
    I have two FTP servers in the LAN and I configured the NAT port forward rules to forward ports 21 and 9021 from the WAN.
    The FTP server which uses the external port 21 works without any problem from the WAN, but the other FTP server (which is using the external port 9021) is not working, neither in active nor in passive mode. It answers connections but I don't receive any data (I can't see the directory list).
    The FTP helper is not disabled in the WAN configuration.

    Could you help me please?
    Thank you very much!
    Bye.



  • Check the firewall rules to make sure that that port is allowed



  • Yes, that port is allowed because, as I wrote, the FTP server on port 9021 answers (I can read its banner) but it does not send any data.
    I think the problem is on the answer packets, not on the request ones.



  • Can you provide the log messages from the client like the following picture?
    It may be of some help in finding the problem.




  • Status: Resolving address of trento.eurogestsrl.com
    Status: Connecting to 123.123.123.123:9021…
    Status: Connection established, waiting for welcome message…
    Response: 220 FTP Server ready.
    Command: USER abox
    Response: 331 Password required for abox.
    Command: PASS ****
    Response: 230 User abox logged in.
    Command: SYST
    Response: 215 UNIX Type: L8
    Command: FEAT
    Response: 211-Features:
    Response: MDTM
    Response: REST STREAM
    Response: SIZE
    Response: 211 End
    Status: Connected
    Status: Retrieving directory listing…
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I
    Command: PASV
    Response: 227 Entering Passive Mode (192,168,33,9,206,91).
    Status: Server sent passive reply with unroutable address. Using server address instead.
    Command: LIST
    Error: Connection timed out
    Error: Failed to retrieve directory listing



  • For passive mode you need to dedicate a range of ports (anything from a few ports to hundreds depending on the number of connections) that you forward to the server. Your ftp server is also sending its private address in the reply; change that to the public IP your pfsense has on its WAN.

    Edit: How this is done depends on the server used, for example this is how it would be done in vsftpd:

    vsftpd.conf:

    ...
    pasv_min_port=40000
    pasv_max_port=40099
    pasv_address=123.123.123.123
    ...

    The above assumes you reserve 100 ports for passive mode data connections.

    I believe you have to disable the ftp helper on WAN interface if you do it this way.



  • @decibel83:

    Response: 227 Entering Passive Mode (192,168,33,9,206,91).

    The port of FTP Passive Mode should be around ((206 x 256) + 91) = 52827
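
A small diagnostic, added here as an example and not code from the thread, pfSense or vsftpd, that parses a 227 reply the way the client log above does (port = p1 * 256 + p2), flags an advertised RFC 1918 address, and checks the data port against the forwarded passive range. The 123.123.123.123 address and the 40000-40099 range are taken from the posts above; the sample replies are constructed.

```python
import re
import ipaddress

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": four address octets, then the
# data port split into a high and a low byte.
PASV_RE = re.compile(
    r"227[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 passive-mode reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("field out of range in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4))
    return ip, p1 * 256 + p2


def check_pasv(reply, public_ip, pasv_min, pasv_max):
    """Diagnose a PASV reply against the public IP and the forwarded port range.

    Returns (ip, port, problems); an empty problems list means the data
    connection should be reachable from the WAN.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        # What the client log reports as "unroutable address"; clients fall
        # back to the control-connection address, but the port must still be
        # forwarded or LIST times out exactly as seen above.
        problems.append("advertised address %s is not routable from the WAN" % ip)
    elif ip != ipaddress.IPv4Address(public_ip):
        problems.append("advertised address %s is not the public IP %s" % (ip, public_ip))
    if not pasv_min <= port <= pasv_max:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, pasv_min, pasv_max))
    return ip, port, problems


if __name__ == "__main__":
    # Constructed samples: the reply from the thread's log, and a fixed one.
    for r in ("227 Entering Passive Mode (192,168,33,9,206,91).",
              "227 Entering Passive Mode (123,123,123,123,156,64)."):
        print(check_pasv(r, "123.123.123.123", 40000, 40099))
```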

