
    Can't access FTP server behind pfsense

      RChadwick

      Coming from a DD-WRT router that just had ports opened for my servers, and worked fine for years, I plugged in my new pfSense box, and everything is now working except FTP. I read the manual, and searched the forums, and unchecked 'Disable the userland FTP-Proxy application' as well as 'Block Private Networks'. Now IE and Firefox can access my FTP server (FileZilla), but it keeps disconnecting. Here's a clip of the log:

        (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> Connected, sending welcome message...
        (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> 220 Welcome to the FTP Server
        (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> USER anonymous
        (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> 331 Password required for anonymous
        (000019) 9/13/2010 21:41:50 PM - (not logged in) (192.168.8.1)> PASS *****
        (000019) 9/13/2010 21:41:50 PM - anonymous (192.168.8.1)> 230 Logged on
        (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> CWD /
        (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> 250 CWD successful. "/" is current directory.
        (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> TYPE A
        (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> 200 Type set to A
        (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> PASV
        (000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> 227 Entering Passive Mode (192,168,8,24,10,88)
        (000019) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> disconnected.
        (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> Connected, sending welcome message...
        (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> 220 Welcome to the FTP Server
        (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> USER anonymous
        (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> 331 Password required for anonymous
        (000020) 9/13/2010 21:42:12 PM - (not logged in) (192.168.8.1)> PASS *****
        (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 230 Logged on
        (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> CWD /
        (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 250 CWD successful. "/" is current directory.
        (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> TYPE A
        (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 200 Type set to A
        (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> PASV
        (000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 227 Entering Passive Mode (192,168,8,24,10,95)
        (000020) 9/13/2010 21:44:13 PM - anonymous (192.168.8.1)> 421 Connection timed out.
        (000020) 9/13/2010 21:44:13 PM - anonymous (192.168.8.1)> disconnected.

      Also, I'm trying to connect from the LAN. If I try and connect directly to the server's IP address, it works fine, but if I use the domain name, it looks like it's routing through pfsense, and it disconnects. Any ideas on what I'm doing wrong?

        danswartz

        Try enabling NAT reflection?

          RChadwick

          It's enabled. I can access my webserver's pages internally without problem. Thanks for the idea tho.

            juminosy

            @danswartz:

            Try enabling NAT reflection?

            Having the same problem as the OP, and NAT already enabled. :(

            unusonusonronald Cruz

              Guest

              Don't use NAT reflection. If you're using pfSense as your DNS forwarder, put exceptions in for your local machines so that LAN hosts will always get the internal IP address instead of the external one.

                RChadwick

                I just got a chance to check from a computer outside my network, and the FTP seems to be fine. One small annoyance… In my FTP Server's logs, it shows the IP address of the pfsense box, instead of the remote IP. There isn't by chance a way around that, is there?

                  GruensFroeschli

                  This is the FTP helper running on the pfSense.

                  The way I set up FTP (and it always worked without flaw):

                  • Configure the FTP server to work in passive mode. Manually configure a passive range, e.g. 21000 - 21999.
                  • Disable the FTP helper.
                  • Forward ports 21 and 21000-21999.

                  We do what we must, because we can.

                  Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
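
An added example, not part of any post in this thread: a Python check that decodes the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` replies from a server log and flags those that cannot work through a plain port forward. With the helper disabled nothing rewrites the reply, so the advertised address and port must themselves be reachable. The function names are hypothetical, and the forwarded range 21000-21999 is assumed from the post above.

```python
import ipaddress
import re

# Constructed sample: PASV exchange lines copied from the log in the first post.
SAMPLE_LOG = """\
(000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> PASV
(000019) 9/13/2010 21:41:51 PM - anonymous (192.168.8.1)> 227 Entering Passive Mode (192,168,8,24,10,88)
(000020) 9/13/2010 21:42:12 PM - anonymous (192.168.8.1)> 227 Entering Passive Mode (192,168,8,24,10,95)
"""

# 227 reply: four address octets followed by the high and low byte of the data port.
PASV_RE = re.compile(r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_pasv(line):
    """Return (host, port) advertised in a 227 reply, or None if the line has none."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of byte range in 227 reply: %r" % line)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return host, port


def audit(log_text, forwarded=range(21000, 22000)):
    """Decode every 227 reply and list why it would fail behind a port forward."""
    findings = []
    for line in log_text.splitlines():
        decoded = decode_pasv(line)
        if decoded is None:
            continue
        host, port = decoded
        issues = []
        if ipaddress.ip_address(host).is_private:
            issues.append("advertises a private address")
        if port not in forwarded:
            issues.append("data port is outside the forwarded range")
        findings.append((host, port, issues))
    return findings


if __name__ == "__main__":
    for host, port, issues in audit(SAMPLE_LOG):
        print(host, port, "; ".join(issues) or "ok")
```
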

                    RChadwick

                    That sounded like an ideal solution, but it doesn't work for me. I disabled the helper proxy, and forwarded the ports to the computer with the server. There doesn't seem to be a way to configure the FTP server to only use passive mode, but I configured IE to do so. Nothing shows up in the FTP logs, either from my local network, or remotely. Direct to the IP address within my network still works fine. Any ideas?
