Problem accessing external FTP on Port 21

Phobia · Dec 5, 2006, 7:30 PM

Hello,

I have a dual WAN PFSense running version 1.01 :

WAN - Cable (DHCP) –> Linksys BEFSX41 (192.168.1.0/24) --> DMZ (192.168.1.2) to PFSense
OPT - DSL (PPPoe) with integrated router (192.168.2.0/24) --> DMZ (192.168.2.2) to PFSense
LAN - 192.168.0.0/24

With various LAN clients, I have had trouble getting various FTP clients to work when they are connecting to servers on the standard port (21). I have tried various policy based routing rules (ports 20 & 21 and just 21), but can't seem to get it to work consistently. At best, it will sometimes list folders, and sometimes not, but generally not. File transfers don't work at all, even if the listing is there.

I have disabled the FTP helper on all interfaces. I have tried enabling it on one interface, I have tried enabling it on all interfaces without achieving better results.

I have searched and read the threads here, but other than seeing that some folks have it working, haven't seen something which helps me.

FTP on non-standard ports works BTW, not sure if that is important or not.

Any help would be greatly appreciated!

Thanks,

-- Phob

hoba · Dec 5, 2006, 9:05 PM

http://forum.pfsense.org/index.php/topic,2282.msg13472.html#msg13472

Phobia · Dec 6, 2006, 7:33 PM

I missed that somehow when reading. Thanks, the allowing all to localhost rule seems to have fixed the issue for me.

– Phob

GotzBoost · Dec 24, 2006, 11:27 PM

This still does not answer the question, why does FTP work perfectly fine on say port 2121. But if you connect via the standard port 21 it requires the FTP-Helper to be enabled? Why? What does this FTP-Helper do, or what is configured in the firewall internally that stops the standard port 21 from working?

hoba · Dec 25, 2006, 7:40 PM

Passive ftp will always work, with or without ftp helper. However, the ftphelper enables you to even use active ftp through the firewall. It also helps inbound ftp connections (if you host an ftpserver inside your local network) if enabled at interfaces>wan. If you need more details, what it actually does please search the forum.

MrPK · Apr 15, 2007, 3:55 PM

Same problem, FTP clients from WAN can login to FTP server on DMZ (has Virtual IP), but can't list folders! Changing clients to passive doesn't help!

Can somebody explain how to configure pfSense using web admin GUI to get FTP work? This should be easy, FTP is one of most basic protocols, why those problems? This is really anoying and I'm just aboy to give up and go over to IPCop…

sullrich · Apr 15, 2007, 4:17 PM

FTP is not a basic protocol. It is one of the most NAT unfriendly protocols on the planet.

The forum has more than enough posting on FTP. Try searching … Or switch to IPCOP.

MrPK · Apr 19, 2007, 8:01 PM

FTP problem solved! Well, simple answear would be much more time saving for me…

So everyone who need help with FTP issues, here are simple steps to get it work (both passive and active modes works).
From the web GUI:

1. Fire Wall -> NAT: add standard FTP rule, in my case:
WAN TCP 21 (FTP) 10.1.1.xx (ext.: 212.xx.xx.xx)

2. Fire Wall -> Rules: Beside the automatic rulles created by pfSense add one more.
TCP * * 127.0.0.1 8000 - 8020 * (permitted traffic to 127.0.0.1 on ports 8000-8020)

3. Interfaces -> LAN: Ensure that the FTP helper box is NOT checked.

4. Interfaces -> WAN: Ensure that the FTP helper box is NOT checked.

Knowing this I could save a lot of time, irritation and head acke. I hope this info help other users!

Reference:
http://wiki.pfsense.com/wikka.php?wakka=FTPTroubleShooting