FTP + SSL connection problem



  • Hey there,

I can successfully connect to FTP servers thanks to the FTP workaround rule, but since switching to my shiny pfSense router I can't complete the connection to an FTP/SSL server. I get the following error message:

    [11:33:10] 220
    [11:33:10] AUTH TLS
    [11:33:10] 234 AUTH command ok; starting SSL connection.
    [11:33:10] Connected. Exchanging encryption keys…
    [11:33:50] Timeout (40s).
    [11:33:50] Client closed the connection.

    Connecting to that server was working on our old router, it stopped working right when we switched to pfsense.

Is this a known problem and is there a solution?



  • do the logs show anything being blocked at that time?



  • Nope, nothing :(

    There are no special rules on the firewall, except the FTP workaround and emule/Kademlia blocks on LAN and open ports for VPN and WebGUI on WAN.



  • You could disable the ftp-helper but then you'll only be able to use passive ftp to remote servers.



  • Argh, that's too bad :(

    I'm not sure if I have to disable the FTP helper on LAN or WAN, so I tried both. Disabling it on LAN prevents me from connecting to the FTPS server, says I'm not recognized, disabling it on WAN gives me the same results as before :(



You have to use passive mode with the ftp helper disabled. Btw, you only need the ftp helper at WAN if you host an ftp server that has to be available from WAN.



I tried disabling the FTP helper on WAN (checkbox checked), but while I still can connect to other FTP servers, I still get a timeout on that FTPS server while exchanging keys :( Our client told us they can't change the process we get files from them with, so I'm stuck here :(



  • Would it work if I set up an SFTP server inside my LAN? Would my client be able to connect to it and upload his files without trouble?



If not using the ftp-helper you need to forward all ports (control port, usually 21, and the passive port range) and you should try to make the server aware of the public IP the clients see it coming from.
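The control-channel side of the advice above, as an added example that is not from this thread or from pfSense: with AUTH TLS the 227 reply to PASV travels inside the encrypted control session, so a NAT FTP helper can neither read nor rewrite it, and the server itself must advertise the public address and a port inside the forwarded range. The sample replies, the public IP 203.0.113.5 and the forwarded range 50000-50999 are constructed values.

```python
import ipaddress
import re

# Constructed sample 227 replies (not taken from the thread): what a passive-mode
# server sends on the control channel after a PASV command.
PASV_REPLIES = {
    "lan_address": "227 Entering Passive Mode (192,168,1,10,195,80).",
    "public_ok": "227 Entering Passive Mode (203,0,113,5,195,80).",
    "out_of_range": "227 Entering Passive Mode (203,0,113,5,234,100).",
}

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (address, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_lan_address(addr: str) -> bool:
    """True if the address is RFC 1918 space, i.e. a LAN address that a remote client cannot reach."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_pasv_reply(reply: str, public_ip: str, forwarded: range) -> list[str]:
    """List the reasons a remote client could not reach the advertised data port."""
    addr, port = parse_pasv_reply(reply)
    problems = []
    if is_lan_address(addr):
        problems.append(f"server advertised LAN address {addr}; it is not aware of its public IP")
    elif addr != public_ip:
        problems.append(f"server advertised {addr}, but clients reach it at {public_ip}")
    if port not in forwarded:
        problems.append(f"data port {port} is outside the forwarded passive range "
                        f"{forwarded.start}-{forwarded.stop - 1}")
    return problems


if __name__ == "__main__":
    for name, reply in PASV_REPLIES.items():
        print(name, check_pasv_reply(reply, "203.0.113.5", range(50000, 51000)) or "ok")
```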

