FTP in pfSense 2.0

  • Hi All,

    Wanted to participate in the game so I installed 2.0 and recreated the configuration, from scratch, that I used in 1.23.

    I am having problems using FTP to upload files to the servers that are behind the 2.0 firewall.

    I see the option to select interfaces to enable TFTP on but not getting what to do. No check box.

    I have forwarded ports 20 and 21 to my FTP server which is vsftp running on a freebsd 8.1 and confirmed that there was an exception added to the rules for it.

    FTP worked under 1.23 using the helper.

    What am I missing?

  • jethro,

    It sounds as though you are saying this is from a public ip address that you can not upload files to your ftp server? Can you even see the ftp server's files in the remote pc's web browser? Can you telnet port 21 from the remote pc to the ftp server?
    I have not actually tried pfSense 2.0 myself,but trying to telnet is at least a starting point to see if you are getting at least one way communication to the ftp server from a remote pc.
    I had lots of troubles getting one ftp server to work correctly behind pfSense-1.2.3.  Sometimes this server will display ftp contents,sometimes it does not. Never have got it to work reliably? All other ftp servers (4) of them worked perfectly?
    By the way I am using vsftp on Centos 5 for what it's worth.


  • Thanks for reply.

    Yes, I am trying to upload files to a server behind the firewall.

    I use filezilla Client. It appears to connect but tanks after about 5 seconds and tells me it cant LIST.

    Nothing has changed except now on 2.0.

  • LAYER 8 Global Moderator

    From your comment about forwarding 20, I take it your a bit lacking in how ftp works.

    I would really suggest you take a look at this article

    You will notice than you would never need to forward 20, in active that is the source port that server would make the connection from - so no forward, and in passive its not even used.

    I just tested to a vsftpd 2.2.2 running on ubuntu box, and forward 21 "active" connections worked just fine.. Now passive would just not work at all.

    Which seems to be the case from this thread

    Seems the ftp helper is built into 2 kernel, which clearly is doing something since I looked in the log and vsftpd was sending the private IP, but my client outside was seeing the public IP 24.x.x.x

    Seems there is no way to disable it in 2?  If you could then you could set your ftp server to use a smaller range of ports, and then forward those – which I tried btw, still no luck.. just could not get passive connection to work.. But active was not a problem at all -- I would suggest you have your clients just use active.

  • 2.0 nanobsd - net5501 - this evening's build:

    passive implicit SSL (FTPS) with port 990 and the passive ports fwd to my ftp server works great.  however, I have not been able to get the standard ftp (port 21 and passive ports fwd to ftp server) to work.   had no problems getting both types working with m0n0wall.


  • Thanks for help folks.

    Yes I know very little about FTP and am hop9ng to keep it that way!

    I have always used passive. Not sure why. I'll try the active set up. Not sure what the difference is but I'll ask my buddy Google.

  • LAYER 8 Global Moderator

    As to the difference – I pointed you to a great article that goes over the difference!

  • Running 2.0-BETA5 (i386)
    built on Tue Jan 11 06:28:44 EST 2011

    I'm also seeing issues w/ access to an FTP server behind pfSense NAT (opt1).

    Using PASV FTP, I can connect on port 21 and communicate, but the connection fails when the server sends "227 Entering Passive Mode (192,168,10,9,250,185)" back to the client.  The client tries to connect on the given port, but it doesn't seem to make it.

    Using Active mode, the connection works, but active mode FTP isn't an option for a lot of clients.

    For testing purposes, I've allowed ALL traffic on my WAN interface and used 1:1 NAT to the internal server.  There are no firewalls enabled on either the internal server or the FTP client.

    If I connect using FTP over SSL then the PASV connection works correctly.  From here, it appears that the FTP helper is interfering, but when the connection is encrypted via SSL, the helper can't interfere and the connection works correctly.

  • LAYER 8 Global Moderator

    "(192,168,10,9,250,185)" back to the client."

    The help can not be involved with that

    Your telling the client connect to a private IP on port 250*256+185 or port 64185

    Thats a private IP, you would need to configure your ftp server to send the public IP not a private, this is what the ftp helper does, it will convert that IP for you so client on internet would see your public IP.

  • I should have posted the FTP server's response to the WAN client rather than the server's response to the LAN client.

    It may be that I have miss-understood the role of the FTP helper.  However, looking at packet captures on Opt1, WAN, and Client, I see that the firewall does translate the private IP address to the correct public IP address.

    Attempting to connect to the FTP server located on OPT1 has the same result weather I am using a client on the LAN or a client on the WAN.

    Telling the FTP server itself to return the public IP also makes no difference.

  • Hi

    I have a same problem.
    My ftp server is filezilla:         (firewall,pfsense) wan->lan (SBS2000,Filezilla)
    Port use 21 and passive mod. In connection progress stop Directory list
    pfsense NAT port 20 and passiv port( 20000-20010)
    If use port 30, work fine.
    Or use SSL on pp0 port works good.

    sorry my english :)

  • Rebel Alliance Developer Netgate

    There are still some known issues with the FTP proxy on 2.0 but it's being actively worked on over the last few days.

  • Try a snapshot later than this post or better of tomorrow it should be fixed.

  • nanobsd - Jan 17 21:39:59 - net5501

    still no love  :)  same problem with passive ftp. did not test active.  passive FTPS still works.


  • nanobsd - Tue Jan 18 04:33:29 - net5501:

    passive FTP seems to be working with this snapshot.



  • Please be more specific which side of ftp works.
    IE passive ftp as client behind nat works
    active ftp client rdr to an internal server works

    and such to make this easy for everybody.

  • nanobsd - Tue Jan 18 04:33:29 - net5501:

    passive FTP client –-- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works!

    passive FTPS client --- {NAT - m0n0wall} --- (internet) --- {pfSense - NAT} --- {FTP Server} => Works!  (only tested implicit mode)

    Did not test active FTP.

    only tested with FileZilla Client.


  • running 2.0-BETA5 (i386)
    built on Tue Jan 18 03:34:33 EST 2011

    I've tested the following setup

    FTP Server behind pfSense, natted on Opt1
    FTP client external connecting to WAN, PASV
    FTP client on LAN connecting to WAN, PASV
    FTP client on LAN connecting to Opt1, PASV

    Listing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained.  When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that.  Anybody else seeing this?

  • As a matter of clarification, do we need to set a rule to allow TCP traffic on the PASV port range, or is the FTP proxy supposed to dynamically create those rules at the same time that it's re-writing the ip address?

  • @PJ2:

    Listing of directories doesn't seem to work the first time, but once it fails, all listings / transfers after that work as long as the connection is maintained.  When the connection drops and needs to be re-established, the first PASV listing / transfer fails again and then it is good after that.  Anybody else seeing this?

    I did notice some initial problems after I connected that went away so I discounted them. However, I just re-tested and can confirm I'm seeing the same initial failure.


  • just disable my passive port pass rule and was unable to connect via passive FTP so it looks like the rule is still required.

    However, when I re-enabled the rule I got an error message back from pfsense and I couldn't get back into the GUI!  Will try rebooting and see if that helps.

    Edit: I was able to get back in after rebooting.


  • Testing a client in passive mode with the 1 18 build. Functions until you try to re-initiate a prior connection then the whole machine goes down.

    Each time a hard reboot is required and the file system gets corrupted. The file system gets fixed successfully during the boot sequence. I am not sure if the error has something to to do with the hard reboot or the fault but it is repeatable every time. I had putty log the output if anyone is interested in the gory details.

    I already had a rule for passive FTP in place so nothing changed there.

    Edit: Was running the SMP kernel. Did not see the same behavior with the developer kernel.
    Nothing to do with it. Still crashes.

  • Hi !

    I confirm it works too…... But not all the time.

    I have a dual-wan setup, and I can connect to my FTP server, passive mode, behind my pfsense, using latest snapshot, but only through one WAN, not through the other one.
    Previously I had forced it manually to work having defined a passive range and unconditionnaly NAT + allow inbound rule. I disabled them all, and it now works through only one WAN.

    N.B.: the so-called WAN that works is not the WAN interface selected in the first setup, it's an additional VLAN, just the same as the one that doesn't work. I mention this because I remember that back in 1.2.x special rules were applied for WAN interface and nowhere else (e.g. spamd package). And to add one more bit of complexity, all these traffics are hitting CARP vIP (for redundancy, I have my 1.2.3 box ready in case 2.0 beta having attitude problems with me :)).

    I can take snapshots or copy/paste parts of my config if needed for clarification.

    Thank you a lot for your hard work (and sorry to give you some more) !

    P.S. : don't know if it's related to the randomly repeated errors "kernel: arpresolve: can't allocate llinfo for x.x.x.x" ? I can't get rid of these permanently.

  • Testing for FTP client problems today with 2.0-BETA5 (i386) built on Sat Jan 29 23:42:13 EST 2011

    Fresh update with smp kernel: locked up after a few connection attempts. repeated problem twice
    Loaded dev kenel: cannot repeat behavior, connection still hangs sometimes on LIST
    Reloaded smp kernel: same behavior as with dev kernel
    Rebooted: works great. no connection hangs.

  • Rebel Alliance Developer Netgate

    That's currently a known issue. It hangs the box with everything except a dev kernel.

    Some more patches went in to try to fix it before the builds from Saturday, but it still hangs for me.

  • The problem is still persist with the latest build 2011.02.01. I have a single WAN connection but i use many virtual IF alias. I have multiple ftp server behind NAT, forwarded the default tcp port: 21 and a passive port range (from different IF alias). If i try to passive FTP from masqued client machine to outside the pfsense box instant freeze. Nothing help but cold reset. This is a serious problem, i need to revert the whole system to 1.2.3 because of this issue (reinstall a fresh 1.2.3 and restore the configuration).

  • Rebel Alliance Developer Netgate

    Ermal told me yesterday he has a lead on another possible fix but he needs to test it more before he commits it.

    Yesterday I was unable to make my VM hang, when I could do it repeatedly on Friday, but I was working with FTP as a client, not a server. (Though I still saw FTP failures where the LIST command would hang the connection, it just didn't hang the OS)

  • if i delete all the NAT rules what is forward port 21 to internal FTP server then the box not freeze. i think the problem is complicated. internal FTP server behind a NAT with forwarded port 21 and FTP connect to anywhere else the standard tcp port 21(!) at the same time cause an instant freeze. if i connect to an ftp server what is not used the default tcp 21 port works like a charm. so i think the problem is the ftp helper kernel module. somehow the nat rule to the internal ftp server and the nat from internal to outside not compatible each other when both use the default tcp 21 port. the only explanations is the kernel module, and this issue freeze the kernel.

    best option remove that module from the kernel or give an option on the gui to enable/disable ftp helper modul while the problem is permanently fixed. i dont use this module anyway :)

    here is my enviroment:

    WAN Address: 193.6.xxx.4
    IF Alias: 193.6.xxx.13 NAT -> port 21, port 13001-14000 (for passive range)
    IF Alias: 193.6.xxx.14 NAT -> port 21, port 14001-15000 (for passive range)            
    IF Alias: 193.6.xxx.15 NAT -> port 21, port 15001-16000 (for passive range)

    My client PC:

    The pfsense:

    I try to FTP connection from my client PC to 212.92.xxx.12 port 21 (different ISP) with passive mode the pfsense freeze.
    But if i try to connect to another ftp server what is used port 2121 it works.

    If i delete all three NAT rules what i describe above, the first scenario works too, so the problem is only the port 21.

    my home configuration: alix board with embedded pfsense, letest 2.0 beta5 build
    i use port forward for ftp, but only one nat rule exist and i use single WAN address without if alias. the passive mode ftp failed, hangs on only the listing, but only if i use total commander as client. in the flashfxp passive mode use PASV and it works. so the native passive mode failed only. but not hangs the router.

    the box freeze only when multiple if alias exist, multiple nat to multiple internal ftp server on the same interface and client connect from internal to external ftp at the same time use the default ftp port. i think it is definetly connected to ftp proxy kernel modul.

    i try to use carp instead of if alias, but the box freeze again, so this is irrevelant.

    sorry for my bad english, i wish i can help you to solve this issue :)

  • It should be fixed on snapshots of tomorrow.

  • @ermal:

    It should be fixed on snapshots of tomorrow.

    thank you! that was fast :)

  • can i try to update a new snapshot? it is possible to fix this issue?

  • All should be fixed on snapshots from today on.

  • i will try, and i post the results to here.

    update: it is working! thanks again!

  • Just got around to testing this, but I wanted to also confirm that FTP / pfSense appears to be working.

    I tested external server & internal client, external client & internal server, internal client & internal server.

    EDIT: running 2.0-BETA5 (i386) built on Wed Feb 9 00:54:34 EST 2011

  • Hi,

    With Pfsense 2.0 RC1 [built on Mon Mar 7 12:03:17 EST 2011 ]

    FTP with Passif mode work like charm (with pfftpproxy)..

    But, on active mode, if client have "low" port for connect to ftp (< 3000 ?) all work like charm.
    if client have high port (> 50.000) ftp client not show directory
    (Freeze a LIST command)

    I use propriotary software how working ONLY with Active mode :(

  • Hi,

    I am going crazy, but i understand why ftp work for someone and not for other.

    1 client with 2 machines (On otherWAN)
    1 - windows 2k3
    1 - Windows 2k8
    Client use ftp.exe
    –-->Dlink xDSL router ----> Internet  ------My Pfsense -----> Lan FTPServer

    Windows2003 on active mode work
    Windows2008 on active mode connection ok but at LS command "freeze" and after waiting 2 min "timeout"

    Note : no Firewall on windows2008, no special rules ont DLINK.
    On windows2003 ftp client trying to talk on port 2085
    On windows2008 ftp client trying to talk on port 50058

    No special rules on pfsense (Only forward port 21 to FTPLAN)

    Note : If i NOT use pfsense but shorewall/iptables/ ip_conntrack_ftp on linux
    (win2K3 AND win2K8 machines is working !)

    Maybe pfftpproxy bug or windows 2k8 R2 specific TCP pile ?

    Help me

  • Just provide a pfctl -vss of this when it happens.

  • IP_PublicWindowsClient –> Internet IP from client (Windows2k3 and Windows 2k8)
    IPFTPLAN ---> Ip local (192.168.x.x where my ftp server)
    IP_PublicFTP --> My Public IP
    Note :  bge0 Is LAN

    With Windows2K3 (Working)
    all tcp IPFTPLAN :21 <- IP_PublicFTP:21 <- IP_PublicWindowsClient:2246       ESTABLISHED:ESTABLISHED
    all tcp IP_PublicWindowsClient:2246 -> IPFTPLAN :21       ESTABLISHED:ESTABLISHED
    bge0 tcp IP_PublicWindowsClient:2250 <- IPFTPLAN :20       FIN_WAIT_2:FIN_WAIT_2
    all tcp IPFTPLAN :20 -> IP_PublicFTP:48730 -> IP_PublicWindowsClient:2250       FIN_WAIT_2:FIN_WAIT_2

    With Windows2k8 not work
    pfctl -vss | grep IP_PublicWindowsClient
    all tcp IPFTPLAN :21 <- PublicFTP :21 <- PublicWindowsClient:49756       ESTABLISHED:ESTABLISHED
    all tcp PublicWindowsClient :49756 -> IPFTPLAN :21       ESTABLISHED:ESTABLISHED
    all tcp IPFTPLAN :20 -> PublicFTP:33868 -> PublicWindowsClient :49757       SYN_SENT:CLOSED

    Thank for your help

    Edit : No idea ermal ?

  • Test with 2.0RC1 15 Mar.

    Same Problem.

  • Can you provide me traffic captures when this happens!
    It seems strange that the same protocol does not work for different versions of Windows?

Log in to reply