FTP access from WAN

micro80 · Jan 21, 2011, 3:04 PM

Hello
I have created a NAT forwarding tru the firewall to a specific IP address on my LAN.
I can establish connection but I get error in the FTP program.
Rules is like this:

Rules:
TCP/UDP * * WAN address 21 (FTP) * NAT WAN to WAN FTP

NAT rules:
TCP/UDP * * 172.16.10.100 21 (FTP) * NAT WAN to WAN FTP
TCP/UDP * * WAN address 21 (FTP) * NAT WAN to WAN FTP

The error Message I get is:
Status: Finner IP-adresse for mikkel.gotdns.com
Status: Kobler til 81.166.107.132:21…
Status: Tilkoblet, venter på velkomstmelding...
Respons: 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
Kommando: USER mikkel
Respons: 331 Password required for mikkel.
Kommando: PASS *********
Respons: 230 User mikkel logged in.
Kommando: CLNT FileZilla
Respons: 200 Noted.
Kommando: OPTS UTF8 ON
Respons: 200 UTF8 OPTS ON
Status: Tilkoblet
Status: Mottar mappeliste...
Kommando: PWD
Respons: 257 "/" is current directory.
Kommando: TYPE I
Respons: 200 Type set to I.
Kommando: PASV
Feil: Koblet fra serveren: ECONNABORTED - Connection aborted
Feil: Feil ved mottakelse av mappelisten

What is wrong and how can I fix it?
If I skip the step in the network setup with pfSense firewall its works just fine.

brcisna · Jan 24, 2011, 1:49 AM

micro80,

you did not mention which version of pfSense you are using?
what os and version of ftp server are you using?
i run into the exact problem you have explained with a 64-bit version of centos 5 running vsftp server. but, the 4 other 32 bit versions of vsftp server(s) worked as expected. (these were all the same version vsftp, for posterity)
,, this is pfSense-1.2.3-RELEASE
i only guessed that something in the 64 bit kernel had different conntrak modules that simply couldn't traverse the pfSense box's nat .
i could get 'one way' connection', telnet for example but never could see files reliably. i finally gave up after quite a bit of tcpdumps,,etc.
is your os, by chance 64 bit?

b

micro80 · Jan 26, 2011, 11:24 PM

I run 1.2.3-RELEASE
I did find the solution and its to run FTP like active and not passive transfer modus.
Its very bad but I dont know any solution to skip this problem.
I want to skip it because now I have problem to connect with windows FTP built in client.

Anyone have a solution?

marvosa · Feb 9, 2011, 3:00 PM

Dump your rules and start over. Assuming your FTP server's IP is 172.16.10.100, change the default port to something non standard like 7431, create the following NAT Port Forward:

Interface - WAN
External address - any
Protocol - TCP
External Port Range (from) - 7431
External Port Range (to) - leave blank
NAT IP - 172.16.10.100
Local Port - 7431
Description - FTP Server
Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"

You now need to enable PASV mode on your FTP server, enter the External (Public) IP for your network and configure a PASV port range… e.g. 30000-30200 (need at least 1 port for every connected FTP user).

Create another NAT port forward for that PASV port range to your FTP server:

Interface - WAN
External address - any
Protocol - TCP
External Port Range (from) - 30000
External Port Range (to) - 30200
NAT IP - 172.16.10.100
Local Port - 30000
Description - FTP Passive Ports
Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"

Save, Apply, Done.