Netgate Discussion Forum

FTP access from WAN

  • M
    micro80
    last edited by Jan 21, 2011, 3:04 PM

    Hello
    I have created a NAT forwarding through the firewall to a specific IP address on my LAN.
    I can establish a connection but I get an error in the FTP program.
    The rules are like this:

    Rules:
    TCP/UDP * * WAN address 21 (FTP) *   NAT WAN to WAN FTP

    NAT rules:
    TCP/UDP * * 172.16.10.100 21 (FTP) *   NAT WAN to WAN FTP  
    TCP/UDP * * WAN address 21 (FTP) *   NAT WAN to WAN FTP

    The error Message I get is:
    Status: Finner IP-adresse for mikkel.gotdns.com
    Status: Kobler til 81.166.107.132:21…
    Status: Tilkoblet, venter på velkomstmelding...
    Respons: 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
    Kommando: USER mikkel
    Respons: 331 Password required for mikkel.
    Kommando: PASS *********
    Respons: 230 User mikkel logged in.
    Kommando: CLNT FileZilla
    Respons: 200 Noted.
    Kommando: OPTS UTF8 ON
    Respons: 200 UTF8 OPTS ON
    Status: Tilkoblet
    Status: Mottar mappeliste...
    Kommando: PWD
    Respons: 257 "/" is current directory.
    Kommando: TYPE I
    Respons: 200 Type set to I.
    Kommando: PASV
    Feil: Koblet fra serveren: ECONNABORTED - Connection aborted
    Feil: Feil ved mottakelse av mappelisten

    What is wrong and how can I fix it?
    If I skip the step in the network setup with the pfSense firewall, it works just fine.

    • B
      brcisna
      last edited by Jan 24, 2011, 1:49 AM

      micro80,

      You did not mention which version of pfSense you are using.
      What OS and version of FTP server are you using?
      I ran into the exact problem you have explained with a 64-bit version of CentOS 5 running vsftp server, but the 4 other 32-bit versions of vsftp server(s) worked as expected (these were all the same version of vsftp, for posterity).
      This is pfSense-1.2.3-RELEASE.
      I only guessed that something in the 64-bit kernel had different conntrack modules that simply couldn't traverse the pfSense box's NAT.
      I could get a 'one way' connection, telnet for example, but never could see files reliably. I finally gave up after quite a bit of tcpdumps, etc.
      Is your OS, by chance, 64-bit?

      b

      • M
        micro80
        last edited by Jan 26, 2011, 11:24 PM

        I run 1.2.3-RELEASE
        I did find the solution, and it's to run FTP in active and not passive transfer mode.
        It's very bad but I don't know any solution to skip this problem.
        I want to skip it because now I have a problem connecting with the Windows built-in FTP client.

        Anyone have a solution?

        • M
          marvosa
          last edited by Feb 9, 2011, 3:00 PM Feb 9, 2011, 4:24 AM

          Dump your rules and start over.  Assuming your FTP server's IP is 172.16.10.100, change the default port to something non-standard like 7431, and create the following NAT Port Forward:

          Interface - WAN
          External address - any
          Protocol - TCP
          External Port Range (from) - 7431
          External Port Range (to) - leave blank
          NAT IP - 172.16.10.100
          Local Port - 7431
          Description - FTP Server
          Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"

          You now need to enable PASV mode on your FTP server, enter the External (Public) IP for your network and configure a PASV port range… e.g. 30000-30200 (need at least 1 port for every connected FTP user).

          Create another NAT port forward for that PASV port range to your FTP server:

          Interface - WAN
          External address - any
          Protocol - TCP
          External Port Range (from) - 30000
          External Port Range (to) - 30200
          NAT IP - 172.16.10.100
          Local Port - 30000
          Description - FTP Passive Ports
          Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"

          Save, Apply, Done.

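A check for the passive-mode setup described in the last post, as an added example that is not part of the thread: it parses the server's 227 reply to PASV and reports when the advertised address or data port would not match the NAT forwards. The sample replies are constructed; the WAN address, LAN address and port range are the ones quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_pasv(reply, public_ip, port_range):
    """List the reasons a WAN client could not open the data connection."""
    host, port = parse_pasv(reply)
    lo, hi = port_range
    problems = []
    if host.is_private:
        # The server is announcing its LAN address; a WAN client cannot route to it.
        problems.append("server advertises private address %s; "
                        "set the external IP in its PASV settings" % host)
    elif host != ipaddress.IPv4Address(public_ip):
        problems.append("advertised address %s is not the WAN address %s"
                        % (host, public_ip))
    if not lo <= port <= hi:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, lo, hi))
    return problems


# Constructed sample replies (not captured from the thread's server).
SAMPLE_GOOD = "227 Entering Passive Mode (81,166,107,132,117,58)"  # port 30010
SAMPLE_BAD = "227 Entering Passive Mode (172,16,10,100,4,210)"     # port 1234

if __name__ == "__main__":
    for reply in (SAMPLE_GOOD, SAMPLE_BAD):
        issues = check_pasv(reply, "81.166.107.132", (30000, 30200))
        print(reply, "->", issues or "OK")
```

The 227 line to feed in is the response that follows `PASV` in the FTP client's log.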
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.