FTP access from WAN



  • Hello
    I have created a NAT forwarding through the firewall to a specific IP address on my LAN.
    I can establish a connection but I get an error in the FTP program.
    The rules are like this:

    Rules:
    TCP/UDP * * WAN address 21 (FTP) *   NAT WAN to WAN FTP

    NAT rules:
    TCP/UDP * * 172.16.10.100 21 (FTP) *   NAT WAN to WAN FTP  
    TCP/UDP * * WAN address 21 (FTP) *   NAT WAN to WAN FTP

    The error Message I get is:
    Status: Finner IP-adresse for mikkel.gotdns.com
    Status: Kobler til 81.166.107.132:21…
    Status: Tilkoblet, venter på velkomstmelding...
    Respons: 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
    Kommando: USER mikkel
    Respons: 331 Password required for mikkel.
    Kommando: PASS *********
    Respons: 230 User mikkel logged in.
    Kommando: CLNT FileZilla
    Respons: 200 Noted.
    Kommando: OPTS UTF8 ON
    Respons: 200 UTF8 OPTS ON
    Status: Tilkoblet
    Status: Mottar mappeliste...
    Kommando: PWD
    Respons: 257 "/" is current directory.
    Kommando: TYPE I
    Respons: 200 Type set to I.
    Kommando: PASV
    Feil: Koblet fra serveren: ECONNABORTED - Connection aborted
    Feil: Feil ved mottakelse av mappelisten

    What is wrong and how can I fix it?
    If I skip the step in the network setup with the pfSense firewall, it works just fine.



  • micro80,

    You did not mention which version of pfSense you are using.
    What OS and version of FTP server are you using?
    I ran into the exact problem you have explained with a 64-bit version of CentOS 5 running the vsftp server. But the 4 other 32-bit versions of vsftp server(s) worked as expected. (These were all the same version of vsftp, for posterity.)
    This is pfSense-1.2.3-RELEASE.
    I only guessed that something in the 64-bit kernel had different conntrack modules that simply couldn't traverse the pfSense box's NAT.
    I could get a 'one way' connection, telnet for example, but never could see files reliably. I finally gave up after quite a bit of tcpdumps, etc.
    Is your OS, by chance, 64-bit?

    b



  • I run 1.2.3-RELEASE.
    I did find the solution and it's to run FTP in active and not passive transfer mode.
    It's very bad but I don't know any solution to skip this problem.
    I want to skip it because now I have a problem connecting with the Windows built-in FTP client.

    Anyone have a solution?



  • Dump your rules and start over.  Assuming your FTP server's IP is 172.16.10.100, change the default port to something non-standard like 7431, create the following NAT Port Forward:

    Interface - WAN
    External address - any
    Protocol - TCP
    External Port Range (from) - 7431
    External Port Range (to) - leave blank
    NAT IP - 172.16.10.100
    Local Port - 7431
    Description - FTP Server
    Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"

    You now need to enable PASV mode on your FTP server, enter the External (Public) IP for your network and configure a PASV port range… e.g. 30000-30200 (need at least 1 port for every connected FTP user).

    Create another NAT port forward for that PASV port range to your FTP server:

    Interface - WAN
    External address - any
    Protocol - TCP
    External Port Range (from) - 30000
    External Port Range (to) - 30200
    NAT IP - 172.16.10.100
    Local Port - 30000
    Description - FTP Passive Ports
    Check the box for "Auto-add a firewall rule to permit traffic through this NAT rule"

    Save, Apply, Done.
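    Added example, not from this thread: a small Python check that parses the server's 227 PASV reply (the step where the client log in the first post aborted) and flags the two things the answer above corrects, the server advertising its LAN address instead of the public IP and a data port outside the forwarded range. The sample replies are constructed; the addresses and the 30000-30200 range are the ones used in this thread.

```python
import re
from ipaddress import ip_address

# Constructed sample 227 replies in RFC 959 form: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (172,16,10,100,117,48)",   # LAN address leaked, port 30000
    "227 Entering Passive Mode (81,166,107,132,117,48)",  # public IP, port 30000: usable
    "227 Entering Passive Mode (81,166,107,132,195,88)",  # public IP, port 50008: not forwarded
]

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError on anything else."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no host/port tuple in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, public_ip, pasv_range):
    """List the reasons a WAN-side client could not open the data connection this reply asks for."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip_address(ip).is_private:
        # Server has no external IP configured: it hands out its RFC 1918 address.
        problems.append("server advertised private address %s; set the external IP on the server" % ip)
    elif ip != public_ip:
        problems.append("advertised %s does not match public IP %s" % (ip, public_ip))
    lo, hi = pasv_range
    if not lo <= port <= hi:
        # The firewall only forwards the configured PASV range to the server.
        problems.append("data port %d outside forwarded range %d-%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r, "->", check_pasv(r, "81.166.107.132", (30000, 30200)) or "OK")
```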

