Ftp server behind pfsense

  • Hi There,

    I am vexed trying to set up an FTP server behind pfSense 1.2.3.  I've read many posts and wiki ( http://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense ), and tried what is suggested there to use the FTP helper with absolutely no luck.

    The "firewall log" in pfSense shows the port 21 being NATed to my WAN address and not my FTP server, which is behind pfSense in a DMZ, even though I have my server's IP in the NAT rule.  If I could, I would like to ask the community for the nitty-gritty details, totally dumbed down to my level…

    Say my WAN address is 142.XX.XX.XX, my FTP server is, and my DMZ is  I've read I need to enable the FTP proxy on the WAN interface (which I have), but what about the DMZ interface, do I want it enabled or disabled ? (right now I have it enabled).

    Sorry to be asking what may be very basic questions...


  • The ftp proxy needs to be enabled on the interface which receives the inbound FTP request (in this case, the WAN).  Make sure your firewall rule allows the FTP traffic to the private IP address of your FTP server and ensure that you have the appropriate NAT rule in place NATing from your WAN interface to the FTP server's internal address.  This should be all you need.  Mind you, you can also just SFTP which suffers none of the annoying NAT related drama associated with FTP.

  • Thank you submicron.  I'd swear I've tried all this, but very likely have not set it up right, so I'll set it up again and test from outside tomorrow.  I've first deleted all NAT and firewal rules related to FTP and rebooted twice.

    One question, you say enable the helper on WAN.  How about the DMZ interface ? – by default it is enabled (i.e. box not checked).  Do I need to disable it by checking the box ?

    Thanks Again !


  • …I've NAT'd incoming FTP from WAN to my server (alias QNap, on DMZ), and TWO firewall rules were automatically created (please see screenshots below).  I get an error I was getting before on the scrolling banner at the top of the WebGUI page that says
    < Acknowledge All - [Filter Reload] # unresolvable dest aliases > and it points to the newly created firewall rules.

    What am I doing wrong ?  ???

    Regards,  -NJ

  • …here's my DMZ rules ..maybe the problem is here ?...

  • See that error about unresolvable aliases?  That's important.

    Separately, you are making this way more complicated than it needs to be.  Firewall rules are evaluated on the interface which recieves the inbound connections, thus a DMZ firewall rule should only apply to devices inside your DMZ making connections to the outside world.  The same applies to your FTP helper application.  If you are FTPing out from your DMZ, then you would want to run the helper on this interface.

  • …thank you again for the comments.  This is why I posted.  Why the the "unresolvable aliases" and how do I fix that ?  The rules were automatically created when I NATed, why are they giving me that error ?

    Also, all suggestions on setting up the FTP helper say, enable it on the WAN.  So, do I enable the helper on both ? or just my DMZ ?  Please understand I am not a network expert, though I am eager to learn.  This is my house where I also have a small office.  I very much appreciate any help you can give.

    So, here is what I just tried -- I disabled the helper on the WAN, and enabled it on the DMZ.  I was able to ftp and get the login screen, but logged me out immediately after typing my password.  I did this 3 times with the same result.  My firewall log shows allowed connection to my FTP server, but nothing else.

    Cheers,  -NJ

Log in to reply