Netgate Discussion Forum

    Ftp server behind pfsense

      njaimo

      Hi There,

      I am vexed trying to set up an FTP server behind pfSense 1.2.3.  I've read many posts and wiki ( http://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense ), and tried what is suggested there to use the FTP helper with absolutely no luck.

      The "firewall log" in pfSense shows the port 21 being NATed to my WAN address and not my FTP server, which is behind pfSense in a DMZ, even though I have my server's IP in the NAT rule.  If I could, I would like to ask the community for the nitty-gritty details, totally dumbed down to my level…

      Say my WAN address is 142.XX.XX.XX, my FTP server is 192.168.3.150, and my DMZ is 192.168.3.1.  I've read I need to enable the FTP proxy on the WAN interface (which I have), but what about the DMZ interface, do I want it enabled or disabled ? (right now I have it enabled).

      Sorry to be asking what may be very basic questions...

      -NJ

        Guest

        The ftp proxy needs to be enabled on the interface which receives the inbound FTP request (in this case, the WAN).  Make sure your firewall rule allows the FTP traffic to the private IP address of your FTP server and ensure that you have the appropriate NAT rule in place NATing from your WAN interface to the FTP server's internal address.  This should be all you need.  Mind you, you can also just SFTP which suffers none of the annoying NAT related drama associated with FTP.

          njaimo

          Thank you submicron.  I'd swear I've tried all this, but very likely have not set it up right, so I'll set it up again and test from outside tomorrow.  I've first deleted all NAT and firewall rules related to FTP and rebooted twice.

          One question, you say enable the helper on WAN.  How about the DMZ interface ? – by default it is enabled (i.e. box not checked).  Do I need to disable it by checking the box ?

          Thanks Again !

          -NJ

            njaimo

            …I've NAT'd incoming FTP from WAN to my server (alias QNap, on DMZ), and TWO firewall rules were automatically created (please see screenshots below).  I get an error I was getting before on the scrolling banner at the top of the WebGUI page that says
            < Acknowledge All - [Filter Reload] # unresolvable dest aliases > and it points to the newly created firewall rules.

            What am I doing wrong ?  ???

            Regards,  -NJ

            nat.gif
            rules.gif

              njaimo

              …here's my DMZ rules ..maybe the problem is here ?...

              DMZ.gif

                Guest

                See that error about unresolvable aliases?  That's important.

                Separately, you are making this way more complicated than it needs to be.  Firewall rules are evaluated on the interface which receives the inbound connections, thus a DMZ firewall rule should only apply to devices inside your DMZ making connections to the outside world.  The same applies to your FTP helper application.  If you are FTPing out from your DMZ, then you would want to run the helper on this interface.

                  njaimo

                  …thank you again for the comments.  This is why I posted.  Why the "unresolvable aliases" and how do I fix that ?  The rules were automatically created when I NATed, why are they giving me that error ?

                  Also, all suggestions on setting up the FTP helper say, enable it on the WAN.  So, do I enable the helper on both ? or just my DMZ ?  Please understand I am not a network expert, though I am eager to learn.  This is my house where I also have a small office.  I very much appreciate any help you can give.

                  So, here is what I just tried -- I disabled the helper on the WAN, and enabled it on the DMZ.  I was able to ftp and get the login screen, but it logged me out immediately after typing my password.  I did this 3 times with the same result.  My firewall log shows allowed connection to my FTP server, but nothing else.

                  Cheers,  -NJ
