Multiple FTP servers; non-standard ports



  • Can someone enlighten me on how I can host FTP (active and passive) on non-standard ports behind pfSense 2.0-RC1?  Lots of information online suggests using something called proxy helper, but first I can't find this in pfSense 2 and second that seems like it's only going to work for 21/20.

    The ultimate goal is to host multiple ftp servers:
    -one on WAN TCP 21
    -one on WAN TCP 7521
    -one on WAN TCP 7621
    -one on WAN TCP 7721

    I will use 20, 7520, etc… for the data port and assign different ranges of ethereal ports to each server for PASV connections.



  • I'm not sure why nobody has replied.  I did read the forum rules, but if I've violated them (or this is a stupid question or has been answered), please let me know.

    Otherwise, if it's not possible, please consider incorporating this ability into a future version.

    I'll continue to use the beta and report issues as they arise.



  • Hello!
    To set up pfSense for passive connection I did this:

    • I do not have the tftp proxy helper activated in System: Advanced: Firewall and NAT

    • Then we need some NAT settings.
      WAN TCP * * WAN address 7520 - 7521 [Server address or alias] 7520 - 7521 Ftp server LAN 
      WAN TCP * * WAN address 1400 - 1430 [Server address or alias] 1400 - 1430 Ftp passive data ports

    • Then we need 2 WAN firewall rules: (think you get them auto added when you save NAT rules)
      Allow TCP * * [Server address or alias] 7520 - 7521 * none   Ftp server LAN
      Allow TCP * * [Server address or alias] 1400 - 1430 * none   Ftp passive data ports

    • The ftp server program needs to be set to the same passive data ports.

    /illern



  • Yes, but that's only one ftp server, and that's only passive.  I need to be able to support passive and active connections, and do it for two ftp servers.  I can do this with a Cisco ASA, but not with PFSense, from what I can tell.  The firewall will need to rewrite a bunch of information in the packet headers for this to work.
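
Added example, not written by any participant in this thread: FTP carries an IP address and data port as text inside the control channel (the PORT command in active mode, the 227 reply in passive mode), so a NAT device either rewrites that text or the server must advertise the WAN address and a port inside the forwarded range. This Python code parses and rewrites that tuple and checks a 227 reply against the forwarded range; the addresses 192.168.1.10 and 203.0.113.5 and all function names are assumptions, and 1400-1430 is the passive range from the reply above.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply to PASV (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + r",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(line):
    """Return (IPv4Address, port) found in a PORT command or 227 reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def rewrite(line, internal_ip, public_ip):
    """Swap the internal address for the public one, keeping the port (1:1 forward)."""
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != ipaddress.IPv4Address(internal_ip):
        return line
    port = parsed[1]
    fields = str(public_ip).split(".") + [str(port // 256), str(port % 256)]
    return _HOSTPORT.sub(",".join(fields), line, count=1)

def check_pasv_reply(line, public_ip, port_range):
    """List the reasons a client on the WAN side could not use this 227 reply."""
    parsed = parse_hostport(line)
    if parsed is None:
        return ["no host/port tuple in reply"]
    ip, port = parsed
    problems = []
    if ip != ipaddress.IPv4Address(public_ip):
        problems.append(f"advertises {ip}, clients must connect to {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside forwarded range {lo}-{hi}")
    return problems

# Constructed sample: server on 192.168.1.10 (assumed), WAN 203.0.113.5 (assumed)
if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,10,5,130)"
    print(check_pasv_reply(reply, "203.0.113.5", (1400, 1430)))
    fixed = rewrite(reply, "192.168.1.10", "203.0.113.5")
    print(fixed, check_pasv_reply(fixed, "203.0.113.5", (1400, 1430)))
```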

