How to set up FTP on pfSense 2.0



  • Please, I really need help! I configured a pfsense firewall and everything works great, but I can't connect to an external ftp server from clients behind pfsense. I opened ports 20 and 21, but nothing happened. It seems the ftp transaction starts but it stops when it enters passive mode. What can I do? I want to use pfsense in my company, but I can't without ftp…



  • Hello!

    You probably need to make sure that your ftp client sends the correct IP address to the ftp server.
    I think your client sends the computer's IP address as the response address and that's an internal IP of your LAN.

    In the FlashFxp client I use, it's called "Use site IP for passive connections", which I have to enable.
    I think I've seen some that's called something with "IP masq" in some clients.
    Look around your settings in the client.

    /illern



  • In addition to what illern posted, you also need to forward the passive ports that you configured on your FTP server, to the FTP server.
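
Added example, not part of any post in this thread: a small checker for the two conditions raised above, namely whether the address announced on the FTP control channel (in a `PORT` command or a `227` PASV reply) is reachable across NAT, and whether the announced data port falls inside the forwarded passive range. The function names, the sample lines and the 50000-50100 range are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that only make sense inside the LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# h1,h2,h3,h4,p1,p2 as carried by a PORT command or a 227 (PASV) reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    line = line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227")):
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2


def diagnose(line, forwarded_ports=None):
    """List reasons the data connection announced in `line` would fail across NAT."""
    parsed = parse_hostport(line)
    if parsed is None:
        return ["not a PORT command or 227 reply"]
    ip, port = parsed
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{ip} is an RFC 1918 address, unreachable from the other side of NAT")
    if forwarded_ports and not forwarded_ports[0] <= port <= forwarded_ports[1]:
        problems.append(f"data port {port} is outside forwarded range {forwarded_ports[0]}-{forwarded_ports[1]}")
    return problems


if __name__ == "__main__":
    # Constructed control-channel lines (203.0.113.0/24 is a documentation range).
    for sample in ("227 Entering Passive Mode (192,168,1,10,195,80)",
                   "227 Entering Passive Mode (203,0,113,5,4,1)",
                   "PORT 192,168,1,10,4,1"):
        print(sample, "->", diagnose(sample, forwarded_ports=(50000, 50100)) or "ok")
```

Feed it the `PORT` or `227` lines from the FTP client's verbose log to see which of the two conditions applies.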



  • As far as I understand the scenario, you are trying to connect from your LAN to an FTP server located in the WAN zone. AFAIK you don't need to open any port at all for this connection. It doesn't even matter if you use active or passive connections - all packets arriving from the server at the pfSense WAN NIC are requested and therefore should get routed by NAT to your LAN IP.

    Follow illern's hint; I guess that will bring the solution.



  • Thanks for the advice, but I didn't solve the problem… Any other suggestions?



  • Opening ports 20 and 21 is not required for outbound traffic…you may in fact be routing packets inappropriately.  You may want to post screen grabs of your rules on each interface.  On a default install of pfsense RC3, ftp clients should work on our LAN side with no rules added to pfSense.

    The typical reasons you might define rules for port 21 traffic are:

    1.  You want to block outbound from ftp clients in your LAN.
    2.  You want inbound requests for port 21 to go to a server on your LAN side (in other words, you host an ftp server.)
    3.  You have multiple WAN connections and you want port 21 traffic going to a particular ISP.  Not sure what happens with load balancing and FTP but I'd guess it would be problematic.



  • I opened ports 20 and 21, but nothing happened. It seems the ftp transaction starts but it stops when it enters passive mode.

    First of all, it's a bit confusing. What are you trying to achieve? Active or passive mode to work?
    Ports 20/21 are for active.
    Second of all, the ftp situation you're describing should work out of the box (for me it did) without opening any additional rules besides the default LAN rule (pass LAN subnet to any on any protocol).
    But I did witness a situation last week, when after it all worked I added another WAN to the box and did a bit of a policy routing - then I got what you describe (sort of): on active ftp connections the client connects, then hangs.

    What solved it was disabling the ftp proxy: (system->advanced->system tunables->debug.pfftpproxy –>1)
    Try that.



  • @Ozzik:

    What solved it was disabling the ftp proxy: (system->advanced->system tunables->debug.pfftpproxy –>1)
    Try that.

    Ozzik,

    2.0 RC3, two WANs and a single LAN, the only way to have a passive ftp server behind pfsense is to disable the ftp helper proxy as you said.

    The difficult thing is that, after importing configuration from a 1.2.3 firewall, that tunable is not shown anymore in system->advanced->system tunables->, so if you miss it before importing a previous configuration then you can spend a lot of time trying to understand what is not working anymore.

    Thanks for your hint!

    maurilio.



  • I had the same problem. What solved the problem was disabling the ftp-proxy, tks a lot for this great forum :)



  • Well, after searching I've run across this thread about how to set up FTP on 2.0, just needing some help.

    I've set up a NAT: Port Forward on 20-21 to my internal ftp server 20-21

    I've set up Filezilla in Active mode, I've tried passive as well but no luck.

    Under Advanced -> Firewall/Nat -> I have only the first 2 boxes checked, I've tried multiple options here as well.

    I've also tried changing the system tunables to 1 like the above posts.

    Anyways I'm lost, can anyone offer any suggestions on what else to try? Thanks!

