FTP problem when client connects from public IP through LAN interface (via VPN)?

jjj

Our setup is this:
Client (public IP) > VPN Box > Web Filter > pfSense (LAN Interface) > FTP Server (in DMZ)
Therefore, the client is connecting with a public IP, through the LAN interface to the FTP server in the DMZ.

The client is connecting to the FTP server and authenticating, but when they try to enter PASV mode, it's getting blocked.

I've allowed all communications from their public IPs on the LAN interface to the DMZ and vice versa so I don't think this is a firewall rule issue.

Is this kind of setup a problem for pfSense?

p.s. on a side note, do we still need the FTP helper rule (127.0.0.1 with 8000 - 8030) in pfSense 2.0?

–-EDIT---
Actually any PASV FTP into the DMZ is blocked....

Status: Connecting to 192.168.X.X:21...
Status: Connection established, waiting for welcome message...
Response: 220 ---
Command: USER loginid
Response: 331 Password required for loginid.
Command: PASS *******
Response: 230 Login OK. Proceed.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current folder.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (123,123,123,123,109,96).
Command: MLSD
Response: 150 Opening BINARY mode data connection for MLSD /.
Error: Connection timed out
Error: Failed to retrieve directory listing

jjj

bump – Is there a problem with PASV FTP with 2.0?