PfSense 2.0 RC3 and client FTP

  • Hi all.

    I have a 2.0 RC3 pfSense box with multi-WAN and NAT config. Yesterday a client tried to connect to an external FTP server and got the message "connection closed by foreign host" when trying to DIR or GET a file from the server. As my installation is recent, I think that nobody tried to FTP before that. The problem occurs in all clients.
    I've been searching for a solution and found and,7096.0.html that focus on 1.2.3 and didn't solve my problem. It looks like this is an old issue that wasn't solved.
    This has been a big problem for me in the last 2 days; I would be very thankful for any help.


  • First of all, you need to allow FTP data traffic, port 21 works only to send cmd.

  • Oh sorry, I forgot to post it.

    First of all I allowed TCP/UDP from LAN net to localhost port 8000 to 8030.
    Then I allowed TCP/UDP traffic from LAN net to internet ports 20-21 only through WAN, not OPT1.
    The links I posted before say that I need to disable ftp_helper in WAN and OPT1 and enable it in LAN, but 2.0 RC3 doesn't have this button in Interfaces / LAN or WAN.

  • Ok. Note that active FTP data communication is started by client with source port 20, not destination port.

  • I changed to source port 20-21 destination 20-21 and could transfer a little bit of data, but the error still occurs… :(
    I'm really in trouble with that, because a paying client needs this to keep working. I can have some trouble with that...

    Tks for all.


  • Ok.
    Cmd port 21 (destination)
    Data port 20. Active mode(source)
    Data ports passive mode (destination)

    If you know FTP server ip and you 'trust' this server, enable all outbound ports to it and use passive mode for data transfer.
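
How the ports listed above map onto actual connections, as an added example that is not part of the original thread: it decodes the client's PORT command (active mode) and the server's 227 reply (passive mode) into the data connection a firewall has to pass. The addresses and session lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by PORT and by the 227 passive reply
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def data_connection(line, client_ip, server_ip):
    """Describe the data connection implied by one control-channel line."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        return {
            "mode": "active", "initiator": "server",
            "src": (server_ip, 20),        # conventional FTP data source port
            "dst": (ip, port),             # address the client announced
            # A private address cannot be reached from the internet unless
            # an FTP proxy/helper on the NAT box rewrites the PORT command.
            "needs_nat_helper": ipaddress.ip_address(ip).is_private,
        }
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        return {
            "mode": "passive", "initiator": "client",
            "src": (client_ip, None),      # ephemeral client port
            "dst": (ip, port),             # port the server opened
            "needs_nat_helper": False,     # outbound, ordinary NAT handles it
        }
    return None                            # not a data-connection setup line

if __name__ == "__main__":
    # Constructed control-channel lines (client on a private LAN behind NAT)
    session = ["USER demo", "PORT 192,168,1,50,195,80",
               "227 Entering Passive Mode (203,0,113,10,31,64)"]
    for entry in session:
        print(entry, "->", data_connection(entry, "192.168.1.50", "203.0.113.10"))
```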

  • Don't know if you already tried to disable the FTP proxy on your LAN interface; that did the trick for me, allowing me to connect to an FTP server behind pfSense.


  • @marcelloc:

    Cmd port 21 (destination)
    Data port 20. Active mode(source)
    Data ports passive mode (destination)

    Sorry, I didn't know what you mean with that  :-\


    If you know FTP server ip and you 'trust' this server, enable all outbound ports to it and use passive mode for data transfer.

    Yes, I trust this FTP server. I just don't know how to do what you said. About the passive mode, I don't think it can be done. The client software has the FTP routine inside it, I can't just change it.  :(
    And no, I'm not an FTP expert. I'm not even a pfSense expert, I'm just trying to be.

  • Take a look at. Google to see how FTP works.

    FTP can send files in active or passive mode.

    Knowing how the protocol works is the first step before creating rules to permit or deny it.

  • Even I am facing a similar issue.

    I have a dual WAN setup with failover configuration. There is an application that uses Windows 2k3 FTP.exe to connect to a remote server and download some patches. Microsoft in all its wisdom has done away with PASV mode on FTP.exe and the client cannot connect to the server in active mode.

    Passive mode works just fine with filezilla on the same FTP server.

    I tried running ftp-proxy, but there were no anchors for ftp-proxy, so it couldn't create any firewall rules dynamically.

    How do I make the client work in active mode itself, and how do I debug whether the kernel FTP helper is working?

  • I had to turn off my pfSense box and reactivate a hardware-based router with load balancing to avoid problems with this client, but this caused me other problems.  >:(

    In another box with just one WAN, FTP works fine, without modifications. By these days I'll turn it on again, but Google, forums, etc. still didn't give me any idea nor even a light…  :-
    Very good product, but I'm becoming very frustrated with that.
    Sorry if I was melancholic, but...

  • You can also buy a few hours of paid support.
    I'm sure it will work.

  • I wonder if you're seeing the same issue that I am? (reported here:,42980.msg222115.html)

    My workaround was to force outgoing FTP traffic across the default gateway.
