  • I have tried all the settings I have read about here and other places; none work.

    I really need a step by step set of instructions.
    I bought the definitive guide to pfSense, does not help much with my FTP problems.
    The book does not help with this, would think it one of the first things to talk about.

    What I have:
    pfsense 2.0.1
    One WAN with 3 extra network cards.

    Trying to get from internet to proFTP server on the LAN interface.

    The proFTP server works fine if I go directly to it from inside of the network.
    I have set MasqueradeAddress to my public WAN address and PassivePorts in the proftpd.conf file

    The following pics are the current settings and I have tried.

    I am using logmein to get to a remote computer to try the ftp back to my ftp server.
    The connection just hangs at trying to connect and no log entry in the system or firewall logs.

  • kwiles, not sure if your ftp server requires it, but in my server (rumpus) I also need to forward a range for ftp data ports as well as the ftp control port (port 21).

    Also I needed to enable a checkbox on the ftp server that says: 'use lan address for passive connections'.
    With these settings I was able to get ftp to work without using tunables as you have.

  • The ports 60000 to 65535 were also forwarded for the passive ports.

    If you are talking about the ftp client that has 'use lan address for passive connections'.
    I am using filezilla and have tried both passive and active settings.

  • Right, you have also forwarded data ports.
    No, the lan address for passive connections is a setting in my ftp server application.

    Have you tried scanning your firewall with a port-scanning tool? Forwarded ports should show as open.
    I use this tool if I need to scan ports: shieldsup

  • From what I have read, just by adding the PassivePorts line to the proftpd.conf file will enable passive mode.
    But when I try and log into the ftp server, (from inside network) using passive mode, I get connected but it hangs and times out getting a directory listing.

    Use active mode to connect and it works fine.

    SFTP is a lot slower in transferring files than FTP but maybe I need to look into that.
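
Added example, not part of any post in this thread: in passive mode the client opens the data connection to the address and port the server returns in its 227 reply, so when the passive ports are forwarded by hand, a hang at the directory listing can be narrowed down by checking that reply (as shown in the FTP client's log) against the forwarded range. The function name, verdict strings and sample replies are assumptions for illustration; the 60000-65535 range is the one mentioned in the thread, and the addresses are documentation/private ranges.

```shell
#!/bin/sh
# Added example: check the 227 reply an FTP client logs in passive mode
# against the passive port range forwarded on the firewall.

# pasv_check "REPLY LINE" LOW_PORT HIGH_PORT
# Prints: VERDICT ADDRESS PORT   (or "not-a-pasv-reply")
pasv_check() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
    {
        # A PASV reply carries six numbers: h1,h2,h3,h4,p1,p2
        if ($1 != "227" || !match($0, /\([0-9]+(,[0-9]+)+\)/)) {
            print "not-a-pasv-reply"; exit
        }
        n = split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
        if (n != 6) { print "not-a-pasv-reply"; exit }

        addr = f[1] "." f[2] "." f[3] "." f[4]
        port = f[5] * 256 + f[6]          # data port = p1*256 + p2

        # RFC 1918 ranges: unreachable for a client out on the internet
        private = (f[1] == 10) ||
                  (f[1] == 172 && f[2] >= 16 && f[2] <= 31) ||
                  (f[1] == 192 && f[2] == 168)

        if (private)                      verdict = "private-address"
        else if (port < lo || port > hi)  verdict = "port-not-forwarded"
        else                              verdict = "ok"
        print verdict, addr, port
    }'
}

# Constructed sample replies (not taken from the thread).
pasv_check "227 Entering Passive Mode (192,168,1,10,234,106)." 60000 65535
pasv_check "227 Entering Passive Mode (198,51,100,20,195,80)."  60000 65535
pasv_check "227 Entering Passive Mode (198,51,100,20,234,106)." 60000 65535
```

A `private-address` verdict seen by a client inside the LAN is expected; seen by a client on the internet it means the advertised address was not rewritten to the public one.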

  • SFTP does not work either, I would prefer FTP over SFTP because we have large files that need transferring.

    I can't believe it's this hard to set up an FTP server behind a pfsense firewall.

    No one has step by step instructions to set this up?  I would think the ppl that developed pfsense would have one but have not found one.

    Do I have a corrupt install of pfsense now?
    Do I need to reinstall it?
    How can I tell if the configuration files are corrupt?

  • There is a step by step guide.
    Howto setup ftp server behind pfsense
    Going on what you wrote, you might still run into problems as you seem to be having difficulties in getting through NAT.

  • Yes, I have seen that text but it appears to be for versions less than 2.x.

    Step 2
    2. Enable Proxy helper (by unchecking) on the WAN interface.

    This does not exist in version 2.x.  I don't think the docs have been touched since 1.x.

    In the Disadvantages section

    1. A bit glitchy in the scripts that setup the rules within PFsense. I have seen the setup become corrupt if you tinker too much with these settings back and forth and require a full reinstall and resetup of PFsense. (start from scratch, DO NOT use a backup config)

    It seems the doc could be a lot more helpful.

  • I run vsftp on a server inside my LAN, and the only thing I did in pfSense was to forward the ports, for NAT.  I can ftp to that server, from the internet in either port or pasv mode without any issues.

    BTW  This is on a 2.0.1 setup.


  • Well I have reinstalled pfSense so I could start from a fresh install.

    Still can not get it to work.

    See pics for my configuration.

    The proxy setting I have tried as default or a value of 1.

    The FTP client I have tried active or passive.

    The log file shows it being passed but wireshark does not see it reaching the FTP server.

    Any more ideas?

  • LAYER 8 Global Moderator

    It is amazing how much trouble users have with such a simple thing.

    For starters there is no reason to disable the helper if that is what you did?  Not sure what you mean by proxy setting.

    Your lan rule for 6100 to 6200 is not required at all.  The rule above it would allow the traffic in the first place.  And traffic from your lan would not be hitting the pfsense lan interface to get to that IP range anyway.. Unless you have more interfaces on the private side in pfsense?  And then again the rule above that would allow the traffic.

    If you are using the ftp helper there is no need to forward any passive ports.  ftp helper will do that for you.

    I believe where most users have issues is they try and access their ftp server via the public IP/fqdn from some other client on the same private side of pfsense.

    To be honest is there really a need for documentation to forward port 21 for ftp??  This is all that should be required to allow both active and passive ftp access from outside pfsense.  With the helper in play.

    I am using 2.1 and not having any problems with this at all.

    Should be simple enough to watch the traffic hit your pfsense 21 rules - just setup logging on those.  Then hit it from some client on the outside of your network.

    You sure you're not behind a double nat, ie something doing nat or firewalling in front of your pfsense box.  This is also a common issue when users have issues with port forwarding.  Because there is a nat router in front of their pfsense install that never allows the traffic to hit the pfsense interface in the first place.

  • I removed the 6100/6200 and set the proxy back to its default value, still does not work.

    As I said in my first post I use www.logmein.com to log into my computer at home, then use filezilla to try and access the FTP server.  So I am not behind another NAT.

    As I said in my last post the log file on pfsense shows port 21 being passed  and that the wireshark, an Ethernet sniffer, does not show any packets to or from the FTP server.

    As for whether better documentation is needed for FTP, the answer is yes, because it appears a lot of other people are having troubles also.  The documentation is not up to date anyway.

    I have 4 cards in the pfsense box they are
    em0 - WAN given by DHCP from the AT&T modem.
    re0 - LAN
    re1 - Wireless
    re2 - AgileDemo

    I can ping the FTP server from the pfsense box on the LAN interface.

    So if the NAT and firewall rule are correct for FTP server then I am at a loss still.

  • LAYER 8 Global Moderator

    em0 - WAN given by DHCP from the AT&T modem.

    You say you're not behind another nat – but clearly you are!!  That is a private IP, so it is behind a NAT.. Have you forwarded traffic on your AT&T "router or gateway - if it hands out private ips via dhcp it is clearly not just a modem" device to your wan IP of, or put this IP in DMZ of your at&t router?

    Even if in the DMZ of your at&t router - does it have a ftp helper.. Is it going to change private IPs to public?  Is it going to open the ports for the passive connection?

    So what does the traffic hitting your pfsense box wan have for destination since it's clearly behind a nat if it has an IP of  Notice your block rules above your other rules, says block private IPs.. Since you're behind a nat this could be blocking traffic.

    Did you post this log entry showing that it passed the 21 traffic?  I do  not recall seeing this log?

    Grab traffic at your wan interface and traffic at your lan interface re0 -- you can do this at the same time if you ssh and use tcpdump vs the gui under diag, which I believe only lets you sniff on one interface at a time.

    When I get home - getting ready to head home now I can show example of doing the sniffs and the sniff of the traffic accessing internal ftp from outside, etc.

    But again -- you are clearly behind a NAT on pfsense if your wan interface has a private IP address! ;)

  • Attached is the firewall log.

    I had a long talk with AT&T when it was installed and told them that I had my own firewall and that they should pass everything through and I believe they are because I have accessed a video camera on port 9020 and 9220.

    I will talk with AT&T again to make sure someone has not changed the settings, no idea why they would, but will check anyway.

  • LAYER 8 Global Moderator

    You access a video camera on those ports via what IP?

    Do you have those forwarded through your router?  Is there some sort of 1 to 1 NAT?

    So do a listen on your lan and wan interface on pfsense via simple tcpdump – do you see the packets?

    So for example open up a couple of ssh sessions.  Then at same time run tcpdump

    Here is wan
    [2.1-DEVELOPMENT][root@pfsense.local.lan]/root(6): tcpdump -i 4 -n -q port 21
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vmx3f1, link-type EN10MB (Ethernet), capture size 96 bytes
    07:08:34.395823 IP > 98.215.xxx.26.21: tcp 0
    07:08:34.396602 IP 98.215.xxx.26.21 > tcp 0
    07:08:34.478660 IP > 98.215.xxx.26.21: tcp 0
    07:08:34.479792 IP 98.215.xxx.26.21 > tcp 47
    07:08:34.480012 IP 98.215.xxx.26.21 > tcp 0
    07:08:34.565247 IP > 98.215.xxx.26.21: tcp 0
    07:08:34.602221 IP > 98.215.xxx.26.21: tcp 0

    That is on my lan interface of my pfsense box
    [2.1-DEVELOPMENT][root@pfsense.local.lan]/root(6): tcpdump -i 3 -n -q port 21
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vmx3f0, link-type EN10MB (Ethernet), capture size 96 bytes
    07:08:34.395972 IP > tcp 0
    07:08:34.396528 IP > tcp 0
    07:08:34.478732 IP > tcp 0
    07:08:34.479715 IP > tcp 47
    07:08:34.479794 IP > tcp 0
    07:08:34.565333 IP > tcp 0
    07:08:34.602293 IP > tcp 0

    At the same time you could run sniff on your ftp server..  Maybe something else blocking on your network, maybe software firewall on your ftp box?  All that should be required for ftp to work both active and passive is to forward tcp 21.

  • I had taken out the NAT rules for the camera and now they are back in.
    I did nothing else but add the NAT rules you see.

    This works for both video stream and web pages on the camera.
    You can not view the video without our software but you can get to the login web page from that camera.

    I will take down the camera at some time later.

    I used LogMeIn to access the video stream from a computer at my home and worked fine.

    Will try the tcpdump when I can.

  • LAYER 8 Global Moderator

    I notice those cameras are on a different network than your ftp server.

  • The only difference is that the LAN goes through a Gigabit switch to get to the FTP server and the  AgileDemo network goes directly to the camera.

    The switch is a non-managed switch so no NAT in it.

  • LAYER 8 Global Moderator

    Waiting to see the tcpdump from your pfsense interfaces.  If you see the packets on your wan, but not on your lan interface – then we have something to look into.

  • Tcpdumps attached.

    If you want it run with different options let me know.
    I used the following commands.

    For WAN
    tcpdump -i em0 > em0.dat

    For LAN
    tcpdump -i re0 > re0.dat

    I do see ftp on the LAN side but I am not versed in tcpdump to understand what I am reading.


  • LAYER 8 Global Moderator

    well I didn't actually match them up but I see ftp packets out of your lan interface re0

    11:01:19.581950 IP pool-173-57-104-76.dllstx.fios.verizon.net.62942 >

    So it's forwarding the packets.. So if your ftp server is not seeing it, then it's not pfsense's fault

    I posted up the easy thing to do for tcpdump..  So you don't see all that other noise, just ftp.  And vs the name resolution you just get IPs

    tcpdump -i 4 -n -q port 21

    -i 4 or -i 3 is my index of my interfaces - you can use either name or index, I used index.. You can view your index off of tcpdump -D


    tcpdump -D

    I can look a bit deeper, but I see packets on your lan interface going to your ftp server on port 21..   But I did not see any response - so that tells me either your ftp server never saw the packets, or he is not answering.

    In my lan sniff you see the server answer back
    07:08:34.396528 IP > tcp 0

    I don't see anything coming from ftp back – so it's not getting the packets you're putting on the lan interface of your pfsense, or it's just not listening on 21, or it has a firewall blocking? But clearly you can see from your sniff of your re0 that packets to ftp on 21 were put on the wire.  So pfsense did what you told it to do, forward the packets to that IP on its lan interface.
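
Added example, not part of any post in the thread: the WAN/LAN comparison walked through above, written as a script that reads two `tcpdump -n -q port 21` captures and reports where the FTP control connection stops. Function names, verdict strings and the sample addresses (documentation and private ranges) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare `tcpdump -n -q port 21` captures taken on the
# firewall's WAN and LAN interfaces at the same time.

# count_to ADDR.PORT FILE   -> packets whose destination is ADDR.PORT
count_to() {
    awk -v t="$1" '$2 == "IP" && $4 == ">" {
        d = $5; sub(/:$/, "", d); if (d == t) n++
    } END { print n + 0 }' "$2"
}

# count_from ADDR.PORT FILE -> packets whose source is ADDR.PORT
count_from() {
    awk -v t="$1" '$2 == "IP" && $3 == t { n++ } END { print n + 0 }' "$2"
}

# ftp_forward_verdict WAN_IP SERVER_IP WAN_CAPTURE LAN_CAPTURE
ftp_forward_verdict() {
    wan_in=$(count_to "$1.21" "$3")      # arrived at the firewall
    lan_in=$(count_to "$2.21" "$4")      # put on the LAN wire after NAT
    lan_out=$(count_from "$2.21" "$4")   # answers from the FTP server
    if   [ "$wan_in"  -eq 0 ]; then echo "nothing-reached-wan"      # upstream device
    elif [ "$lan_in"  -eq 0 ]; then echo "not-forwarded"            # firewall NAT/rules
    elif [ "$lan_out" -eq 0 ]; then echo "forwarded-server-silent"  # server or its host firewall
    else                            echo "server-replied"
    fi
}

# Constructed sample captures (not taken from the thread's attachments).
demo_dir=$(mktemp -d)
cat > "$demo_dir/wan.txt" <<'EOF'
11:01:19.581801 IP 203.0.113.7.62942 > 198.51.100.20.21: tcp 0
11:01:22.580960 IP 203.0.113.7.62942 > 198.51.100.20.21: tcp 0
EOF
cat > "$demo_dir/lan.txt" <<'EOF'
11:01:19.581950 IP 203.0.113.7.62942 > 192.168.1.10.21: tcp 0
11:01:22.581102 IP 203.0.113.7.62942 > 192.168.1.10.21: tcp 0
EOF
ftp_forward_verdict 198.51.100.20 192.168.1.10 "$demo_dir/wan.txt" "$demo_dir/lan.txt"
rm -rf "$demo_dir"
```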

