Outbound NAT rule for port 20 not working for Active FTP

  • Maybe my understanding is flawed. Please set me straight if so.

    Here is what I have:

    • pfSense 2.0.1 x64 running on HP DL380 G4
    • Only a basic LAN and single WAN setup.
    • Using proxy ARPs for virtual IPs
    • Filezilla FTP server published on a virtual IP

    If I have 1:1 NAT mapping my inside IP of the FTP server to the virtual IP outside, Active FTP works fine.

    If I have an Outbound NAT rule defined with the following:

    • Interface: WAN
    • Protocol: TCP
    • Source IP: Inside IP of  the FTP server/32
    • Source Port: any
    • Destination IP: any
    • Destination port: 20
    • NAT Address: The Virtual IP on which my FTP is published
    • NAT port: *
    • Static Port: No (though setting this to yes doesn;t make any difference either)

    The outboud NAT rule is the first one in the order.

    Trying to download data using Active FTP what I see coming out of the firewall is a mangled up sync request being sent to the client that is from the WAN address of the firewall (and not the virtual IP) and not destined to port 20 on the client.

    It seems as if whatever FTP helper is built into the kernel grabs the packet and mangles it up which then causes it to not get picked up by the Outbound NAT rule. The same thing does not happen when 1:1 NAT is defined.

    Now I have verified that Outbound rules do work in general. In the above Outbound rule if I change the Destination port to 80 and go to www.whatsmyip.org, I do see the request from the correct virtual IP.

    For various other reasons I do not want to have a 1:1 NAT (have other published services) and I do not want to publish FTP on the WAN address of the firewall.



  • Brain fart! Got it to work. Its the source port that should be 20. Not the destination port.

Log in to reply