Netgate Discussion Forum
    Outbound NAT rule for port 20 not working for Active FTP

    Category: NAT

    ssheikh wrote:

      Maybe my understanding is flawed. Please set me straight if so.

      Here is what I have:

      • pfSense 2.0.1 x64 running on HP DL380 G4
      • Only a basic LAN and single WAN setup.
      • Using proxy ARPs for virtual IPs
      • Filezilla FTP server published on a virtual IP

      If I have 1:1 NAT mapping my inside IP of the FTP server to the virtual IP outside, Active FTP works fine.

      If I have an Outbound NAT rule defined with the following:

      • Interface: WAN
      • Protocol: TCP
      • Source IP: Inside IP of the FTP server/32
      • Source Port: any
      • Destination IP: any
      • Destination port: 20
      • NAT Address: The Virtual IP on which my FTP is published
      • NAT port: *
      • Static Port: No (though setting this to yes doesn't make any difference either)

      The outbound NAT rule is the first one in the order.

      Trying to download data using Active FTP what I see coming out of the firewall is a mangled up sync request being sent to the client that is from the WAN address of the firewall (and not the virtual IP) and not destined to port 20 on the client.

      It seems as if whatever FTP helper is built into the kernel grabs the packet and mangles it up which then causes it to not get picked up by the Outbound NAT rule. The same thing does not happen when 1:1 NAT is defined.

      Now I have verified that Outbound rules do work in general. In the above Outbound rule if I change the Destination port to 80 and go to www.whatsmyip.org, I do see the request from the correct virtual IP.

      For various other reasons I do not want to have a 1:1 NAT (have other published services) and I do not want to publish FTP on the WAN address of the firewall.

      Thanks,

      Shahid


      ssheikh wrote:

        Brain fart! Got it to work. It's the source port that should be 20. Not the destination port.

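Why the first rule never fired and the corrected one does, as an added example that is not part of the thread: in Active FTP the server opens the data connection itself, from its own port 20 to whatever ephemeral port the client announced in the PORT command, so a rule keyed on destination port 20 cannot match that flow and it falls through to the default LAN rule (translated to the WAN address with a random port, which is exactly what was observed). The script below models a pfSense-style ordered outbound NAT table with first-match semantics and runs the data connection through both rule sets. All addresses, the client's ephemeral port, the catch-all LAN rule and the choice of "static port" on the corrected rule are assumptions constructed for the example, not values from the post.

```python
"""Model of ordered outbound NAT matching against an Active FTP data connection.
Constructed example; addresses use RFC 1918 / RFC 5737 documentation space."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (assumptions, not from the thread).
FTP_SERVER_LAN_IP = "192.168.1.10"  # inside IP of the FTP server
VIP = "203.0.113.10"                # proxy-ARP virtual IP the FTP server is published on
WAN_ADDRESS = "203.0.113.1"         # the firewall's own WAN address
CLIENT_IP = "198.51.100.5"          # remote FTP client
FTP_DATA_PORT = 20


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of the outbound NAT table. None for a port means 'any'."""
    source: str                  # CIDR
    source_port: Optional[int]
    destination: str             # CIDR or "any"
    dest_port: Optional[int]
    nat_address: str
    static_port: bool = False
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        if self.proto not in ("any", flow.proto):
            return False
        if ip_address(flow.src_ip) not in ip_network(self.source):
            return False
        if self.destination != "any" and ip_address(flow.dst_ip) not in ip_network(self.destination):
            return False
        if self.source_port is not None and flow.src_port != self.source_port:
            return False
        if self.dest_port is not None and flow.dst_port != self.dest_port:
            return False
        return True


@dataclass(frozen=True)
class NatResult:
    matched_rule_index: int
    nat_ip: str
    nat_port: Optional[int]  # None: firewall picks a random ephemeral port


def translate(rules: List[OutboundNatRule], flow: Flow) -> NatResult:
    """First matching rule wins, as in an ordered outbound NAT list."""
    for index, rule in enumerate(rules):
        if rule.matches(flow):
            port = flow.src_port if rule.static_port else None
            return NatResult(index, rule.nat_address, port)
    raise LookupError("no outbound NAT rule matched")


def active_ftp_data_flow(client_port: int = 54321) -> Flow:
    """Active FTP: the server connects from port 20 to the client's announced port.
    The client port 54321 is a constructed placeholder."""
    return Flow("tcp", FTP_SERVER_LAN_IP, FTP_DATA_PORT, CLIENT_IP, client_port)


# Assumed catch-all rule for the LAN subnet, translating to the WAN address.
DEFAULT_LAN_RULE = OutboundNatRule("192.168.1.0/24", None, "any", None, WAN_ADDRESS)

# Rule set as originally posted: destination port 20.
RULES_DEST_PORT_20 = [
    OutboundNatRule(FTP_SERVER_LAN_IP + "/32", None, "any", FTP_DATA_PORT, VIP),
    DEFAULT_LAN_RULE,
]

# Corrected rule set: source port 20. Static port is an assumed setting so
# the client also sees the connection arrive from port 20.
RULES_SRC_PORT_20 = [
    OutboundNatRule(FTP_SERVER_LAN_IP + "/32", FTP_DATA_PORT, "any", None, VIP, static_port=True),
    DEFAULT_LAN_RULE,
]

if __name__ == "__main__":
    flow = active_ftp_data_flow()
    for name, rules in (("dest port 20", RULES_DEST_PORT_20), ("src port 20", RULES_SRC_PORT_20)):
        result = translate(rules, flow)
        print(f"{name}: rule #{result.matched_rule_index} -> "
              f"{result.nat_ip}:{result.nat_port if result.nat_port else 'random'}")
```

Running it shows the posted rule set translating the data connection to the WAN address via the catch-all rule, while the corrected set translates it to the virtual IP and, with static port on, keeps source port 20.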
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.