deanjo last edited by
pfSense n00b here.
I'll try to be as clear as I can describing the issue with pfSense 2.0.1 and our ftp issue.
Here is what works:
FTPing from an external IP address to an FTP behind pfSense works fine so the NAT is working there.
FTPing to the internal IP address (192.168.1.240) of the FTP on the lan works fine.
FTPing to the ftp using the server name on the internal network also works fine.
What doesn't work is FTPing from the internal network (192.168.1.xxx) to the external WAN IP address (e.g. 198.169.x.x). The login works fine, but as soon as it tries to list the directory we get a:
Response: 220 FTP Server Ready
Command: USER someuser
Response: 331 Password required for someuser
Command: PASS ******
Response: 230-
Response: 230-Secured Private FTP Server
Response: 230-Unauthorized Access is Strictly Prohibited.
Response: 230-===========================================
Response: 230-
Response: 230-Consider Yourself Logged.
Response: 230-
Response: 230 User someuser logged in
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (198,169,x,x,163,128)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing
Any ideas as to what setting is preventing the ftp server from listing the directory when trying to access it from the internal lan using the wan ip?
Well, why in the world would you do that in the first place? But that's NAT reflection, and yeah, with the way the FTP protocol works, getting it through a NAT could be a messy thing to get working.
You're attempting a passive connection from the client, so the server tells the client what IP and port to connect to – see that passive command that says connect to him on 198.169 port (163*256)+128 = port 41856.
Why would you need to access the WAN IP if you're on the same LAN as the FTP server? Routing the FTP traffic through your router, vs. just over your switching network, doesn't make a lot of sense ;)
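To make the passive-mode point above concrete, here is a small added diagnostic script (not code from pfSense, FileZilla or either poster). It parses the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply out of a client log in the format quoted in the question, computes the data port as p1*256+p2, and reports when the advertised data address cannot be expected to work for the client that received it: a LAN client being told to open a data port on a public address (which needs NAT reflection for that port as well as the control port), or an external client being given an RFC 1918 address. Addresses are constructed: 198.51.100.7 stands in for the masked 198.169.x.x WAN IP, 192.168.1.240 is the FTP server's LAN address from the thread, and the LAN client address 192.168.1.50 is made up.

```python
import ipaddress
import re

# Added diagnostic for the thread above; not code from pfSense or the posters.
# Constructed sample addresses: 198.51.100.7 stands in for the masked WAN IP
# (198.169.x.x), 192.168.1.240 is the FTP server's LAN address from the thread.

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for RFC 1918 (LAN-only) addresses. Used instead of ipaddress.is_private,
    which also flags documentation ranges such as 198.51.100.0/24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    Per RFC 959 the data port is p1*256 + p2, so (163,128) -> 41856."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def last_pasv_reply(transcript):
    """Pick the last 227 reply out of a client log in the 'Response: ...' format quoted above."""
    replies = [ln.strip() for ln in transcript.splitlines()
               if ln.strip().startswith("Response: 227")]
    if not replies:
        raise ValueError("transcript contains no 227 reply")
    return replies[-1][len("Response: "):]


def diagnose_pasv(client_ip, control_ip, reply):
    """Explain whether the data connection requested by a 227 reply can reach the server
    from this client. Returns (data_ip, data_port, findings); an empty list means no problem."""
    data_ip, data_port = parse_pasv(reply)
    findings = []
    if data_ip != control_ip:
        findings.append("data address %s differs from control address %s" % (data_ip, control_ip))
    if is_rfc1918(client_ip) and not is_rfc1918(data_ip):
        findings.append("LAN client must open port %d on public address %s; the firewall needs "
                        "NAT reflection for that port too, or the client should use the LAN address"
                        % (data_port, data_ip))
    if not is_rfc1918(client_ip) and is_rfc1918(data_ip):
        findings.append("external client was given private address %s; the server should "
                        "advertise its public IP" % data_ip)
    return data_ip, data_port, findings


if __name__ == "__main__":
    # Constructed transcript modelled on the one in the question, masked octets filled in.
    failing = """Command: PASV
Response: 227 Entering Passive Mode (198,51,100,7,163,128)
Command: MLSD
Error: Connection timed out"""
    working = "Response: 227 Entering Passive Mode (192,168,1,240,163,128)"
    cases = (
        ("192.168.1.50", "198.51.100.7", last_pasv_reply(failing)),   # LAN client via WAN IP
        ("192.168.1.50", "192.168.1.240", last_pasv_reply(working)),  # LAN client via LAN IP
    )
    for client, control, reply in cases:
        ip, port, findings = diagnose_pasv(client, control, reply)
        print("client %s -> control %s: data connection to %s:%d" % (client, control, ip, port))
        for f in findings:
            print("  !", f)
```

Run it as-is and the first case (the one from the question) reports that the LAN client is being sent to a public address for its data port, while the second (connecting to the server's LAN address) reports nothing, which matches the behaviour described in the question.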