Howto setup pfsense to work with active ftp connection



  • Hello!

    I´m running pfsense version 2.0.1  with LAN and WAN Interface.
    Everything is working fine, except active ftp connections.
    Before i switched to pfsense, i was running ipcop.

    I have to ftp an external server which only allows active connections. Login is working, but for example Listing not.
    I think i found the solution here -> http://forum.pfsense.org/index.php?topic=50151.0

    But there are a few questions: Ipsec is enabled on the pfsense and in use. When i change the outbound nat to manuel, does this affect my vpn connections?
    Do i have any other disadvantages?

    Thx!


  • Rebel Alliance Global Moderator

    What?  your client is what sets the connection to be active or passive.  Not pfsense, in an active connection your client tells the ftp server what port to connect to from port 20.

    The ftp helper in pfsense will allow this traffic automatically for you once it has seen your ftp control connection send the command and will auto change the private IP your client normally sends to your wan IP.

    I connect to in active mode to ftp servers on the public internet all the time.

    You shouldn't have to do anything other than make the connection for ftp to work.

    Now if you were running the server behind pfsense - then you have to configure port forward on 21 to it, and again you should be done.

    here I just made an active connection to ftp server on public net from behind pfsense without any issues

    
    Status:	Resolving address of johnpoz.net
    Status:	Connecting to 173.xxx.xxx.xxx:21...
    Status:	Connection established, waiting for welcome message...
    Response:	220 snipped FTP Server
    Command:	USER johnpoz
    Response:	331 Password required for johnpoz
    Command:	PASS **********
    Response:	230 User johnpoz logged in
    Command:	SYST
    Response:	215 UNIX Type: L8
    Command:	FEAT
    Response:	211-Features:
    Response:	 MDTM
    Response:	 MFMT
    Response:	 TVFS
    Response:	 UTF8
    Response:	 MFF modify;UNIX.group;UNIX.mode;
    Response:	 MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
    Response:	 LANG en-US;ko-KR.UTF-8;ko-KR;bg-BG;zh-CN;ja-JP.UTF-8;ja-JP;zh-TW;fr-FR
    Response:	 REST STREAM
    Response:	 SIZE
    Response:	211 End
    Command:	OPTS UTF8 ON
    Response:	200 UTF8 set to on
    Status:	Connected
    Status:	Retrieving directory listing...
    Command:	PWD
    Response:	257 "/" is the current directory
    Command:	TYPE I
    Response:	200 Type set to I
    Command:	PORT 192,168,1,100,26,102
    Response:	200 PORT command successful
    Command:	MLSD
    Response:	150 Opening ASCII mode data connection for MLSD
    Response:	226 Transfer complete
    Status:	Directory listing successful
    
    

    Now clearly that server could not connect back to me with that 192.168.1.100 IP - the helper changed it for me.  See this is the directory pull

    Response: 150 Opening ASCII mode data connection for MLSD
    Response: 226 Transfer complete
    Status: Directory listing successful

    You should have nothing to do to connect to ftp outside your pfsense box.



  • What?  your client is what sets the connection to be active or passive.

    The external Ftp Server only allows active connections. And I can´t change this cause this is not my server.

    I tried to connect to an other active ftp server and it´s working  :o without changes

    I think the problem is the ftp port. I have to connect on port 20740 for the server where it´s not working.
    So what i have to change?


  • Rebel Alliance Global Moderator

    So – if not on 21, its likely the ftp helper does not see it as ftp to help you and open the port back open.

    If that is the case, you can setup your client to only use specific ports, and then forward them on pfsense to your clients private ip.

    So see below I could set filezilla to only use 6000 to 7000 as its active port to tell the server to connect to.  Then on pfsense set 6000-7000 forward to that machine.  It could be 6000 to 6100, 20000 to 20100, etc.  Its up to you

    So as you see when sends port command now
    Command: PORT 192,168,1,100,26,184
    Response: 200 PORT command successful

    26*256+184 = 6840, which is between 6000-7000

    Then look at second example where I set to 20000-20050

    Command: PORT 192,168,1,100,78,69
    Response: 200 PORT command successful

    78*256 + 69 = 20,037






  • Ok, thx  :)

    But is there no possibility to change the ftp helper config so that he can see my specific port as ftp? On my ipcop it was very easy.. Only adding the port to  /etc/rc.d/rc.network and it was working.
    Maybe there is also a similar way with pfsense??

    This would be better for me, cause i´m using the windows CLI FTP and i don´t think that i´m able to change the ports there.


  • Rebel Alliance Global Moderator

    Yeah its quite possible that is an option, off the top not sure where that would be done..  But sure I have to assume you could do that - which would be a better option.  Let me see what I can find, I can always setup one of my external boxes ftp to listen on a nonstandard port for testing



  • Thx!

    Hope you can find something  ;)


Locked