How to set up pfSense to work with active FTP connections
I'm running pfSense version 2.0.1 with a LAN and a WAN interface.
Everything is working fine, except active FTP connections.
Before I switched to pfSense, I was running IPCop.
I have to FTP to an external server which only allows active connections. Login works, but, for example, listing does not.
I think I found the solution here -> http://forum.pfsense.org/index.php?topic=50151.0
But there are a few questions: IPsec is enabled on the pfSense and in use. When I change the outbound NAT to manual, does this affect my VPN connections?
Do I have any other disadvantages?
What? Your client is what sets the connection to be active or passive, not pfSense. In an active connection your client tells the FTP server what port to connect to from port 20.
The FTP helper in pfSense will allow this traffic automatically for you once it has seen your FTP control connection send the command, and will automatically change the private IP your client normally sends to your WAN IP.
I connect in active mode to FTP servers on the public internet all the time.
You shouldn't have to do anything other than make the connection for FTP to work.
Now, if you were running the server behind pfSense, then you have to configure a port forward on 21 to it, and again you should be done.
Here I just made an active connection to an FTP server on the public net from behind pfSense without any issues:
Status: Resolving address of johnpoz.net
Status: Connecting to 173.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 snipped FTP Server
Command: USER johnpoz
Response: 331 Password required for johnpoz
Command: PASS **********
Response: 230 User johnpoz logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: MFMT
Response: TVFS
Response: UTF8
Response: MFF modify;UNIX.group;UNIX.mode;
Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response: LANG en-US;ko-KR.UTF-8;ko-KR;bg-BG;zh-CN;ja-JP.UTF-8;ja-JP;zh-TW;fr-FR
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PORT 192,168,1,100,26,102
Response: 200 PORT command successful
Command: MLSD
Response: 150 Opening ASCII mode data connection for MLSD
Response: 226 Transfer complete
Status: Directory listing successful
Now clearly that server could not connect back to me with that 192.168.1.100 IP; the helper changed it for me. See, this is the directory pull:
Response: 150 Opening ASCII mode data connection for MLSD
Response: 226 Transfer complete
Status: Directory listing successful
You should have nothing to do to connect to FTP outside your pfSense box.
What? Your client is what sets the connection to be active or passive.
The external FTP server only allows active connections. And I can't change this because this is not my server.
I tried to connect to another active FTP server and it's working :o without changes.
I think the problem is the FTP port. I have to connect on port 20740 to the server where it's not working.
So what do I have to change?
So, if not on 21, it's likely the FTP helper does not see it as FTP to help you and open the port back up.
If that is the case, you can set up your client to only use specific ports, and then forward them on pfSense to your client's private IP.
So see below: I could set FileZilla to only use 6000 to 7000 as its active port range to tell the server to connect to. Then on pfSense set 6000-7000 to forward to that machine. It could be 6000 to 6100, 20000 to 20100, etc. It's up to you.
So, as you see, when it sends the PORT command now:
Command: PORT 192,168,1,100,26,184
Response: 200 PORT command successful
26*256 + 184 = 6840, which is between 6000 and 7000.
Then look at the second example where I set it to 20000-20050:
Command: PORT 192,168,1,100,78,69
Response: 200 PORT command successful
78*256 + 69 = 20037
OK, thanks :)
But is there no possibility to change the FTP helper config so that it can see my specific port as FTP? On my IPCop it was very easy: only adding the port to /etc/rc.d/rc.network and it was working.
Maybe there is a similar way with pfSense?
This would be better for me, because I'm using the Windows CLI FTP and I don't think that I'm able to change the ports there.
Yeah, it's quite possible that is an option; off the top of my head I'm not sure where that would be done. But sure, I have to assume you could do that, which would be a better option. Let me see what I can find; I can always set up the FTP on one of my external boxes to listen on a nonstandard port for testing.
Hope you can find something ;)