FTP. Is it possible



  • Hi, I just changed my WRAP based firewall from m0n0wall to pfSense, because I could not get a good working WiFi config and pfSense has some cool extra features.

    But.. I can't get my FTP server to work. I've searched through the forum and tried the setup explained in http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHow. I have found an article about some complicated setup with virtual IP, which I don't understand.

    The FTP server is on my LAN and I have set a port forwarding rule for port 21 and a firewall rule for port 21 and the configured passive ports. This worked fine in m0n0wall, but the client and the server keep saying 425 can't open data connection.



  • Hello,

    //offtopic, because it's my first post here. Thanks to the team for really great work!
    //ontopic

    I think you need to forward port 20 too, FTP data travels through it.

    
    20=FTP-DATA - File Transfer Protocol [Default Data]
    21=FTP - File Transfer Protocol [Control]
    


  • Hi,

    It sounds like you're connecting to your FTP server from outside of your network?

    @hellsblade:

    The FTP server is on my LAN and I have set a port forwarding rule for port 21 and a firewall rule for port 21 and the configured passive ports.

    You could try:
    Deleting all your current rules and port forwards, and disabling the FTP helper on the WAN interface. Then create firewall rules and port forward rules, not just for port 21 but also for your passive ports for the FTP server.

    I am doing this in several environments, and have it running without a problem.



  • @cna:

    I think you need to forward port 20 too, FTP data travels through it.

    
    20=FTP-DATA - File Transfer Protocol [Default Data]
    21=FTP - File Transfer Protocol [Control]
    

    I don't think so. I'm using passive mode. http://slacksite.com/other/ftp.html#pasvexample.

    But I've tried active also and got the same result.



  • @bgbearcatfan:

    It sounds like you're connecting to your FTP server from outside of your network?
    @hellsblade:

    The FTP server is on my LAN and I have set a port forwarding rule for port 21 and a firewall rule for port 21 and the configured passive ports.

    You could try:
    Deleting all your current rules and port forwards, and disabling the FTP helper on the WAN interface. Then create firewall rules and port forward rules, not just for port 21 but also for your passive ports for the FTP server.

    Yes, I try to connect from the outside, that's the whole idea of setting the firewall rules  ::).

    Can you or someone explain why one should all the firewall rules and port forwards first? The "disable userland FTP proxy" option is set by default on all interfaces. I already tried enabling and disabling it on both the LAN and WAN interface, but no results so far.



  • Sorry, I don't understand the wording of your question. Using passive mode on your FTP server, your firewall rules should look like this:

    (Under the WAN tab in firewall: rules)

    Proto   Source   Port   Destination   Port        Gateway
    TCP     *        *      10.1.1.10     21          *
    TCP     *        *      10.1.1.10     7000-7020   *

    The above is when 10.1.1.10 is the private ip of ftp server, and ports 7000-7020 are the passive mode ports used by the firewall.

    Then port forward rules should be:

    If     Proto   Ext. Port Range   NAT IP      Int. Port Range
    WAN    TCP     21                10.1.1.10   21
    WAN    TCP     7000-7020         10.1.1.10   7000-7020

    This is also assuming that you have only one WAN interface.
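    The rule set above only works when the port a server announces in its PASV reply actually falls inside the forwarded range, which is exactly the mismatch that produces "425 can't open data connection". The following is an added example, not code from this thread or from pfSense: it parses sample 227 replies (constructed here, not captured from the poster's server) and checks each announced endpoint against the forwarded range of the post above (TCP 7000-7020 to 10.1.1.10, both taken from the post as assumptions). It also flags the second classic NAT problem, a server announcing its RFC 1918 address, which an outside client cannot reach unless the FTP helper rewrites it or the server is configured with its public address; and it lists the passive ports a server could hand out that no port forward covers.

```python
import ipaddress
import re

# Constructed sample 227 replies, as an FTP server sends on the control
# channel in answer to PASV. They are not taken from the forum thread.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,1,1,10,27,89)",    # 27*256+89  = 7001, inside 7000-7020
    "227 Entering Passive Mode (10,1,1,10,31,144)",   # 31*256+144 = 8080, outside the range
    "227 Entering Passive Mode (203,0,113,5,27,90)",  # 7002, public (documentation) address
]

# RFC 1918 networks: an address in one of these is unreachable from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 227 <text> (h1,h2,h3,h4,p1,p2) as defined in RFC 959; port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(host):
    """True if host is a private (RFC 1918) IPv4 address."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def check_pasv_reply(reply, forwarded_range=(7000, 7020)):
    """List the reasons an outside client could not open the data connection.

    An empty list means the announced endpoint is consistent with the firewall
    and port forward rules in the post above (assumed range 7000-7020).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["reply is not a well-formed 227 PASV response"]
    host, port = parsed
    low, high = forwarded_range
    problems = []
    if not low <= port <= high:
        problems.append(f"data port {port} is outside forwarded range {low}-{high}")
    if is_rfc1918(host):
        problems.append(f"announced address {host} is private; an outside client cannot reach it "
                        "unless the FTP helper rewrites it or the server knows its public address")
    return problems


def unforwarded_ports(server_range, forwarded_range):
    """Ports the server may hand out in PASV replies that no port forward covers."""
    server_ports = set(range(server_range[0], server_range[1] + 1))
    forwarded = set(range(forwarded_range[0], forwarded_range[1] + 1))
    return sorted(server_ports - forwarded)


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply, "->", check_pasv_reply(reply) or "OK")
    # The situation in the thread: passive range set on the server, only port 21 forwarded.
    print("unforwarded:", unforwarded_ports((7000, 7020), (21, 21)))
```

    Run it as-is to see the three sample replies classified; pass the 227 line from your own client's log (verbose mode in most clients prints it) to check_pasv_reply to see whether the announced port and address match what the firewall actually forwards.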



  • @bgbearcatfan:

    Sorry, i don't understand the wording of your question.

    OK, sorry  :'(
    "why one should all the firewall rules": I forgot the word delete, so it should say "why one should delete all the firewall rules". I thought that was not necessary. And indeed it wasn't. I didn't have the forwarding rule for the passive ports  :-. Everything works fine now.
    Thanks for the help.
    Rgds,
    Hellsblade

