Remote ftp access to device



  • Hi everyone.
    I have a vuplus in my lan network (behind my pfsense). I would like to be able to access it through ftp from remote, so I have port forwarded port 21 to my vuplus ip. While trying to access from wan I get this error on filezilla:

    Response:220 Welcome to the vuplus FTP service!
    Command:USER root
    Response:331 Please specify the password.
    Command:PASS ********
    Response:230 Login successful.
    Command:OPTS UTF8 ON
    Response:200 Always in UTF8 mode.
    Status:Connected
    Status:Retrieving directory listing…
    Command:PWD
    Response:257 "/"
    Command:TYPE I
    Response:200 Switching to Binary mode.
    Command:PASV
    Response:227 Entering Passive Mode (192,168,10,10,194,171).
    Status:Server sent passive reply with unroutable address. Using server address instead.
    Command:LIST
    Error:Connection timed out

    The thing is that on the old router I had (linksys with tomato firmware) I was able to enter the vuplus through ftp by just forwarding port 21.
    What should I do?

    Thank you.



  • After reading many posts I have also port forwarded ports 1024-2025 and 50000-60000 to the ip of the vuplus.
    Still the same error, can't access it from wan.

    Are there any other ports to forward?
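
Added example, not part of any post in this thread: decoding the `227` reply from the FileZilla log above shows which data port the server picked and whether the forwards listed so far cover it. The function names are illustrative, and the forwarded ranges are the ones the poster describes (21, 1024-2025, 50000-60000).

```python
import ipaddress
import re

# Constructed from the thread: the 227 line in the FileZilla log and the
# port forwards the poster lists.
SAMPLE_REPLY = "Response:227 Entering Passive Mode (192,168,10,10,194,171)."
FORWARDED = [(21, 21), (1024, 2025), (50000, 60000)]

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    match = PASV_RE.search(reply)
    if not match:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255")
    address = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The data port is sent as two bytes: high byte first, then low byte.
    port = nums[4] * 256 + nums[5]
    return address, port


def diagnose(reply, forwarded):
    """Check the advertised endpoint against inclusive (low, high) forwards."""
    address, port = parse_pasv(reply)
    return {
        "address": str(address),
        "port": port,
        # A private address is what makes the client report "unroutable
        # address" and fall back to the control-connection address.
        "address_private": address.is_private,
        "port_forwarded": any(lo <= port <= hi for lo, hi in forwarded),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_REPLY, FORWARDED))
```

For the logged reply this gives port 49835 (194 × 256 + 171), which lies outside all three forwarded ranges, so the `LIST` data connection has nowhere to land. Pinning the server's passive range and forwarding only that range keeps the exposed ports to the minimum the data channel needs.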



  • Maybe it is not a pfSense problem. And pfSense is not Tomato!
    Are you really connecting from outside or from your LAN? Which version of pfSense? How did you port forward?

    Try to Google: "Server sent passive reply with unroutable address. Using server address instead"



  • Thank you for the reply. Obviously I did not mean that pfsense has anything to do with tomato at all. What I meant is that it seemed strange that a simple router port forward worked but I could not manage to make it work with pfsense. I have pfsense 2.0.3; I made the port forwarding in the NAT option of the firewall to the WAN ADDRESS, forwarding the tcp ports I mentioned (21, 1024-2025, and 50000-60000) to the ip address of the vuplus. I created 3 rules in the nat section.

    I have also created a forward rule for port 80 of the vuplus (so I can enter the web interface) and that works correctly. I can enter the interface but on the ftp side I get this error.

    Regards.



  • You almost don't need pfSense with all those open ports ;)

    Do not open your port 80 for security reasons. If you don't know why then educate yourself about network security.

    I don't have FTP open for those security reasons, but my first google search gave some answers about server settings and active versus passive ftp. As far as I know you only have to make a NAT rule on pfSense for port 21. The rest will be handled automatically with your version of pfSense.



  • Hi. I know that I should not open all those ports… I forwarded that many so that, in case that was the problem, at least I could understand it.
    The fact is that when only forwarding port 21, like in a simple router, pfsense does not handle the connection and I get the error above. Yes, I can live without setting up remote ftp access, but I can't understand why I am not able to use it if needed.

    Thank you for your replies



  • Okay, found the solution to my problem. I have tried and changed the passive ftp port range of the vuplus and forwarded these ports to its ip.
    Access to ftp from the wan side succeeded completely!

    In pfsense, why isn't there an option like [ Tracking / NAT Helpers - FTP nat helper ] that takes care of opening the rest of the ports needed when there is an ftp connection/data transfer going on? For security reasons, since it's a firewall?

    Thank you.



  • When using FTP behind a NAT Firewall, I've always forwarded the passive ports.  Unless the firewall dynamically monitors FTP connections and opens ports dynamically when it detects a passive FTP connection, which I'm guessing is what the FTP helper is trying to achieve.

    From -> http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes:

    FTP helper now in kernel

    So, maybe it's a kernel bug or the "FTP Helper" has been deprecated.  If someone has a more official explanation, feel free to chime in.



  • @marvosa:

    When using FTP behind a NAT Firewall, I've always forwarded the passive ports.  Unless the firewall dynamically monitors FTP connections and opens ports dynamically when it detects a passive FTP connection, which I'm guessing is what the FTP helper is trying to achieve.

    From -> http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes:

    FTP helper now in kernel

    So, maybe it's a kernel bug or the "FTP Helper" has been deprecated.  If someone has a more official explanation, feel free to chime in.

    I think you are correct. I have not disabled it, so maybe there is some kind of bug in the FTP helper, since although it is enabled I have to port forward the passive ports myself.
    Except if the FTP helper on pfsense is not supposed to do this like the [ Tracking / NAT Helpers - FTP nat helper ] I mentioned.

    Who knows.

    Regards

