    Passive FTP Setup

      ambientIT

      I'm sure that everyone is sick of the FTP questions by now. I've been reading up on this for about 3 days and haven't found a solution that works. Here's my setup…

      I'm running v1.0.1.
      I have dual WANs but I'm not doing any load balancing on them. The second WAN is simply a backup line and is only used in emergencies.
      I also have CARP set up and that is working fine. Every other protocol is working fine, just not passive FTP.

      I have a CARP VIP setup for the web server that needs FTP.
      I then have 1:1 NAT pointing from the external VIP to the internal LAN IP of the server.
      The FTP-Proxy helper is disabled on all interfaces.

      In the firewall rules I have

      WAN    TCP    *    *    192.168.1.10 (server's IP)    FTP(21)    *
      WAN    UDP    *    *    192.168.1.10                  20         *

      Active works fine at this point.

      I then set up MSFTP to use the passive ports 6100-6200, then added the following rule:

      WAN    UDP    *    *    192.168.1.10  6100-6200    *

      I've tested the FTP from outside the local network and the active works fine but the passive freezes on the PASV command.
      I've tried turning the FTP-proxy app on and off and it seems to make no difference.

      What am I missing here? I am somewhat new to custom firewalling so please bear with me.

        GruensFroeschli

        You allow only UDP. I'm not sure if it's that, but could it be that you need to put TCP there?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          ambientIT

          I have also tried allowing TCP/UDP and it doesn't seem to help. From my limited knowledge I believe that the data ports only require UDP.

            GruensFroeschli

            Nope. I just looked it up. It's TCP.
            --> http://en.wikipedia.org/wiki/Ftp

            If you look at the firewall log, do you see anything blocked?

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              ambientIT

              I checked the logs and nothing is being blocked that I can see.

                ambientIT

                Any other thoughts?

                  cmb

                  1.0.1 is not recommended for new installs. Try 1.2RC2. Also see http://devwiki.pfsense.org/FTPTroubleShooting

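An added example, not part of any post in this thread: a Python check that runs the rules as posted against the inbound TCP data connection a passive-mode client opens after the server's 227 reply, and also flags a reply that advertises an RFC 1918 address from behind NAT. The rule destinations and the 6100-6200 range come from the first post; the sample 227 replies, the 203.0.113.10 documentation address and all function names are constructed for illustration.

```python
import ipaddress
import re

# Pass rules as posted in the thread: (protocol, destination, first port, last port)
POSTED_RULES = [("tcp", "192.168.1.10", 21, 21),
                ("udp", "192.168.1.10", 20, 20),
                ("udp", "192.168.1.10", 6100, 6200)]
# Same rules with the passive range opened for TCP instead (assumed variant)
TCP_RULES = POSTED_RULES[:2] + [("tcp", "192.168.1.10", 6100, 6200)]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; RFC 959 encodes port as p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rule_allows(rules, proto, dst, port):
    """True if any pass rule matches protocol, destination and port."""
    return any(p == proto and d == dst and lo <= port <= hi
               for p, d, lo, hi in rules)

def check_passive(rules, reply, lan_ip="192.168.1.10", pasv_range=(6100, 6200)):
    """Return the problems an outside client would hit on the data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    if not pasv_range[0] <= port <= pasv_range[1]:
        problems.append("port-outside-passive-range")
    # The data connection is a new inbound TCP connection to the NATed server.
    if not rule_allows(rules, "tcp", lan_ip, port):
        problems.append("tcp-data-port-not-allowed")
    # A client on the Internet cannot connect to an RFC 1918 address.
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("private-address-advertised")
    return problems

if __name__ == "__main__":
    # Constructed sample replies, not captured from the poster's server.
    for rules, reply in [(POSTED_RULES, "227 Entering Passive Mode (192,168,1,10,23,222)"),
                         (TCP_RULES, "227 Entering Passive Mode (203,0,113,10,23,222)")]:
        print(parse_pasv(reply), check_passive(rules, reply))
```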