HOW I SOLVED THE FTP PROBLEM FOR INCOMING CONNECTIONS…



  • My situation:

    PF has a WAN interface with a public static IP address and two LANs, LAN and OPT. On LAN there is an FTP server running FileZilla Server on port 21; it should be reachable from the internet (WAN) through port 2121 and not 21.
    Prior to these actions the external client got the message "can't open data connection".

    My Solution:

    On FileZilla Server --> Settings --> Passive Mode Settings, uncheck "Default IP address" and check "Use the following address", typing my external one; uncheck "Don't use external IP for local connections" and check "Use custom port range", then define a range (I did 20000 to 20050).

    On PFSense --> INTERFACES --> WAN, uncheck "Disable the userland FTP-Proxy application"
    PFSense --> INTERFACES --> LAN, uncheck "Disable the userland FTP-Proxy application"
    PFSense --> FIREWALL --> NAT, create the rule "if WAN, proto TCP, ext port 2121, nat address 192.168.169.10, int port 21"
    PFSense --> FIREWALL --> NAT, create the rule "if WAN, proto TCP/UDP, ext port 20000-20050, nat address 192.168.169.10, int port 20000-20050"
    PFSense --> FIREWALL --> Rules, automatically created by the system during NAT config

    No more actions on the server side.

    From outside, using FileZilla client or Explorer in passive mode, all is working.

    Now I'll monitor for the next few days if it is stable or not and if necessary I'll update this post.

    I hope this is useful for someone.

    ciao...gigi



  • Thanks gigi!

    It was useful.  I did have to make some modifications to your how-to to make it work for my situation/setup.

    Here's what I found (my solution)…

    My FTP client is Transmit (Mac OS X).  My FTP site is running on a Mac OS X Server running PureFTPD, (an extremely excellent FREE program that makes running a customized FTP server on the Mac a cinch--highly recommended) on the LAN side.

    On PFSense --> INTERFACES --> WAN, CHECK "Disable the userland FTP-Proxy application" (I could not make a connection with it enabled)
    PFSense --> INTERFACES --> LAN, CHECK "Disable the userland FTP-Proxy application" (I could not make a connection with it enabled)
    PFSense --> FIREWALL --> NAT, create the rule "if WAN, proto TCP, ext port 21, nat address 192.168.169.10 (or whatever your FTP server's LAN address is), int port 21"
    PFSense --> FIREWALL --> NAT, create the rule "if WAN, proto TCP/UDP, ext port 20000-20050, nat address 192.168.169.10, int port 20000-20050"
    PFSense --> FIREWALL --> Rules, automatically created by the system during NAT config

    Now after doing this, I could connect, but I would get an error message regarding the directory list not being retrieved.  ???  At this point I took a look at the settings for the passive port range on my FTP server.  They were blank, so I entered "From: 20000" and "To: 20050", restarted my FTP service, and attempted to connect again with Transmit.  It worked!  ;D

    So the key seems to be setting your FTP server's passive mode range and creating a matching TCP/UDP rule in pfsense.

    Hopefully other members will add to this thread when they find what works for them.  I was about to give up on pfsense before I discovered this post.

    Here's some keywords to help folks find this message in a search:  cannot connect ftp problem connection solution



  • Here is an update to my last message…

    Unfortunately, what worked from my house to my employer's location did not work for 5 out of 10 employees who rely on sending their work in via FTP.

    I tried a number of port ranges, blah, blah, blah.

    Here's what worked for getting everyone in my company access (and it is a small compromise):

    IF you want to use a VIP for your outside address AND you are not using a backup pfsense router with CARPing--GIVE UP.  Use the WAN address of your pfsense-based unit with the FTP userland proxy enabled.  Perhaps there is a way to use a CARP VIP on a single unit with another NIC installed, but I could not locate any how-tos regarding this.

    Follow the instructions listed here:

    http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo&show_comments=1#comments

    Hopefully this link will automatically show the comments, because it is very important to establish your NAT rules for FTP routing AFTER you have enabled the FTP userland proxy helper.

    I hope this at least helps somebody.



  • This is not working for me. I have deleted and recreated my NAT rules and VIP several times, I deleted them, turned off the helper, saved, turned the helper back on and recreated with no change.

    All other services work wonderfully through the VIPs mapped to internal servers using port forwarding. I can connect to the servers internally with the internal addresses, but connecting to the external address results in an instant connection closed message.

    The VIPs are all part of our /27 address range. Our main FTP server is also our main webserver, and using the port forwarding and VIPs the server serves webpages perfectly. The NAT rule looks like this:

    WAN  TCP  21 (FTP)  192.168.xx.xx (ext.: xx.xx.xx.35) 21 (FTP)

    and I allowed it to create its own rules.

    If anyone has a suggestion or needs more info let me know. Thanks  :)



    For some reason, I am not able to access my FTP server from outside my network unless I use port 2121.  It worked fine until I changed my ISP.  Everything else works fine (http, https, etc.).  I can access the FTP inside my firewall (ftp://192.168.0.106) so I know it has to be something with the router firewall.  Any ideas would be very much appreciated.

    Thanks…



  • DISABLE FTP Helper on ALL interfaces

    Interfaces -> LAN/WAN ->

    FTP Helper [CHECK] Disable the userland FTP-Proxy application

