Cannot get Passive FTP to work in pfSense in any combination



  • Hello folks,

    At last I replaced our ancient and slow FortiGate-60 with pfSense 1.2-RELEASE and I'm very happy with it, thus far.
    I have a single problem left unresolved: passing in traffic for Passive FTP!

    The network is constructed as follows:

    WAN [static IP and gateway, no L2TP or DHCP]
    OPT1 [static IP, no gateway - left for default routing]
    LAN [static IP, no gateway - left for default routing]

    I added a VIP (external IP:internal IP) on OPT1, type: Other (not ARP or CARP)
    I added a 1:1 NAT with the same pair of IPs
    Then I added the following rules:

    Proto: TCP
    Source: *
    Port: *
    Destination: <internal IP>  Port: 21
    Gateway: *

    Proto: TCP
    Source: *
    Port: *
    Destination: <internal IP>  Port: 1024-65535
    Gateway: *

    Both rules have keep-state set to normal.

    With the above configuration, only Active FTP is working. Passive FTP isn't working. I've attached the XML backup of the configuration, with private data removed.
    I've tried reading tons of documentation, including this (http://devwiki.pfsense.org/FTPTroubleShooting), and using the FTP Helper, to no avail.

    Please assist!

    Thank you in advance.
    Attachment: config-fw.pfsense.local-20080425235445.txt



  • Do you expect 64000+ simultaneous data transfers to the FTP server?

    You might want to limit the port range to match your expected simultaneous number of clients.  Don't forget to set the same limits on the firewall and the FTP server.

    Did you read the sticky thread in the NAT section?

    http://forum.pfsense.org/index.php/topic,7096.0.html

    What works here, with one WAN with 6 proxy ARP IPs and four LANs, is to disable the FTP helper on the LANs and create NAT rules from one of the proxy ARP virtual IPs on the WAN, with limited passive port ranges, to an FTP server on one of the LAN interfaces.

    It didn't take long to test different toggle combinations.

    PS.  Test with a good FTP client, i.e. one of *BSD's ftp clients, on a non firewalled connection outside.



  • Thanks for replying.

    I read what you wrote and read the thread. Then I did the following:

    1. Switched the FTP helper off on both OPT1 and WAN.
    2. Replaced the "Other" VIP with a "P-ARP" VIP for the same IP.
    3. Kept the 1:1 NAT mapping.
    4. Added a rule to allow ANY from WAN to OPT1 – just to check if this works at all.

    Still, the damn thing doesn't work! Why is there no simple way to do this?! Just point-and-click and it works.

    What do you suggest I do next?



  • Because FTP is simply broken by design. It was never really meant to be used behind NAT or firewalls.

    I guess your FTP server is handing out its private IP to the clients, and the client therefore can't reach it across the Internet. Check the man pages of your FTP server for how to make it aware of its public IP.



  • The FTP server is IIS's, and I've seen posts by others who have made this work with pfSense – I am following their advice and experience. But to no avail, as of now.
    By the way, I can connect using non-Passive connection...



  • I have an IIS FTP server behind pfSense as well with zero issues. All I needed to do was forward port 21 and additionally the passive port range (I changed the passive port range, as the default setting that Microsoft ships is plain stupid; see http://support.microsoft.com/?scid=kb%3Ben-us%3B555022&x=13&y=12 ).



  • OK, this problem is resolved now!!
    I was mistaken with my assumption; this is a FileZilla FTP server (and I am happy I made that decision long ago and switched off IIS) and in the Passive FTP section, I had an option to set the external IP address. Doing so fixed the problem instantly…

    Thank you all for the wonderful support and your time.



  • Good work. I just got your message, so sorry I couldn't help earlier. But it sounds like you didn't need it after all.

    FYI - I think you'll be VERY happy you went with PFSense. I had my little nightmare setting it up due to my FTP problems (which turned out to be completely MY user error on the set-up - LESSON: DON'T CLICK CHECKBOXES YOU DON'T UNDERSTAND  ;D ). Since then, these boxes have run flawlessly with amazing reliability. I'm serving millions of sessions a day with them and they run on a pair of 5-year-old desktops. No problems with FTP whatsoever.

    Really amazing stuff here. Can't say enough positive. Put in the time on set-up and see the rewards…

