Unable to establish FTP connection from one LAN to another since upgrading


  • Hello,

    I recently upgraded from 2.1.x to 2.2.4 and ever since then I have been unable to establish a passive FTP connection from one LAN subnet to another. Here is how I have everything set up:

    LAN1: 192.168.10.x
    LAN2: 10.0.10.x

    FTP server: 10.0.10.16

    Proto    Source     Port  Destination  Port  Gateway  Queue
    IPv4 *   LAN1 net   *     10.0.10.16   *     *        none

    As you can see, I have a general allow-any-traffic rule to that specific server, and I can ping it, etc. I can also open an FTP connection to it; the results are attached.

    Additionally, I can confirm it is indeed pfSense that is blocking this, because if I move the FTP server to LAN1 I have no issues.

    Does anyone know how to fix this? Or why this may be happening?

    Thanks in advance!

    EDIT: I have tried establishing the same FTP connection from multiple computers on LAN1 as well.

    EDIT2: Forgot to clarify that I need to use passive mode in the Windows command line for legacy applications.

  • LAYER 8 Global Moderator

    "Additionally, I can confirm it is indeed pfSense that is blocking this, because if I move the FTP server to LAN1 I have no issues."

    That doesn't really prove anything - who says it's not the local firewall on the FTP server blocking connections from non-local segments?

    Yes, the FTP helper/proxy has been removed from pfSense a few versions back. That should have nothing to do with connections between machines on local networks. So understanding FTP is your best bet.

    http://slacksite.com/other/ftp.html

    With a passive connection your client connects to a port that the server sends it. So you see in your PASV reply it's connecting to (39 x 256) + 108 = 10092.

    So if your rule from LAN1 to LAN2 allows that, you should not have any issues. Unless the software firewall on the FTP server is saying "hey, you're coming from something other than the 10.0.10 network." In an active connection your client says via the PORT command "come and connect to me on some port" it would give. So your rules on LAN2 would have to allow that connectivity.

    In this sort of setup you have no need of a helper or proxy on pfSense, unless you were doing NAT between these LAN1 and LAN2 networks?
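As an added example, not part of the thread or of pfSense: parsing the 227 reply the way the moderator describes (port = p1 x 256 + p2) and checking the resulting data port against a simple first-match model of the poster's LAN1 rule and of a hypothetical server-side firewall that only trusts 10.0.10.0/24. The rule sets, the client address 192.168.10.25 and the sample reply are constructed.

```python
import ipaddress
import re

# RFC 959 PASV reply, e.g. "227 Entering Passive Mode (10,0,10,16,39,108)."
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the data port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV (227) reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV fields must be 0..255")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def rule_allows(rules, src_ip, dst_ip, dst_port):
    """First-match evaluation over (src_net, dst_ip_or_*, (lo, hi), action)."""
    src = ipaddress.ip_address(src_ip)
    for src_net, dst, ports, action in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ("*", dst_ip)
                and ports[0] <= dst_port <= ports[1]):
            return action == "pass"
    return False  # implicit default deny, as on a pfSense interface


# Constructed model of the poster's pfSense rule: LAN1 net -> 10.0.10.16, any port
PFSENSE_LAN1 = [("192.168.10.0/24", "10.0.10.16", (1, 65535), "pass")]
# Constructed, hypothetical host firewall on the server trusting only its own subnet
HOST_FW_LOCAL_ONLY = [("10.0.10.0/24", "*", (1, 65535), "pass")]


def data_channel_permitted(pasv_reply, client_ip, rules):
    """Would the passive data connection implied by the reply pass these rules?"""
    host, port = parse_pasv(pasv_reply)
    return rule_allows(rules, client_ip, host, port)


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (10,0,10,16,39,108)."  # constructed sample
    print(parse_pasv(reply))                                            # ('10.0.10.16', 10092)
    print(data_channel_permitted(reply, "192.168.10.25", PFSENSE_LAN1))        # True
    print(data_channel_permitted(reply, "192.168.10.25", HOST_FW_LOCAL_ONLY))  # False
```

The second check is the moderator's point: the pfSense rule passes port 10092, so a failure from LAN1 that disappears when the client sits on 10.0.10.x points at a filter on the server itself.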