Netgate Discussion Forum

    Strange FTP Behavior.

    • G
      gordon
      last edited by

      I have two vsftpd servers running locally with ftps (SSL) enabled; both servers have listening port 21.

      I have port forwarded the ports in pfsense firewall.

      Server 1 = port 21 to port 21 on 192.168.1.2
      Server 2 = port 2121 to port 21 on 192.168.1.3

      Login from outside is working great to server 2 on port 2121, but on server 1 on port 21 it is stopping up and I get an error, please see attached screenshot.
      It must be something with pfsense, because if I change from 21 to 990 in the firewall, for example, then it works…. strange?

      Does pfsense handle something differently with port 21 than other random ports?

      If something is not clear please ask, thank you for your time!

      Capture.PNG
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Sure looks like 21 is just not getting to pfsense..  Blocking of port 21 would be a common isp thing for sure..  Validate traffic is getting to pfsense from the outside on 21, it can not forward what it does not see.

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • G
          gordon
          last edited by

          @johnpoz:

          Sure looks like 21 is just not getting to pfsense..  Blocking of port 21 would be a common isp thing for sure..  Validate traffic is getting to pfsense from the outside on 21, it can not forward what it does not see.

          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

          Port 21 without encryption is working, so it is only now when I try to use ftps.

          So pfsense doesn't do anything different?

          I have used 21 with ftps earlier with the same ISP.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            What version of pfsense are you using?  If OLDER version then it had the ftp helper/proxy – but that was removed many versions ago.

            • G
              gordon
              last edited by

              @johnpoz:

              What version of pfsense are you using?  If OLDER version then it had the ftp helper/proxy – but that was removed many versions ago.

              Okay, I have 2.1.5-RELEASE.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Why do people run such old versions… I just don't get it... Yes that version had an ftp proxy/helper that will modify stuff in the stream to allow users to use passive/active connections depending on direction..  But when using ftps or ftpes where pfsense can not see the data in the control channel you're going to have to do the port forwarding on your own.

                So are you running passive or active connection from outside?

                You want a simple solution that is SECURE.. switch to sftp... Why anyone still plays around with ftp be it using ssl or not just blows my mind..  With sftp your data and control are over only 1 port, there is not this split control and data ports and none of the direction issue on who connects to who on the data port.. Just whatever port you want to use or just the standard ssh port of 22.

                If you want my advice I would say drop this antiquated/depreciated hold on ftp and just move to sftp..

                • G
                  gordon
                  last edited by

                  @johnpoz:

                  Why do people run such old versions… I just don't get it... Yes that version had an ftp proxy/helper that will modify stuff in the stream to allow users to use passive/active connections depending on direction..  But when using ftps or ftpes where pfsense can not see the data in the control channel you're going to have to do the port forwarding on your own.

                  So are you running passive or active connection from outside?

                  You want a simple solution that is SECURE.. switch to sftp... Why anyone still plays around with ftp be it using ssl or not just blows my mind..  With sftp your data and control are over only 1 port, there is not this split control and data ports and none of the direction issue on who connects to who on the data port.. Just whatever port you want to use or just the standard ssh port of 22.

                  If you want my advice I would say drop this antiquated/depreciated hold on ftp and just move to sftp..

                  Probably an old tradition :) As I see it, it is safe to use, but running data transfer over ssl port 22 has some limitation on speed; when I'm testing I can see it is slower… Anyway, I want to use FTPS for now :)

                  I tried to upgrade pfsense to latest version, same issue.....

                  It has to be something with port 21 and pfsense as I see it.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Dude are u using active or passive? I can tell u this takes all of 15 seconds to set up. Have u gone over the port forwarding troubleshooting guide? I am on phone or would link.  Pfsense does nothing with port 21, especially when it's encrypted and it can not even tell it's ftp.

                    • G
                      gordon
                      last edited by

                      @johnpoz:

                      Dude are u using active or passive? I can tell u this takes all of 15 seconds to set up. Have u gone over the port forwarding troubleshooting guide? I am on phone or would link.  Pfsense does nothing with port 21, especially when it's encrypted and it can not even tell it's ftp.

                      Passive.

                      Yes, I have tried a guide I found for fault finding on the internet…

                      The funny thing is, when I change to a random port instead of 21 on pfsense, for example WAN 850 to 21 on 192.168.1.2, it's working... hehe so this only happens with 21 on WAN IP... so if you say that pfsense doesn't do anything.. it has to be my ISP.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        In passive connection the server says come talk to me on port x
                        http://slacksite.com/other/ftp.html

                        So u have to forward those ports

                        But from what u were showing it's not even making a control connection

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.