Strange FTP Behavior.



  • I have two vsftpd servers running locally with ftps (SSL) enabled; both servers have listening port 21.

    I have port forwarded the ports in pfsense firewall.

    Server 1 = port 21 to port 21 on 192.168.1.2
    Server 2 = port 2121 to port 21 on 192.168.1.3

    Login from outside is working great to server 2 on port 2121, but on server 1 on port 21 it is stopping up and I got an error, please see attached screenshot.
    It must be something with pfSense, because if I change from 21 to 990 in the firewall, for example, then it works…. strange?

    Does pfSense handle something differently with port 21 than other random ports?

    If something is not clear please ask, thank you for your time!



  • LAYER 8 Global Moderator

    Sure looks like 21 is just not getting to pfsense..  Blocking of port 21 would be a common isp thing for sure..  Validate traffic is getting to pfsense from the outside on 21, it can not forward what it does not see.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • @johnpoz:

    Sure looks like 21 is just not getting to pfsense..  Blocking of port 21 would be a common isp thing for sure..  Validate traffic is getting to pfsense from the outside on 21, it can not forward what it does not see.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Port 21 without encryption is working, so it is only now when I try to use ftps.

    So pfsense doesn't do anything different?

    I have used 21 with ftps earlier with the same ISP.


  • LAYER 8 Global Moderator

    What version of pfsense are you using?  If OLDER version then it had the ftp helper/proxy – but that was removed many versions ago.



  • @johnpoz:

    What version of pfsense are you using?  If OLDER version then it had the ftp helper/proxy – but that was removed many versions ago.

    Okay, I have 2.1.5-RELEASE.


  • LAYER 8 Global Moderator

    Why do people run such old versions… I just don't get it... Yes that version had an ftp proxy/helper that will modify stuff in the stream to allow users to use passive/active connections depending on direction..  But when using ftps or ftpes where pfsense can not see the data in the control channel you're going to have to do the port forwarding on your own.

    So are you running passive or active connection from outside?

    You want a simple solution that is SECURE.. switch to sftp... Why anyone still plays around with ftp be it using ssl or not just blows my mind..  With sftp your data and control are over only 1 port, there is not this split control and data ports and none of the direction issue on who connects to who on the data port.. Just whatever port you want to use or just the standard ssh port of 22.

    If you want my advice I would say drop this antiquated/deprecated hold on ftp and just move to sftp..



  • @johnpoz:

    Why do people run such old versions… I just don't get it... Yes that version had an ftp proxy/helper that will modify stuff in the stream to allow users to use passive/active connections depending on direction..  But when using ftps or ftpes where pfsense can not see the data in the control channel you're going to have to do the port forwarding on your own.

    So are you running passive or active connection from outside?

    You want a simple solution that is SECURE.. switch to sftp... Why anyone still plays around with ftp be it using ssl or not just blows my mind..  With sftp your data and control are over only 1 port, there is not this split control and data ports and none of the direction issue on who connects to who on the data port.. Just whatever port you want to use or just the standard ssh port of 22.

    If you want my advice I would say drop this antiquated/deprecated hold on ftp and just move to sftp..

    Probably an old tradition :) As I see it, it is safe to use, but running data transfer over ssl port 22 has some limitation on speed; when I'm testing I can see it is slower… Anyway, I want to use FTPs for now :)

    I tried to upgrade pfsense to latest version, same issue.....

    It has to be something with port 21 and pfsense as I see it.


  • LAYER 8 Global Moderator

    Dude are u using active or passive? I can tell u this takes all of 15 seconds to set up. Have u gone over the port forwarding troubleshooting guide? I am on phone or would link.  Pfsense does nothing with port 21, especially when it's encrypted and it can not even tell it's ftp



  • @johnpoz:

    Dude are u using active or passive? I can tell u this takes all of 15 seconds to set up. Have u gone over the port forwarding troubleshooting guide? I am on phone or would link.  Pfsense does nothing with port 21, especially when it's encrypted and it can not even tell it's ftp

    passive.

    Yes, I have tried a guide I found for fault finding on the internet…

    The funny thing is, when I change to a random port from 21 on pfsense, for example WAN 850 to 21 on 192.168.1.2, it's working... hehe so this only happens with 21 on WAN IP... so if you say that pfsense doesn't do anything.. it has to be my ISP.


  • LAYER 8 Global Moderator

    In passive connection the server says come talk to me on port x
    http://slacksite.com/other/ftp.html

    So u have to forward those ports

    But from what u were showing its not even making a control connection

