
PFsense blocking FTP


LIDHosting:
Hello,

I'm using pfSense 2.4.2.

So I have been trying for a month to get my FTP Server working.

I can connect to it using the LAN IP while inside the network.

When I try to use the WAN IP, I get this error:

Status:   Connecting to XX.XX.XX.XX:21...
Status:   Connection established, waiting for welcome message...
Status:   Insecure server, it does not support FTP over TLS.
Status:   Logged in
Status:   Retrieving directory listing...
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing


I have the NAT rule to allow this port to the FTP server's LAN IP.

I don't know what I'm doing wrong.

Could someone really give me a hand with this?

Here is a screenshot of the rules I have...

Thank you in advance.

Grimson:
https://forum.pfsense.org/index.php?topic=15811.0

johnpoz:
In no scenario would you ever need to forward 20. This is the source port of a server with an active client.

And you're trying to access it via NAT reflection? Or are you trying to access it from outside your network?

You're trying to do a passive connection to a server behind pfSense. Then you would have to forward the passive ports that the server would send back.

Understanding how FTP works is the first step to fixing your issue.
http://slacksite.com/other/ftp.html

To allow for passive connections from outside pfSense to a server inside pfSense, you need to forward 21, or whatever port you want to use for control, to this server, if you're going to be using more than one FTP server behind pfSense, which it seems you're trying to do.

You need to set this server to correctly hand back your public IP for the passive data connection to work. And you need to set this server to use specific ports for the passive connections. Say 5000 to 5100, and then forward those to the FTP server.

LIDHosting:
Hello, yes, thanks. I'm trying to access the server inside pfSense. I can access it with the LAN IP, but when I try using the WAN of the website ftp,xxxxxx,com I can't.

I have the port forwards and passive set.
Here's what I get:

Status:   Retrieving directory listing of "/public_html"...
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-Options: -a -l
Response:   226 43 matches total
Error:   Connection timed out after 20 seconds of inactivity
Error:   Failed to retrieve directory listing


It connects but will not show the files, then times out.

Thanks

johnpoz:
"Status:   Server sent passive reply with unroutable address. Using server address instead."

So your server sent its actual RFC address vs. its public IP.

And what was the PASV command sent, so you can figure out what port the client was told to use?

So see attached... here I connected to a server in active mode. I sent a PORT command that told the server, hey, connect to me at 64.53.x.x on port (197 x 256) + 70 = 50502.

29.192.171.195.in-addr.arpa. 3600 IN    PTR     ftp.sophos.com.

See the 196,64 - that is telling me to connect on port (196 x 256) + 64, or port 50240... So where is this command? If your server is passive behind pfSense, then you would have to forward the passive ports you're using. What passive ports did you set up on the server? I only see you forwarding 21... not the data ports. See the 2nd pic as an example, where you set specific passive ports to use on the server and the IP to send the client vs. its local RFC 1918 address.


" I try using wan of the website ftp,xxxxxx,com i cant,"

Also, if you're trying to do that from inside your own network, that would be NAT reflection and even more of a PITA... You need to test your FTP server from outside, exactly... If you send me your IP and username and password, I will test it from outside for you. But you need to correctly set up the server and firewall rules for passive mode behind pfSense if you ever expect anyone from outside on the internet to connect. You really should use, say, SFTP, which is secure and only needs you to forward one port.

