pfSense Gold Subscription

Author Topic: How to set up FTP? (client behind pfSense, active mode)  (Read 95 times)

0 Members and 1 Guest are viewing this topic.

Offline e4ch

  • Newbie
  • *
  • Posts: 5
  • Karma: +1/-1
    • View Profile
How to set up FTP? (client behind pfSense, active mode)
« on: December 16, 2017, 07:38:01 pm »
I understand how FTP works in all modes (see http://slacksite.com/other/ftp.html) and I have the following scenario:
I want all clients on the LAN to be able to connect to random FTP servers on the Internet, mainly to download software, usually not even a login is required. Mostly by following links on web pages.
I do understand that FTP is an old technology and should no longer be used, but unfortunately it is.
When following links in browsers, I assume we are talking about Active FTP here. If I'm wrong, let me know.
Passive FTP would work "out-of-the-box", but not with browsers and not when all upper ports are closed by default, so that's not an option.
My previous router with DD-WRT supported this without configuring anything (maybe the browser was switching to passive FTP and of course outgoing traffic is always open there).
Then I had a ZyWALL, where I had to enable FTP ALG to get this working.
Now I have pfSense and don't know how to configure this. I understand that older versions had FTP ALG, but this is no longer included or something.
I heard there are "packages" to install this FTP proxy. I know FTP is crap, but as long as it is used (=forever) pfSense should provide some support for it.
The help page for this (https://doc.pfsense.org/index.php/FTP_without_a_Proxy) also doesn't tell anything how to set this up (except "will not work"). There's a link to a command-line tool though. Is there any documentation on how to set this up? I mean this must be something that everyone needs, so it should be fairly common. I see a lot of questions, but no real answers to this.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9257
  • Karma: +1054/-308
    • View Profile
Re: How to set up FTP? (client behind pfSense, active mode)
« Reply #1 on: December 16, 2017, 08:37:15 pm »
Look at the FTP Client Proxy package.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline e4ch

  • Newbie
  • *
  • Posts: 5
  • Karma: +1/-1
    • View Profile
Re: How to set up FTP? (client behind pfSense, active mode)
« Reply #2 on: Yesterday at 06:17:19 am »
Look at the FTP Client Proxy package.

Thanks for your reply Derelict. Unfortunately I already knew that I probably needed to install a package or something (see my question). As I'm new to pfSense, I was looking for instructions. Anyway, after some more hours of googling, I found the solution myself. For anyone else reading this thread, here's the solution. It always is easy or even trivial after you know the solution.

I found the thread https://forum.pfsense.org/index.php?topic=89841.0 where user jimp in this forum explains that he implemented this package. The link goes to GitHub (https://github.com/pfsense/pfsense-packages/commit/a868b2522ef865f117c892a07ae3507686783ff3), to a specific commit, and the post is from 2015, but looking at the GitHub repository, there are 12112 commits, with the latest from 12 Oct 2015.
Anyway, there is no need to work with GitHub, or compile anything, here are the simple instructions:

1. Remove all FTP-related firewall rules you have already added while trying around.
2. In pfSense, go to System / Package Manager / Available Packages and install "FTP_Client_Proxy"
3. Go to Services / FTP Client Proxy and select the following options:
- Check "Enable the FTP Proxy"
- Local Interface = LAN
- Check "Early Firewall Rule" (only if you have a "block all" rule at the end)
- Save

I tested with pfSense version 2.4.2-RELEASE-p1 (amd64) and it works fine from the browser.

Very simple and straightforward - if you know how.