
Author Topic: This is infuriating, FTP issues  (Read 260 times)


Offline nafeasonto

This is infuriating, FTP issues
« on: December 23, 2017, 04:01:10 pm »
PfSense for some reason is throwing me off as a firewall compared to ASA.

I am trying to set up an FTP server.

In IIS, I set the data port range to 25000-25020.  Attached it to the public IP address.

In the FTP site, I did the same thing, except the data port range is already set.

In the PFSENSE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

I can connect to my FTP, but it fails directory listing. I know the FTP works, as locally it can get the directory, so it's set up right.

But why is PFSENSE STILL blocking the 25000-25020 range?

What am I missing?

Offline ptt

Re: This is infuriating, FTP issues
« Reply #1 on: December 23, 2017, 04:05:35 pm »

Offline nafeasonto

Re: This is infuriating, FTP issues
« Reply #2 on: December 23, 2017, 04:31:34 pm »
I tried FileZilla server, it lists the directory maybe one or two times then still fails.

There is something wrong on the PFSENSE failing to forward the ports for some reason, what else am I missing?

Online johnpoz

Re: This is infuriating, FTP issues
« Reply #3 on: December 24, 2017, 03:49:37 am »
"But why is PFSENSE STILL blocking the 25000-25020 range."

That is a pretty short range.. Let's see the ftp history where it shows that in your PASV command...  Troubleshoot your port forward issue if you say ftp server is using the correct range..

https://doc.pfsense.org/index.php/FTP_Troubleshooting

So you see here in simple connect to ftp I spun up local.. The PASV command returns 19,172 which = 19*256 + 172 or port 5036, which is great since I have ftp server set to use port 5000-5100

Also you sure it's giving out your public IP.. See mine gave out the 192.168 address since I just connected to it local..  If you're going to be coming from public side it needs to give the public IP.. pfsense is not going to auto change that like it used to back in the day with the ftp helper/proxy..  You're not trying to test this via nat reflection are you - you're actually coming from the outside, not from some box on your network hitting your public IP hoping to get reflected back in.

My other suggestion would be to just use sftp.. It's secure and only 1 port ;)

Where is the client coming from?  Maybe the passive port is blocked on their side... This is why ftp with its 2 different channels and the active and passive modes through nat - normally on both sides and restrictions in firewall is such a PITA.. It should have died off 10+ years ago... Just use SFTP, one single port 22.. It's either open or it's not.. easy peasy and you're not sending the freaking username and password in clear text ;)

« Last Edit: December 24, 2017, 03:52:50 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)
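
The PASV check described in the reply above, as an added example that is not part of the original thread: it parses a `227` reply, computes the data port as p1*256 + p2, and flags an advertised address an outside client cannot reach or a port outside the forwarded range. The sample replies and addresses are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 959 reply to PASV: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

# Addresses an outside client cannot reach: RFC 1918, loopback, link-local.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"field above 255 in: {reply!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def check_pasv(reply, forwarded, client_is_external=True):
    """Return the problems a client would hit on the data connection."""
    ip, port = parse_pasv(reply)
    lo, hi = forwarded
    problems = []
    if client_is_external and any(ip in net for net in UNROUTABLE):
        problems.append(f"server advertises unroutable address {ip}")
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Constructed replies; 203.0.113.10 is a documentation address
    # standing in for the WAN IP.
    samples = [
        ("227 Entering Passive Mode (192,168,9,8,19,172)", (5000, 5100)),
        ("227 Entering Passive Mode (203,0,113,10,97,170)", (25000, 25020)),
        ("227 Entering Passive Mode (203,0,113,10,195,80)", (25000, 25020)),
    ]
    for reply, ports in samples:
        print(reply, "->", check_pasv(reply, ports) or "ok")
```

Paste the `227` line from the FTP client's log as the first argument and the range forwarded on the firewall as the second.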

Offline Derelict

Re: This is infuriating, FTP issues
« Reply #4 on: December 24, 2017, 11:34:08 am »
Quote
In the PFSENSE firewall, I forwarded port 21, to the outside address of my ISP, and the PASSIVE range, to the 25000-25020 to the OUTSIDE address of my ISP. I used the PORT FORWARD feature on the firewall, and had it make an automatic NAT rule.

Post said port forward.
Las Vegas, Nevada, USA
Do Not PM For Help! NO_WAN_EGRESS™

Online johnpoz

Re: This is infuriating, FTP issues
« Reply #5 on: December 24, 2017, 11:51:00 am »
Good catch Derelict - yeah "OUTSIDE address of my ISP" never going to work that way ;)