I thought I would document what I had to do to enable a corporate FTP proxy through pfSense, as this "just worked" with my previous router, but with pfSense I was able to log in but not do anything at all (the first stumbling block being that the LIST command would just time out). I've also seen a number of "I can't get my FTP to work behind pfSense" posts with a number of "it works here" responses, and those threads seem to have petered out without any response. Also, much of the discussion and descriptions have centred around v1.x of pfSense, and newer installations are using 2.x, which has a different set of configurations.
What I did:
- Created an allow rule in pfBlocker to bypass the blocking of my company's IP addresses (I have quite a few pfBlocker rulesets installed and the IP address is in that list).
- Created a port forward of port 21 to my internal IP FTP server address, port 21.
- Created a set of 100 ports forwarded for passive FTP connections (as it turns out, these are not needed in my case).
- Configured the FTP server to use the external IP address and forwarded ports for passive connections.
Symptoms of the problem:
- A normal FTP client connected directly to the internet could access the FTP site using either active or passive mode
- An FTP client, proxied by my corporate point of presence, will log in but not allow me to do anything once logged in, as everything just times out
After a lot of debugging involving packet captures etc., I came to the conclusion that the reason the LISTing didn't work was quite simple. The corporate proxy uses an active FTP connection (I cannot change this, and I guess it has the most compatibility), and due to outgoing NAT, the response on port 20 is mapped to a random port >1024 by pfSense. This was ignored by the corporate firewall/package as the response didn't come from the standard port 20, so the communication link was broken.
So, to make this work I had to do 2 things:
- In NAT->Outbound I had to switch to "Manual Outbound NAT rule generation" (which populated the mappings with 3 auto-generated rules)
- Add a 4th rule for the WAN which has my server's internal address and port 20 as the source, destination as any with a blank port (so any port), and translation as Static-port. This makes pfSense map anything sent from port 20 on my internal server to appear to come from my external IP's port 20, which is what is needed for the corporate package to work.
After doing these two things, the FTP server burst into life for my FTP client behind the corporate proxy.
Hopefully this will prove useful to others - I haven't found a post with a description of the problem AND the solution, and I've spent quite a few hours over 2 weeks trying to track this down.
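The check that confirms this diagnosis from the client side, as an added example that is not part of the original post: an active-mode probe that logs in, sends PORT and LIST, and reports which source port the server's data connection actually arrives from. A strict proxy wants that to be port 20; outbound NAT without static-port turns it into a random high port (or, behind the proxy, the LIST simply hangs). The fake FTP server, the user/password and the port numbers 2020 and 0 are constructed for this example so it runs offline; 2020 stands in for port 20 only because binding port 20 needs root. Point observe_active_data_source at a real server from the client side of the NAT to see what a proxy would see.

```python
"""Probe the source port of an active-mode FTP data connection.

A strict corporate FTP proxy expects the server's data connection to come
from port 20. If pfSense outbound NAT rewrites that source port (no
static-port), the client sees a random port > 1024 instead, or nothing.
The fake server here is constructed for this example; it is not a real
FTP daemon and not the pfSense box described in the post.
"""
import socket
import threading

FTP_DATA_PORT = 20  # well-known source port of an active-mode data connection


def _recv_line(sock):
    """Read one CRLF-terminated FTP control line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def observe_active_data_source(host, ctrl_port, user, password, timeout=5.0):
    """Log in, send PORT + LIST, and return the (ip, port) the server's data
    connection really arrives from, as seen by this client (None on timeout)."""
    ctrl = socket.create_connection((host, ctrl_port), timeout=timeout)
    _recv_line(ctrl)  # 220 banner
    for cmd in ("USER " + user, "PASS " + password):
        ctrl.sendall((cmd + "\r\n").encode())
        _recv_line(ctrl)
    # Listen for the data connection and announce it: PORT h1,h2,h3,h4,p1,p2
    listener = socket.socket()
    listener.bind((ctrl.getsockname()[0], 0))
    listener.listen(1)
    listener.settimeout(timeout)
    ip, port = listener.getsockname()
    ctrl.sendall(f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode())
    _recv_line(ctrl)  # 200
    ctrl.sendall(b"LIST\r\n")
    try:
        data, peer = listener.accept()
    except socket.timeout:
        peer = None  # the symptom from the post: LIST just hangs
    else:
        data.settimeout(timeout)
        while data.recv(4096):  # drain the listing
            pass
        data.close()
    finally:
        listener.close()
    try:
        _recv_line(ctrl)  # 150
        _recv_line(ctrl)  # 226
    except socket.timeout:
        pass
    ctrl.close()
    return peer


def data_source_port_ok(peer, expected=FTP_DATA_PORT):
    """True when the data connection came from the port a strict proxy expects."""
    return peer is not None and peer[1] == expected


def fake_active_ftp_server(data_source_port):
    """Minimal active-mode FTP server on 127.0.0.1 (constructed for this example).
    data_source_port=0 picks an ephemeral port, which is what NAT without
    static-port looks like; a fixed port emulates static-port. Returns the
    control port to connect to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ctrl_port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.sendall(b"220 fake\r\n")
        target = None
        while True:
            line = _recv_line(conn)
            if line.startswith("USER"):
                conn.sendall(b"331 pw\r\n")
            elif line.startswith("PASS"):
                conn.sendall(b"230 ok\r\n")
            elif line.startswith("PORT"):
                h = line.split()[1].split(",")
                target = (".".join(h[:4]), int(h[4]) * 256 + int(h[5]))
                conn.sendall(b"200 ok\r\n")
            elif line.startswith("LIST") and target:
                conn.sendall(b"150 here\r\n")
                d = socket.socket()
                d.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                d.bind(("127.0.0.1", data_source_port))  # the server's source port
                d.connect(target)
                d.sendall(b"-rw-r--r-- 1 ftp ftp 0 Jan 1 00:00 file\r\n")
                d.close()
                conn.sendall(b"226 done\r\n")
                break
            else:
                break
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return ctrl_port


if __name__ == "__main__":
    for src in (2020, 0):  # 2020 stands in for static-port 20 (no root needed)
        seen = observe_active_data_source("127.0.0.1", fake_active_ftp_server(src), "u", "p")
        print(f"server source port {src or 'ephemeral'} -> data connection from {seen}:",
              "accepted" if data_source_port_ok(seen, 2020) else "rejected by a strict proxy")
```

Run from the client side of pfSense against the real server, the probe with the default expected port 20 returns False until the static-port outbound NAT rule is in place, and True afterwards.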