pfSense

Interesting because i'm getting reports from vendors who refuse to change away from FTP that PASV mode is not working either ... can that even be possible ?

Chris Buechler wrote:

check out the info here:
https://doc.pfsense.org/index.php/FTP_without_a_Proxy

it's always possible to support passive mode without a proxy, though it can require some additional configuration.

ohh... okay, so just by switching from Active Mode ( that requires the proxy ) to Passive doesn't make the clients behind NAT able to connect to an FTP server on the internet ?

Chris Buechler wrote:

check out the info here:
https://doc.pfsense.org/index.php/FTP_without_a_Proxy

it's always possible to support passive mode without a proxy, though it can require some additional configuration.

NO wait ... i just read that page, it clearly says that a CLIENT behind pfsense router should be able to connect just fine unless there is a restrictive outbound policy ? is there a restrictive outbound policy by default on pfsense ?

In a completely default config, passive FTP clients will work fine. The default LAN rule permits what's necessary.

Please post to the forum or mailing list with info on your LAN firewall rules and specifics about what you're seeing if you have any further questions.

Chris Buechler wrote:

In a completely default config, passive FTP clients will work fine. The default LAN rule permits what's necessary.

Please post to the forum or mailing list with info on your LAN firewall rules and specifics about what you're seeing if you have any further questions.

Confirmed Passive FTP working just fine ... Looks like quite a few of software vendors liked to use Active FTP it seems ... finding new "road blocks" every time I upgrade a router at a different client's location.

As a stop gap measure for the time being, I created a basic FTP Client Proxy package using ftp-proxy(8) from FreeBSD to help local clients connect to remote FTP servers using active FTP. It's available in packages now for testing.

Thanks man! I'll test it. On forum a lot of people criticized the use of FTP, but as a legacy measure, we must keep it while legacy systems still in use.

If it suffices, please explain to me how I am supposed to setup pfsense / vsftpd so that :

- One FTP server is behind a PFSense
- This FTP server is accessible via WAN, and several other VLANs, via different IP addresses.
- The FTP server only has one real IP address, and the IP addresses as seen by the clients are NAT'ed by PFSense

The obvious issue here without FTP helper : the FTP server PASV reply always sends the same IP to connect to.

Please do not reply that FTP should not be used, I obviously agree that this pile of $*%! should have never been invented in the first place, but I also have to deal with obligations beyond my wills.

You're talking about the "FTP Client Proxy" package in the related section of the latest version of PFSense, right ?

It only suffices for those in need of a FTP proxy as a client.
For those of us using PFSense as something more than a home firewall, with a slightly complex network, there is a real need to bring a proper FTP proxy back to PFSense, even if it is disabled by default.

I agree with Jérémy R. The FTP proxy is still needed to properly handle communication with an FTP server sitting behind a pfSense firewall.