Trouble accessing FTP sites via pfSense


I've been trying to access an external FTP site without success. Public FTP sites can't be reached either.  I've used Filezilla, IE, Chrome, Passive mode, and Active mode.  I'm convinced the problem lies with my router, specifically pfSense.

Does anyone here have experience in trying to configure pfSense so that they can access external FTP sites?
Asif Bacchus (I.T. Consultant) commented:
pfSense does not block FTP by default.  Do you have access to your pfSense box via the web console or otherwise?  Can you check the settings?  If so, have you taken a look at the outgoing tab on your firewall setup page?  Perhaps port 21 is being restricted to a certain group of originating IPs?
redbirdchief (Author) commented:

Yes I have access to pfSense via the web console. If by outgoing you mean Outbound under Firewall->NAT->Outbound, there are no mappings, but the mode is set to "Automatic outbound NAT rule generation (IPsec passthrough included)". I've also thumbed through all the Firewall rule tabs and there's nothing already created for ports 21 or 20.

Will I need to add an Alias, or Port Forwarding under the NAT tab?
Asif Bacchus (I.T. Consultant) commented:
No, those things would not apply in this case.  As I understand it, you are just trying to access an FTP site over the internet, correct?

If so, your outgoing NAT is correct.  Please have a look at Firewall > Rules, LAN tab and see if you are restricting outgoing communications on ports 20 or 21 and/or limiting them to originating from a particular source IP address.  For most people, they only have the 'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule', which means no outgoing communication (including FTP) is blocked.

Assuming your pfSense is not blocking things, as above, are you sure there are no other firewalls in play?  Perhaps the windows built-in firewall is active on your machine?

Have you tried using telnet?  Open a connection to the remote FTP via telnet using port 21 and see if that works.  If it does, then nothing is blocking FTP.  If it does not, perhaps your ISP is blocking FTP for some reason?

Let me know how these steps go.

redbirdchief (Author) commented:

Yes, just trying to access FTP over the net.  Under Firewall>Rules>LAN, nothing's listed for Ports 20 or 21.  'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule' are both present but greyed out.

I've disabled the Windows firewall before to try accessing the FTP and that had no result. Pinging and telnetting to the FTP (both IP and host name) still doesn't let me connect.  Any blocked sites I've been able to allow through OpenDNS, to which I've even added the FTP host name into the exceptions list.

I appreciate your help, and look forward to further advice.
redbirdchief (Author) commented:
Oh, I forgot to comment on something: I don't know if my ISP is preventing access, that I'll have to figure out.
Asif Bacchus (I.T. Consultant) commented:
Greyed out rules mean they are disabled.  This is a problem.  If the default rules are greyed out, then the ONLY traffic permitted must be explicitly listed.  As such, I imagine you have other rules which state allowed traffic, such as one that allows any LAN --> port 80 outgoing for web access, etc.?  

My standard rule-set looks like the attached picture, to give you an idea.  It allows any outgoing traffic by default (default rules not greyed out) but specifically blocks port 25 traffic unless it's from our mailserver (stops trojans on local computers acting as mailservers), and there is the anti-lockout rule also.  I imagine yours must look quite different?

Without the default rules, and if you have no explicit 'allow' rule for FTP ports 20 & 21, then such outgoing traffic definitely will be blocked by pfSense.

Does this make sense?  If not, I'll try to explain more clearly with more screenshots.
[Attached image: My standard outgoing LAN firewall rule setup]
redbirdchief (Author) commented:

On my list, Port 80 is listed in the Anti-Lockout Rule, and appears again in its own rule. There are then 5 more rules, each with its own port.  Yes, this is starting to make more sense now.

What's next, enable the defaults? Create new rules for ports 20 and 21?
Asif Bacchus (I.T. Consultant) commented:
Ok, now we're getting somewhere! :-)

Unless there is a specific reason to control all outgoing traffic (i.e. company policy, legal reasons, heightened security infrastructure, etc.) then going with the default outgoing rules will make your life MUCH easier.  You can re-enable the default rules (IPv6 is optional obviously for an IPv4 environment) and then disable and/or delete the 5 explicit rules.

Otherwise, simply create a new rule for your outgoing FTP.  Remember that FTP traffic is many times both TCP and UDP!  I've attached a screen shot to help you out.


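The telnet check suggested earlier in the thread and the outgoing rule discussed in the reply above come down to the same question: which of FTP's two TCP connections is being stopped? The control channel is TCP/21; the data channel is a second TCP connection, and in passive mode the client opens it outbound to a high port the server names in its PASV reply. The script below is an added example, not code from the original posts or from pfSense. It automates the port 21 check, logs in anonymously, then sends PASV and parses the data port the server hands back, because a LAN rule that permits only TCP/21 lets the login succeed and still stalls every directory listing and transfer. The host name ftp.example.invalid, the anonymous password, and the loopback server used for offline runs are assumptions made for this example.

```python
# Added example (not from the thread or from pfSense): outbound FTP probe that
# separates "control port blocked" from "passive data port blocked".
import re
import socket
import sys
import threading

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def read_reply(f):
    """Read one FTP reply, including multi-line '220-...' forms -> (code, text)."""
    first = f.readline().decode("ascii", "replace")
    if not first:
        return None, ""
    lines, code = [first.rstrip("\r\n")], first[:3]
    if first[3:4] == "-":                       # multi-line reply ends on '<code> '
        for line in iter(f.readline, b""):
            text = line.decode("ascii", "replace")
            lines.append(text.rstrip("\r\n"))
            if text.startswith(code + " "):
                break
    return code, "\n".join(lines)


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port), else None."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def probe(host, port=21, timeout=5.0, user=b"anonymous", password=b"probe@example.invalid"):
    """Connect to the control port, log in anonymously, ask for PASV; record how far it got."""
    r = {"control": False, "banner": "", "login": None, "pasv": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            f = s.makefile("rb")
            code, r["banner"] = read_reply(f)
            r["control"] = True                 # TCP/21 reachable: neither ISP nor LAN rule blocks it
            if code != "220":
                return r
            s.sendall(b"USER " + user + b"\r\n")
            code, _ = read_reply(f)
            if code == "331":                   # server wants a password
                s.sendall(b"PASS " + password + b"\r\n")
                code, _ = read_reply(f)
            r["login"] = code
            if code != "230":
                return r
            s.sendall(b"PASV\r\n")
            _, text = read_reply(f)
            r["pasv"] = parse_pasv(text)        # where the data channel must be able to reach
            s.sendall(b"QUIT\r\n")
            read_reply(f)                       # wait for 221 so the server side finishes cleanly
    except OSError as exc:                      # refused, timed out, unreachable, reset
        r["error"] = str(exc)
    return r


def fake_ftp_server():
    """Constructed loopback FTP server (USER/PASS/PASV/QUIT only) for offline runs."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rf:
            conn.sendall(b"220-Welcome to the test server\r\n220 Ready\r\n")
            for line in rf:
                cmd = line.split()[:1]
                if cmd == [b"USER"]:
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == [b"PASS"]:
                    conn.sendall(b"230 Logged in\r\n")
                elif cmd == [b"PASV"]:
                    conn.sendall(b"227 Entering Passive Mode (127,0,0,1,195,80)\r\n")
                else:
                    conn.sendall(b"221 Goodbye\r\n")
                    break
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def closed_loopback_port():
    """A loopback port with nothing listening, to show the 'blocked' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":   # usage: python ftp_probe.py ftp.example.invalid  (no argument: loopback demo)
    host, port = (sys.argv[1], 21) if len(sys.argv) > 1 else fake_ftp_server()
    print(probe(host, port))
```

Run it with a host name to probe a real server. `control` False with an error means nothing reached TCP/21 at all (a pfSense LAN rule, the Windows firewall, or the ISP); `control` True with a valid `pasv` tuple but no transfers in FileZilla means the outgoing rule must also cover the passive data port range, which an allow rule for port 21 alone does not.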
redbirdchief (Author) commented:

You're a genius! Suddenly FileZilla started pouring in with green text.  I can't thank you enough, I've struggled with this issue for too long!
Asif Bacchus (I.T. Consultant) commented:
Glad I could help :-)  Enjoy pfSense and thanks for the points!  Have a good one.