Solved

Trouble accessing FTP sites via pfSense

Posted on 2014-10-28
Last Modified: 2014-10-30
Hello,

I've been trying to access an external FTP site without success. Public FTP sites can't be reached either.  I've used Filezilla, IE, Chrome, Passive mode, and Active mode.  I'm convinced the problem lies with my router, specifically pfSense.

Does anyone here have experience in trying to configure pfSense so that they can access external FTP sites?
Question by:redbirdchief

Expert Comment

by:Asif Bacchus
ID: 40409281
pfSense does not block FTP by default.  Do you have access to your pfSense box via the web console or otherwise?  Can you check the settings?  If so, have you taken a look at the outgoing tab on your firewall setup page?  Perhaps port 21 is being restricted to a certain group of originating IPs?
Author Comment

by:redbirdchief
ID: 40409312
asifbacchus,

Yes I have access to pfSense via the web console. If by outgoing you mean Outbound under Firewall->NAT->Outbound, there are no mappings, but the mode is set to "Automatic outbound NAT rule generation (IPsec passthrough included)". I've also thumbed through all the Firewall rule tabs and there's nothing already created for ports 21 or 20.

Will I need to add an Alias, or Port Forwarding under the NAT tab?
Expert Comment

by:Asif Bacchus
ID: 40409379
No, those things would not apply in this case.  As I understand it, you are just trying to access an FTP site over the internet, correct?

If so, your outgoing NAT is correct.  Please have a look at Firewall > Rules, LAN tab and see if you are restricting outgoing communications on ports 20 or 21 and/or limiting them to originating from a particular source IP address.  For most people, they only have the 'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule', which means no outgoing communication (including FTP) is blocked.

Assuming your pfSense is not blocking things, as above, are you sure there are no other firewalls in play?  Perhaps the Windows built-in firewall is active on your machine?

Have you tried using telnet?  Open a connection to the remote FTP via telnet using port 21 and see if that works.  If it does, then nothing is blocking FTP.  If it does not, perhaps your ISP is blocking FTP for some reason?

Let me know how these steps go.
Author Comment

by:redbirdchief
ID: 40413564
asifbacchus,

Yes, just trying to access FTP over the net.  Under Firewall > Rules > LAN, nothing's listed for ports 20 or 21.  'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule' are both present but greyed out.

I've disabled the Windows firewall before to try accessing the FTP and that had no result. Pinging and telnetting to the FTP (both IP and host name) still doesn't let me connect.  Any blocked sites I've been able to allow through OpenDNS, to which I've even added the FTP host name into the exceptions list.

I appreciate your help, and look forward to further advice.
Author Comment

by:redbirdchief
ID: 40413597
Oh, I forgot to comment on something: I don't know if my ISP is preventing access; that I'll have to figure out.
Expert Comment

by:Asif Bacchus
ID: 40413610
Greyed out rules mean they are disabled.  This is a problem.  If the default rules are greyed out, then the ONLY traffic permitted must be explicitly listed.  As such, I imagine you have other rules which state allowed traffic, such as one that allows any LAN --> port 80 outgoing for web access, etc.?  

My standard rule-set looks like the attached picture, to give you an idea.  It allows any outgoing traffic by default (default rules not greyed out) but specifically blocks port 25 traffic unless it's from our mailserver (stops trojans on local computers acting as mailservers), and there is the anti-lockout rule also.  I imagine yours must look quite different?

Without the default rules, and if you have no explicit 'allow' rule for FTP ports 20 & 21, then such outgoing traffic definitely will be blocked by pfSense.

Does this make sense?  If not, I'll try to explain more clearly with more screenshots.
My standard outgoing LAN firewall rule setup
Author Comment

by:redbirdchief
ID: 40413696
asifbacchus,

On my list, port 80 is listed in the Anti-Lockout Rule, and appears again in its own rule. There are then 5 more rules, each with its own port.  Yes, this is starting to make more sense now.

What's next, enable the defaults? Create new rules for ports 20 and 21?
Accepted Solution

by:
Asif Bacchus earned 500 total points
ID: 40413732
Ok, now we're getting somewhere! :-)

Unless there is a specific reason to control all outgoing traffic (i.e. company policy, legal reasons, heightened security infrastructure, etc.) then going with the default outgoing rules will make your life MUCH easier.  You can re-enable the default rules (IPv6 is optional obviously for an IPv4 environment) and then disable and/or delete the 5 explicit rules.

Otherwise, simply create a new rule for your outgoing FTP.  Remember that FTP traffic is many times both TCP and UDP!  I've attached a screenshot to help you out.

HTH
FirewallFTPOutgoing.png
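To make the accepted answer's point concrete, here is an added example (not code from the thread, and not pfSense's own code) that models how the LAN-tab rules are evaluated: rules are checked top to bottom with first match winning, greyed-out (disabled) rules are skipped, and anything unmatched hits the implicit default deny. The rule names other than the two default rules and the Anti-Lockout Rule are constructed to resemble the asker's description.

```python
# Added example, not code from the thread or from pfSense: a small model of
# pfSense LAN-tab rule evaluation, showing why disabled (greyed-out) default
# rules leave outbound FTP blocked until an explicit pass rule exists.
# Assumptions: first enabled match wins (GUI rules are "quick"), disabled
# rules are ignored, and an unmatched packet hits the implicit default deny.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "pass" or "block"
    proto: str = "any"                # "tcp", "udp" or "any"
    dst: str = "any"                  # "any" or "self" (the firewall itself)
    ports: frozenset = frozenset()    # empty means any destination port
    enabled: bool = True


def evaluate(rules, proto, dst, port):
    """Return (action, rule name) of the first enabled rule matching the packet."""
    for r in rules:
        if not r.enabled:
            continue  # greyed out in the GUI: the packet filter never loads it
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action, r.name
    return "block", "implicit default deny"


def outbound_ftp_allowed(rules):
    """True if a LAN host may open an FTP control connection (TCP/21) outbound."""
    return evaluate(rules, "tcp", "any", 21)[0] == "pass"


# Constructed rule set resembling the asker's: anti-lockout, both default
# rules disabled, then single-port allow rules with nothing for 20/21.
ASKER_RULES = (
    Rule("Anti-Lockout Rule", "pass", "tcp", "self", frozenset({22, 80, 443})),
    Rule("Default allow LAN to any rule", "pass", enabled=False),
    Rule("Default allow LAN IPv6 to any rule", "pass", enabled=False),
    Rule("web", "pass", "tcp", ports=frozenset({80})),
    Rule("https", "pass", "tcp", ports=frozenset({443})),
    Rule("dns", "pass", "udp", ports=frozenset({53})),
)
# Fix 1 from the accepted answer: one explicit pass rule for TCP 20 and 21.
FIXED_RULES = ASKER_RULES + (Rule("Allow outbound FTP", "pass", "tcp", ports=frozenset({20, 21})),)
# Fix 2: re-enable the default allow rules and drop the explicit ones.
DEFAULTS_ON = tuple(replace(r, enabled=True) if r.name.startswith("Default allow") else r
                    for r in ASKER_RULES[:3])
```

Run `outbound_ftp_allowed()` against each tuple to see the asker's set blocked by the implicit deny and both fixes passing.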
Author Comment

by:redbirdchief
ID: 40413756
asifbacchus,

You're a genius! Suddenly Filezilla started pouring in with green text.  I can't thank you enough; I've struggled with this issue for too long!
Expert Comment

by:Asif Bacchus
ID: 40413762
Glad I could help :-)  Enjoy pfSense and thanks for the points!  Have a good one.