  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10229

Trouble accessing FTP sites via pfSense

Hello,

I've been trying to access an external FTP site without success. Public FTP sites can't be reached either.  I've used Filezilla, IE, Chrome, Passive mode, and Active mode.  I'm convinced the problem lies with my router, specifically pfSense.

Does anyone here have experience in trying to configure pfSense so that they can access external FTP sites?
Asked by: redbirdchief

1 Solution

Asif Bacchus commented:
pfSense does not block FTP by default.  Do you have access to your pfSense box via the web console or otherwise?  Can you check the settings?  If so, have you taken a look at the outgoing tab on your firewall setup page?  Perhaps port 21 is being restricted to a certain group of originating IPs?

redbirdchief (Author) commented:
asifbacchus,

Yes I have access to pfSense via the web console. If by outgoing you mean Outbound under Firewall->NAT->Outbound, there are no mappings, but the mode is set to "Automatic outbound NAT rule generation (IPsec passthrough included)". I've also thumbed through all the Firewall rule tabs and there's nothing already created for ports 21 or 20.

Will I need to add an Alias, or Port Forwarding under the NAT tab?

Asif Bacchus commented:
No, those things would not apply in this case.  As I understand it, you are just trying to access an FTP site over the internet, correct?

If so, your outgoing NAT is correct.  Please have a look at Firewall > Rules, LAN tab and see if you are restricting outgoing communications on ports 20 or 21 and/or limiting them to originating from a particular source IP address.  For most people, they only have the 'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule', which means no outgoing communication (including FTP) is blocked.

Assuming your pfSense is not blocking things, as above, are you sure there are no other firewalls in play?  Perhaps the windows built-in firewall is active on your machine?

Have you tried using telnet?  Open a connection to the remote FTP via telnet using port 21 and see if that works.  If it does, then nothing is blocking FTP.  If it does not, perhaps your ISP is blocking FTP for some reason?

Let me know how these steps go.
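The "open a connection to port 21 with telnet" test suggested above can be scripted so that the outcome is classified rather than eyeballed. The following is an added example, not code from the thread or from pfSense: it performs the same TCP connect to the FTP control port, reads the server greeting, and distinguishes a refused connection (the host answered with a reset, so the port is closed or actively rejected) from a timeout (packets silently dropped, which is what a pfSense "block" rule does by default, as opposed to "reject"). The loopback stand-in server and its 220 banner are constructed so the script runs offline; against a real site you would call probe_ftp_control with the site's hostname.

```python
import socket
import threading

# Constructed greeting for the local stand-in server; a real FTP server
# sends its own "220 ..." line as soon as the TCP connection is up.
FAKE_BANNER = b"220 constructed test FTP service ready\r\n"


def probe_ftp_control(host, port=21, timeout=5.0):
    """Emulate 'telnet host 21': connect over TCP and read the greeting.

    Returns a (status, detail) tuple:
      ("banner", greeting)  connect succeeded and a greeting arrived
      ("connected", "")     connect succeeded but nothing was sent in time
      ("refused", errmsg)   RST received: host reachable, port closed/rejected
      ("timeout", "")       no answer at all: silently dropped or host down
      ("dns", errmsg)       name resolution failed (check DNS/OpenDNS first)
      ("error", errmsg)     any other socket error
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    family, socktype, proto, _, sockaddr = addrinfo[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except socket.timeout:
        sock.close()
        return ("timeout", "")
    except ConnectionRefusedError as exc:
        sock.close()
        return ("refused", str(exc))
    except OSError as exc:
        sock.close()
        return ("error", str(exc))
    try:
        data = sock.recv(1024)
    except socket.timeout:
        return ("connected", "")
    finally:
        sock.close()
    return ("banner", data.decode("ascii", "replace").strip())


def start_fake_ftp_server():
    """Listen on a random loopback port and send FAKE_BANNER to one client.

    Only here so the probe can be exercised without network access.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(FAKE_BANNER)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Pick a loopback port with no listener, to show the 'refused' outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listening = start_fake_ftp_server()
    print("listening port:", probe_ftp_control("127.0.0.1", listening))
    print("closed port:   ", probe_ftp_control("127.0.0.1", free_closed_port()))
```

Run the probe from a LAN client and, if the result is a timeout, run it again from the pfSense box itself (Diagnostics > Command Prompt or a shell): a timeout from the client but a banner from the firewall points at a LAN rule, while a timeout from both points upstream, at the ISP or the remote site.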

redbirdchief (Author) commented:
asifbacchus,

Yes, just trying to access FTP over the net.  Under Firewall>Rules>Lan, nothing's listed for Ports 20 or 21.  'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule' are both present but greyed out.

I've disabled the Windows firewall before to try accessing the FTP and that had no result. Pinging and telnetting to the FTP (both IP and host name) still doesn't let me connect.  Any blocked sites I've been able to allow through Open DNS, to which I've even added the FTP host name into the exceptions list.  

I appreciate your help, and look forward to further advice.

redbirdchief (Author) commented:
Oh, I forgot to comment on something - I don't know if my ISP is preventing access; that I'll have to figure out.

Asif Bacchus commented:
Greyed out rules mean they are disabled.  This is a problem.  If the default rules are greyed out, then the ONLY traffic permitted must be explicitly listed.  As such, I imagine you have other rules which state allowed traffic, such as one that allows any LAN --> port 80 outgoing for web access, etc.?  

My standard rule-set looks like the attached picture, to give you an idea.  It allows any outgoing traffic by default (default rules not greyed out) but specifically blocks port 25 traffic unless it's from our mailserver (stops trojans on local computers acting as mailservers), and there is the anti-lockout rule also.  I imagine yours must look quite different?

Without the default rules, and if you have no explicit 'allow' rule for FTP ports 20 & 21, then such outgoing traffic definitely will be blocked by pfSense.

Does this make sense?  If not, I'll try to explain more clearly with more screenshots.
[Attached image: My standard outgoing LAN firewall rule setup]

redbirdchief (Author) commented:
asifbacchus,

On my list, Port 80 is listed in the Anti-Lockout Rule, and appears again in its own rule. There are then 5 more rules, each with its own port.  Yes, this is starting to make more sense now.

What's next, enable the defaults? Create new rules for ports 20 and 21?

Asif Bacchus commented:
Ok, now we're getting somewhere! :-)

Unless there is a specific reason to control all outgoing traffic (i.e. company policy, legal reasons, heightened security infrastructure, etc.) then going with the default outgoing rules will make your life MUCH easier.  You can re-enable the default rules (IPv6 is optional obviously for an IPv4 environment) and then disable and/or delete the 5 explicit rules.

Otherwise, simply create a new rule for your outgoing FTP.  Remember that FTP traffic is many times both TCP and UDP!  I've attached a screen shot to help you out.

HTH
[Attached image: FirewallFTPOutgoing.png]
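The two answers above rest on how pfSense evaluates an interface's rule tab: rules are walked top-down, the first enabled rule that matches decides, and a connection that matches nothing is blocked by the implicit default deny. Greyed-out (disabled) default rules therefore leave only the explicit "pass" rules in play. The following is an added example, not code from the thread or from pfSense, that models that first-match evaluation and replays the rule set described in the thread. The rule names, the exact ports of the five single-port rules, the "lan-address" label and the "ftp.example.net" destination are all constructed; the thread only says that port 80 appears in the anti-lockout rule and in its own rule, followed by five more single-port rules.

```python
from dataclasses import dataclass

ANY = "any"
LAN_ADDRESS = "lan-address"   # constructed label for pfSense's own LAN IP


@dataclass
class Rule:
    name: str
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp", "tcp/udp", or ANY
    dst: str           # destination label, or ANY
    dports: tuple      # destination ports; () means any port
    enabled: bool = True

    def matches(self, proto, dst, dport):
        """A disabled (greyed-out) rule never matches anything."""
        if not self.enabled:
            return False
        if self.proto != ANY and proto not in self.proto.split("/"):
            return False
        if self.dst != ANY and self.dst != dst:
            return False
        if self.dports and dport not in self.dports:
            return False
        return True


def evaluate(rules, proto, dst, dport):
    """First-match evaluation as on a pfSense interface tab.

    Walk the rules top-down; the first enabled matching rule decides.
    Nothing matched means the implicit default deny applies.
    """
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action, rule.name
    return "block", "implicit default deny"


def thread_ruleset(default_allow_enabled=False, ftp_rule=False):
    """Constructed LAN tab in the shape the poster described."""
    rules = [
        Rule("Anti-Lockout Rule", "pass", "tcp", LAN_ADDRESS, (80, 443)),
        Rule("Allow HTTP out", "pass", "tcp", ANY, (80,)),
        Rule("Allow HTTPS out", "pass", "tcp", ANY, (443,)),
        Rule("Allow DNS out", "pass", "tcp/udp", ANY, (53,)),
        Rule("Allow SMTP out", "pass", "tcp", ANY, (25,)),
        Rule("Allow POP3 out", "pass", "tcp", ANY, (110,)),
        Rule("Allow IMAPS out", "pass", "tcp", ANY, (993,)),
    ]
    if ftp_rule:
        # The explicit rule suggested in the answer: FTP control and data ports.
        rules.append(Rule("Allow FTP out", "pass", "tcp", ANY, (20, 21)))
    # The default rule sits last; greyed out in the poster's setup.
    rules.append(Rule("Default allow LAN to any rule", "pass", ANY, ANY, (),
                      enabled=default_allow_enabled))
    return rules


def ftp_control_verdict(**kwargs):
    """Verdict for a LAN client opening the FTP control channel (TCP/21)."""
    return evaluate(thread_ruleset(**kwargs), "tcp", "ftp.example.net", 21)


def passive_data_verdict(**kwargs):
    """Verdict for a passive-mode data connection to a server-chosen high port."""
    return evaluate(thread_ruleset(**kwargs), "tcp", "ftp.example.net", 50123)


if __name__ == "__main__":
    print("as posted:          ", ftp_control_verdict())
    print("with FTP rule:      ", ftp_control_verdict(ftp_rule=True))
    print("defaults re-enabled:", ftp_control_verdict(default_allow_enabled=True))
    print("passive data, FTP rule only:", passive_data_verdict(ftp_rule=True))
```

The last line of output is the caveat worth knowing before choosing the "explicit rule" route: FileZilla's default passive mode opens the data connection to whatever high port the server announces, so an outbound rule limited to ports 20 and 21 passes the control channel but leaves passive data transfers to the implicit deny. Re-enabling the default allow rule, as the answer recommends, avoids that; if outbound traffic must stay restricted, the FTP rule needs to cover the server's passive port range as well.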

redbirdchief (Author) commented:
asifbacchus,

You're a genius! Suddenly Filezilla started pouring in with green text.  I can't thank you enough, I've struggled with this issue for too long!

Asif Bacchus commented:
Glad I could help :-)  Enjoy pfSense and thanks for the points!  Have a good one.