Solved

Trouble accessing FTP sites via pfSense

Posted on 2014-10-28
Last Modified: 2014-10-30
Hello,

I've been trying to access an external FTP site without success. Public FTP sites can't be reached either.  I've used Filezilla, IE, Chrome, Passive mode, and Active mode.  I'm convinced the problem lies with my router, specifically pfSense.

Does anyone here have experience in trying to configure pfSense so that they can access external FTP sites?
Question by:redbirdchief
10 Comments
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40409281
pfSense does not block FTP by default.  Do you have access to your pfSense box via the web console or otherwise?  Can you check the settings?  If so, have you taken a look at the outgoing tab on your firewall setup page?  Perhaps port 21 is being restricted to a certain group of originating IPs?

Author Comment

by:redbirdchief
ID: 40409312
asifbacchus,

Yes I have access to pfSense via the web console. If by outgoing you mean Outbound under Firewall->NAT->Outbound, there are no mappings, but the mode is set to "Automatic outbound NAT rule generation (IPsec passthrough included)". I've also thumbed through all the Firewall rule tabs and there's nothing already created for ports 21 or 20.

Will I need to add an Alias, or Port Forwarding under the NAT tab?
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40409379
No, those things would not apply in this case.  As I understand it, you are just trying to access an FTP site over the internet, correct?

If so, your outgoing NAT is correct.  Please have a look at Firewall > Rules, LAN tab and see if you are restricting outgoing communications on ports 20 or 21 and/or limiting them to originating from a particular source IP address.  Most people only have the 'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule', which means no outgoing communication (including FTP) is blocked.

Assuming your pfSense is not blocking things, as above, are you sure there are no other firewalls in play?  Perhaps the Windows built-in firewall is active on your machine?

Have you tried using telnet?  Open a connection to the remote FTP via telnet using port 21 and see if that works.  If it does, then nothing is blocking FTP.  If it does not, perhaps your ISP is blocking FTP for some reason?

Let me know how these steps go.

Author Comment

by:redbirdchief
ID: 40413564
asifbacchus,

Yes, just trying to access FTP over the net.  Under Firewall > Rules > LAN, nothing's listed for ports 20 or 21.  'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule' are both present but greyed out.

I've disabled the Windows firewall before to try accessing the FTP and that had no result. Pinging and telnetting to the FTP (both IP and host name) still doesn't let me connect.  Any blocked sites I've been able to allow through Open DNS, to which I've even added the FTP host name into the exceptions list.  

I appreciate your help, and look forward to further advice.

Author Comment

by:redbirdchief
ID: 40413597
Oh, I forgot to comment on something: I don't know if my ISP is preventing access, that I'll have to figure out.
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40413610
Greyed out rules mean they are disabled.  This is a problem.  If the default rules are greyed out, then the ONLY traffic permitted must be explicitly listed.  As such, I imagine you have other rules which state allowed traffic, such as one that allows any LAN --> port 80 outgoing for web access, etc.?  

My standard rule-set looks like the attached picture, to give you an idea.  It allows any outgoing traffic by default (default rules not greyed out) but specifically blocks port 25 traffic unless it's from our mailserver (stops trojans on local computers acting as mailservers), and there is the anti-lockout rule also.  I imagine yours must look quite different?

Without the default rules, and if you have no explicit 'allow' rule for FTP ports 20 & 21, then such outgoing traffic definitely will be blocked by pfSense.

Does this make sense?  If not, I'll try to explain more clearly with more screenshots.
My standard outgoing LAN firewall rule setup

Author Comment

by:redbirdchief
ID: 40413696
asifbacchus,

On my list, port 80 is listed in the Anti-Lockout Rule, and appears again in its own rule. There are then 5 more rules, each with its own port.  Yes, this is starting to make more sense now.

What's next, enable the defaults? Create new rules for ports 20 and 21?
LVL 6

Accepted Solution

by:
Asif Bacchus earned 500 total points
ID: 40413732
Ok, now we're getting somewhere! :-)

Unless there is a specific reason to control all outgoing traffic (i.e. company policy, legal reasons, heightened security infrastructure, etc.) then going with the default outgoing rules will make your life MUCH easier.  You can re-enable the default rules (IPv6 is optional obviously for an IPv4 environment) and then disable and/or delete the 5 explicit rules.

Otherwise, simply create a new rule for your outgoing FTP.  Remember that FTP traffic is many times both TCP and UDP!  I've attached a screen shot to help you out.

HTH
FirewallFTPOutgoing.png
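The two practical steps in this thread are the "telnet to port 21" test suggested earlier and the outbound LAN rule for FTP in the accepted solution. The script below is an added example (my own code, not from the thread, from Asif Bacchus, or from the pfSense project) that automates the first and helps verify the second. It tells apart a connect timeout (what a silent firewall drop such as a pfSense block rule looks like), a refused connection (host reachable, nothing listening) and a DNS failure, and, if the control channel is open, logs in and parses the server's 227 PASV reply. That last part matters for the rule in the accepted solution: FTP control and data channels are TCP (RFC 959), and a passive-mode data transfer goes to a server-chosen high port, so an explicit outbound allow list limited to ports 20 and 21 covers only the control channel. The target host `ftp.example.com` is a placeholder and the anonymous credentials are an assumption; substitute the site you are troubleshooting.

```python
"""Outbound FTP reachability check (added example, not code from the thread).

Labels returned by tcp_connect()/probe_passive():
  timeout     no answer at all, typical of a firewall silently dropping SYNs
  refused     host answered with RST: reachable, but no FTP service there
  unresolved  name lookup failed: a DNS problem, not a firewall rule
  unreachable other OS-level failure (no route, network down)
  open        TCP handshake completed
"""
import re
import socket
import sys

# Matches the (h1,h2,h3,h4,p1,p2) tuple in a '227 Entering Passive Mode' reply.
PASV_RE = re.compile(r"\(\s*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*\)")


def classify_error(exc):
    """Map a socket failure to a short label that assigns blame sensibly."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "unresolved"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, OSError):
        return "unreachable"
    return "error"


def tcp_connect(host, port=21, timeout=5.0):
    """Plain TCP connect, like 'telnet host 21'; returns (label, banner_text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""      # open port but no greeting yet; still "open"
            return "open", banner
    except OSError as exc:
        return classify_error(exc), ""


def recv_reply(sock):
    """Read one full FTP reply, including the 'nnn-' multi-line form (RFC 959)."""
    lines, buf = [], b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            lines.append(text)
            if re.match(r"^\d{3} ", text):   # 'nnn ' (space) ends the reply
                return "\n".join(lines)
    return "\n".join(lines)


def parse_pasv(reply):
    """Return (host, port) from a 227 PASV reply line, or None if it is malformed."""
    if not reply.startswith("227"):
        return None
    match = PASV_RE.search(reply)
    if not match:
        return None
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]           # data port is p1*256 + p2
    return host, port


def probe_passive(host, timeout=5.0, user="anonymous", password="guest@example.com"):
    """Log in (assumed anonymous access), request PASV and test the data port too."""
    with socket.create_connection((host, 21), timeout=timeout) as ctrl:
        ctrl.settimeout(timeout)
        recv_reply(ctrl)                                   # greeting banner
        ctrl.sendall(f"USER {user}\r\n".encode())
        recv_reply(ctrl)
        ctrl.sendall(f"PASS {password}\r\n".encode())
        if not recv_reply(ctrl).startswith("230"):
            return "login-failed", None
        ctrl.sendall(b"PASV\r\n")
        target = parse_pasv(recv_reply(ctrl).splitlines()[-1])
        if target is None:
            return "no-pasv", None
        data_host, data_port = target
        state, _ = tcp_connect(data_host, data_port, timeout)  # is the high port allowed out?
        return state, target


if __name__ == "__main__":
    # ftp.example.com is a placeholder; pass the real site as the first argument.
    site = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.com"
    state, banner = tcp_connect(site)
    print(f"control channel {site}:21 -> {state} {banner!r}")
    if state == "open":
        print("passive data channel ->", probe_passive(site))
```

Run it from a LAN client behind pfSense: "timeout" on the control channel points at a blocking rule (or an upstream drop), "refused" or an unexpected banner points at the far end, and an "open" control channel followed by a "timeout" on the passive data port means the rule set lets port 21 through but not the data connection.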

Author Comment

by:redbirdchief
ID: 40413756
asifbacchus,

You're a genius! Suddenly Filezilla started pouring in with green text.  I can't thank you enough; I've struggled with this issue for too long!
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40413762
Glad I could help :-)  Enjoy pfSense and thanks for the points!  Have a good one.