From PFSenseDocs
This article is part of the HOWTO series.
Forum thread(s) to this page:
http://forum.pfsense.org/index.php/topic,15811.html
Option 1. Use the proxy helper application.
- 1. The IP address used for FTP connections externally must be the WAN IP of the pfSense box (unconfirmed).
- 2. Enable the proxy helper on the WAN interface (by unchecking the box that disables it).
- 3. Set up a port forward rule, using the FTP option, to your FTP server's internal LAN IP.
- 4. Watch the logs on your FTP server. If this is set up correctly, you will see sessions from the IP address of your pfSense box, NOT THE IP ADDRESS OF THE FTP CLIENT. If you are seeing sessions from the FTP client's public IP, the proxy helper is not working or is not set up correctly.
Advantages
- 1. Simple setup
- 2. Does not require passive IP response on the FTP server.
- 3. More secure, since only the subsequent ports a connection needs are allowed instead of the entire passive range.
Disadvantages
- 1. A bit glitchy in the scripts that set up the rules within pfSense. I have seen the setup become corrupt if you tinker too much with these settings back and forth, and require a full reinstall and re-setup of pfSense (start from scratch, DO NOT use a backup config).
- 2. Logs on your FTP server will show connections from the pfSense box, so IP-based features such as blacklisting and throttling will not work, since the FTP server sees all public connections as coming from the pfSense box. User-based FTP server settings will all still function.
Option 2. Simple Port Forward to FTP Server.
- 1. Delete any FTP rules and ensure that you have the FTP helper disabled on the WAN interface (checked). Again, if you have been enabling and disabling FTP etc. through the pfSense GUI, you may have a corrupt config. If it is not working, try a fresh config!
- 2. Set up your FTP server with a narrow range of passive ports. Keep enough for your usage and the FTP server's requirements, but go as low as you can for security reasons; this may take some experimenting and tweaking. Exactly how to do this varies with the FTP server software.
- 3. Set your FTP server's passive IP response to the PUBLIC IP address you will forward in pfSense. Again, how to do this varies by FTP server, and some do not have the capability.
- 4. Set up a virtual CARP IP address for the public IP on the pfSense box. (ARP may work; however, I have not tested it.)
- 5. Set up forward rules to forward BOTH port 21 and the passive range you specified on the FTP server to the local LAN IP of the FTP server.