Configuring FTP

SunnyG

Dabbler
Joined
Sep 8, 2018
Messages
33
Hello experts,

Hoping someone can help me out on an FTP setup issue that I am having.

I have enabled the FTP service in FreeNAS and opened port 21 in my router (pfSense).
On the internal network I am able to connect to the FTP site without issue from multiple systems. However, when I try to connect to it from an external network I get as far as being prompted for the username and password, but then get a timeout or Access Denied.

Is there anything I need to configure for external access on FreeNAS?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
FTP uses a control connection on port 21 and a dynamically negotiated data connection on a random port on one side. Initially it was the client opening the port and the server initiated a connection back with source port 20 outbound to the client on that random port.
Since this does not work too well with the client behind a NAT gateway most clients use passive mode. This means the server selects a random port and the client initiates the connection outbound through his NAT gateway.

Two options:

1. If pfsense comes with a proper FTP proxy that understands the protocol and can dynamically open the negotiated ports, use that. Does not work with TLS, though, since the control connection is encrypted in that case.
2. On your NAS go to Services --> FTP --> Advanced Options. Set Minimum Passive Port and Maximum Passive Port to a suitably narrow port range and open these on your firewall.

HTH,
Patrick
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi,

An even better option would be not to use FTP at all. Usernames and passwords sent as clear text over the Internet are not a good idea. The data exchanged with the FTP will probably benefit from a bit of confidentiality too.

SFTP, WebDAV over HTTPS, Nextcloud, there are many options that should be preferred when compared to FTP. And that is above the nightmare described by @Patrick M. Hausen with the second channel FTP uses.
 

SunnyG

Dabbler
Joined
Sep 8, 2018
Messages
33
Hi,

An even better option would be not to use FTP at all. Usernames and Passwords sent as clear text over the Internet is not a good idea. The data exchanged with the FTP will probably benefit from a bit of confidentiality too.

SFTP, WebDAV over HTTPS, Nextcloud, there are many options that should be preferred when compared to FTP. And that is above the nightmare described by @Patrick M. Hausen with the second channel FTP uses.


Hi Heracles,

SFTP would be preferred. FTP, however, is just a temporary solution that I am looking at using to upload some files to GCP. Currently the upload function in GCP is taking too long, as the file is 1GB in size, and all the free FTP sites that I have found have a limit of 50Mb.
 

SunnyG

Dabbler
Joined
Sep 8, 2018
Messages
33
FTP uses a control connection on port 21 and a dynamically negotiated data connection on a random port on one side. Initially it was the client opening the port and the server initiated a connection back with source port 20 outbound to the client on that random port.
Since this does not work too well with the client behind a NAT gateway most clients use passive mode. This means the server selects a random port and the client initiates the connection outbound through his NAT gateway.

Two options:

1. If pfsense comes with a proper FTP proxy that understands the protocol and can dynamically open the negotiated ports, use that. Does not work with TLS, though, since the control connection is encrypted in that case.
2. On your NAS go to Services --> FTP --> Advanced Options. Set Minimum Passive Port and Maximum Passive Port to a suitably narrow port range and open these on your firewall.

HTH,
Patrick

Hi Patrick,

pfSense does make use of the FTP Proxy; I have tried with it both on and off. TLS is not configured yet, and the Minimum Passive Port and Maximum Passive Port I have set to 1024-1029. I am now able to log in, but I cannot get a listing, and if I try to download a file I know is on the FTP site it reports that the file does not exist. This is regardless of being in passive mode or not.

Regards

Sunny
 