I would bet big money yours was R for RST!! Which is tcp for F off! You see in mine the (syn) and then the (syn,ack) back. I snipped out most of the info when you bump the verbosity up in your packet capture - just to show the info you would be interested in. Unless you set up some sort of reject rule on pfsense? It would have just been dropped; that you see 1 packet in response just screams RST from the client. If pfsense had not opened that port, would not have gotten anything back to the syn from the ftp server to open the connection. That this shows my public IP and not the client's 192.168 address, I know that the ftp proxy package is working and doing at least that portion. You see the port command. Do the math: (206*256)+131 = port 52867 - which is the port that the data channel was sent to from source port 20.
Here would be the handshake - you see the syn and syn,ack. Or increase the verbosity in the packet capture so you can at least see that response to that source port 20 traffic - which would be the opening of the data channel in active mode. You just need to open the packet capture up. Which sure it could be.

But you're going to want to sniff both lan and wan side on pfsense to validate the ftp package is changing the IP of the client for the active to work. Sniff on the client other than for trying to figure out why its not resolving is going to be pretty useless, unless its local firewall blocking the return traffic on active. On the lan side sniff for the dest IP so you can see all traffic going there, then on the wan side of pfsense sniff on the dest IP. Well sniff it on pfsense, diagnostic packet capture.

So you could have some random said in ftp client passive mode: So the ftp active proxy would have to change that for you and open the ftp port. The client told the server to connect to 192.168.9.100 port 23*256+121, but for starters the server couldn't connect to my local IP. Now when you connect via active mode the client will tell the server what port to connect to. Here connecting to your server in 2 different modes. Who makes the connection when in active or passive for the data connection. Understanding how the ftp protocol works is step one in trying to troubleshoot it.

This would be the port you're trying to connect to in passive mode. This default is any any lan rule, so all outbound traffic to the internet from lan is allowed. Unless you're limiting what ports a client can talk outbound to the internet there should be no issues. There is zero to do with pfsense to connect to a ftp server on the internet in passive mode. That proxy is only needed when you want to connect to internet ftp server via active mode.
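The port math and the LAN-versus-WAN address check described above, as an added example that is not part of the original post: it parses a `PORT` command or a `227` passive reply taken from a capture, computes the data port, and flags an RFC 1918 address that a remote server cannot connect back to. The function name `parse_data_endpoint` and the sample lines are assumptions; 203.0.113.10 is a documentation address standing in for a public IP.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses an internet FTP server cannot route back to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2
SIX_FIELDS = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' or a '227 ... (h1,h2,h3,h4,p1,p2)'
    reply as seen on the FTP control channel (hypothetical helper)."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"    # server opens the data channel, from source port 20
    elif text.startswith("227"):
        mode = "passive"   # client opens the data channel to the server
    else:
        raise ValueError("not a PORT command or 227 reply")
    m = SIX_FIELDS.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    addr = ipaddress.ip_address(".".join(str(f) for f in fields[:4]))
    return {
        "mode": mode,
        "address": str(addr),
        "port": fields[4] * 256 + fields[5],   # high byte * 256 + low byte
        # True: a remote peer cannot reach this address unless the proxy
        # rewrote the command between the LAN and WAN captures.
        "unroutable": any(addr in net for net in RFC1918),
    }


if __name__ == "__main__":
    # Constructed control-channel lines, as they might appear LAN side and WAN side.
    for sample in ("PORT 192,168,9,100,23,121",
                   "PORT 203,0,113,10,206,131",
                   "227 Entering Passive Mode (203,0,113,10,206,131)"):
        print(sample, "->", parse_data_endpoint(sample))
```

Run it on the `PORT` line from the LAN-side capture and again on the WAN-side capture: if `unroutable` is still true on the WAN side, the command left the firewall without being rewritten.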