FTP timeout

Discussion in 'Installation/Configuration' started by Sheshman, May 15, 2020.

  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Open /etc/pure-ftpd/pure-ftpd.conf and look for Passive Port range. What is configured there?
     
  2. Sheshman

    Sheshman Member

The passive port range lines are commented out o_O
    # Port range for passive connections - keep it as broad as possible.

    #PassivePortRange 30000 50000

    # Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
    # Symbolic host names are also accepted for gateways with dynamic IP
    # addresses.

    #ForcePassiveIP 176.236.135.163
    Should I uncomment them, change 30000-50000 to 40110 & 40210 and give it a try? And if this config file manages passive FTP, why are we creating the
    "/etc/pure-ftpd/conf/PassivePortRange" & "/etc/pure-ftpd/conf/ForcePassiveIP" files?
     


  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, try that. Remember to restart pure-ftpd after you changed it.
     
  4. Sheshman

    Sheshman Member

OK, right now I'm working on something else; I'll try it and will let you know.
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

I believe all the required ports ARE open on the firewall.
    I can telnet to 176.236.135.163 21 and it connects straight away. I've tried ports 40110, 40140 and 40210, and after a second or two I get the connection refused message. I also tried port 40211, which shouldn't be available, and after around 20 seconds I get: telnet: Unable to connect to remote host: Resource temporarily unavailable
    So that all seems OK.

    I think we might be missing something more obvious here, since you said it worked when you tried connecting from home.
    What exactly did you do? Just copy the VM to your home PC and connect to it locally? Or connect to it on the same public IP from home?
    It just seems odd that you need to configure port forwarding for it to work in the office, but not from home.
    Where exactly is this pfSense firewall and where is the ISPConfig VM? I'm wondering now if they're both on your local office network.
    Maybe you could attach a simple topological network diagram of how it was when you connected from home, and how it is now when trying to connect from the office.
     
  6. Sheshman

    Sheshman Member

OK, here is how my office's system works:
    --I have 10Mb metro ethernet, which is connected to a switch (provided by the ISP)
    --PfSENSE is both gateway & firewall; it connects to the internet through the metro switch and shares its connection with clients
    --All incoming & outgoing connections are handled by PfSENSE
    --The switch has 48 ports and 30 of them can connect to the internet with different WAN IP addresses (so we have 30 different WAN IP addresses), each port sharing 10Mb bandwidth; I configured PfSENSE's load balance module so it decides dynamically who needs more bandwidth
    --The switch's 1st port is connected to PfSENSE's 1st ethernet (METRO_1); its WAN IP address is different from 176.236.135.163
    --The 1st port shares its internet connection with clients (department workers, for their daily tasks)
    --The switch's 2nd port is connected to PfSENSE's 2nd ethernet (METRO_3); the 2nd ethernet is defined as a different gateway and its IP address is 176.236.135.163
    --ISPCONFIG is connected to the LAN switch; with a firewall rule on PfSENSE I'm forcing ISPCONFIG to connect to the internet through PfSENSE's 2nd ethernet, so by this rule ISPCONFIG connects to the internet through the switch's 2nd port and uses 176.236.135.163 as its WAN IP on the internet
    --When an incoming connection to 176.236.135.163 is detected by PfSENSE, it looks in its database whether this WAN IP is assigned to a local IP address; if it is assigned, then it runs the related firewall rules for it.
    --All firewall rules (port forwardings) are defined on the METRO_3 gateway for ISPCONFIG. This is important for PfSENSE because if you accidentally define a rule on METRO_1 it won't work, so I've triple checked which gateway the rules are defined on, and I'm 100% sure they're defined on the right gateway. On the other hand, all ports except passive FTP work just fine.

What I did when I said it works at home:
    --First I installed Ubuntu 18.04 & ISPCONFIG on a virtual machine, created in Oracle VmWare
    --Exported the virtual machine to my USB HDD before leaving the office
    --When I got home, installed Oracle VmWare on my home PC and imported the virtual machine
    --Started the VM; it started without any error
    --Defined the same LAN IP as it was given by DHCP at the office, which was 192.168.1.16
    --Restarted
    --It rebooted without any error
    --Downloaded & installed the FileZilla client
    --Defined connection parameters to 192.168.1.16 as plain FTP
    --When I clicked the connect button, it connected without any problem and listed the directories

    --After that I did tests on the VM; I've installed Ubuntu 18.04 on a physical machine and installed ISPConfig afterwards
    --Forwarded all necessary ports to the physical machine
    --Defined 3 domains and defined DNS records
    --Forwarded DNS records to my public IP through the domains' panels (GoDaddy)
    --Approximately 4 hours later ISPCONFIG was replying to all DNS requests and the domains were working on my server
    --SFTP through port 22 was working on both LAN & WAN; I mean I was accessing the server on port 22 through LAN and WAN without any problem
    --I requested help from the forum and searched on Google to find out why passive FTP is not working.
    --After a couple of hours I gave up (a strong stomach pain didn't help much :) ). Disabled all port forwarding rules temporarily and defined a 1:1 NAT rule for 176.236.135.163 on PfSENSE, and after that plain FTP started working from WAN.
    What 1:1 NAT does on PfSENSE: the 1:1 NAT option basically saves you time when you need to forward all ports to a local PC. Instead of defining all ports as firewall rules you define 1:1 NAT and PfSENSE forwards all known ports to your PC, but it also stops applying protective firewall rules, so you are a sitting duck on the battlefield; all the protection you have is ISPCONFIG's built-in firewall. (I don't say anything bad about ISPCONFIG's firewall; I'm sure it does its best, but as they say in my country, TRUST IN GOD BUT LOCK YOUR DOOR.) Also I want to mention that I don't have any commercial plans for ISPCONFIG; I'll just host my own domains (I have 4 personal domains), I'll increase my skills on Linux servers and ISPConfig, and after that I'll talk with my boss about buying ISPConfig to host our company websites, because ISPConfig deserves every cent of it.

Today I did many tests to find out why it's not working. Due to the 1:1 NAT definition, plain FTP works from WAN connections but it still doesn't work on LAN when I configure FileZilla as below:
    --Server: server's LAN IP
    --Connection type: plain FTP
    --Authentication type: plain FTP
    --Username: my test username
    --Password: my test password
    When I click the connect button, it gets stuck on the "retrieving directory list" step, waits 20 seconds and returns an error.
    Second test variation:
    --Server: server's WAN IP
    --Connection type: plain FTP
    --Authentication type: plain FTP
    --Username: my test username
    --Password: my test password
    When I click the connect button, it gets stuck on the "retrieving directory list" step, waits 20 seconds and returns an error.
    Conclusions:
    --I can ping the server's LAN and WAN IP addresses from my office PC (which is connected to the same LAN)
    --I can confirm that all forwarded ports are accessible from LAN (tested with Advanced IP Scanner & port scanner) & WAN (tested with http://www.ping.eu)
    --From LAN: when I test the open ports between 40110 & 40210, the program confirms they're reachable, but it gave me a different port between 40110 & 40210 with every test; for example it gave 40160 or 40201 and so on. I believe pure-ftpd assigns a random port between 40110 & 40210 on every check.
    --I can not connect to the server as plain FTP through the LAN IP
    --I think I'm missing a very obvious/easy thing to fix this problem and can not debug the problem due to my lack of Linux knowledge.
    --My PfSENSE is licensed and I have already submitted a ticket to pfSense; I'm waiting for a response to check that everything is OK on PfSENSE's side, because everything really seems OK on it.
     
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

Hmm, it may take me a while to read through that and make sense of it all.
    But from the gist of it, with 1:1 NAT plain FTP from external clients is working.
    Plain FTP from internal clients logs in, but gets stuck on directory listings, on both the WAN and LAN IPs.
    Have you tried setting your FileZilla connection to active mode and testing that?
     
  8. Sheshman

    Sheshman Member

:) Sorry, my English is not good for this kind of technical explanation. Just tried with active mode and it worked; active mode is working without any problem.
     
  9. Sheshman

    Sheshman Member

[network diagram attachment]
    This schema will be much clearer, I guess.
     


  10. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

OK, so the internal clients are using metro_1 to access the internet, which I assume has the IP 176.236.135.161.

    So the client's FTP data channel traffic is basically going 192.168.1.* -> pfSense internal IP -> 172.236.135.161 -> 172.236.135.163 -> pfSense internal IP (different?) -> 192.168.1.16
    and the response packets from the FTP server should be taking the route in reverse.
    So what outbound firewall rules do you have on the 172.236.135.161 interface?
    Does that interface allow inbound connections from 172.236.136.163 source ports 40110-40210?
    I don't know if pfSense has conn_tracking, which should allow that, assuming a blocking rule isn't taking precedence.

    Also, not knowing the pfSense firewall, it might have separate inbound/outbound rules on every interface, so allowing ports 40110-40210 inbound on 172.236.135.163 doesn't automatically mean that ports 40110-40210 are allowed outbound on interface 192.168.1.253.
    It might be like the Vyatta firewall, where you can specify different inbound/outbound/local rules on every single interface, though that's not usual for firewalls, and I guess you would already know if pfSense required anything like that.
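The two things the thread keeps circling are (a) which passive settings pure-ftpd is really running with (post 2: the main config has PassivePortRange and ForcePassiveIP commented out while ISPConfig writes files under /etc/pure-ftpd/conf/) and (b) what address and port the server tells the client to open a data connection to, which decides whether the route nhybgtvfr sketches above can work for a LAN client versus a remote one. The script below is an added example, not code from the thread, ISPConfig or pure-ftpd: it merges the two config sources the way the Debian/Ubuntu pure-ftpd-wrapper does (the conf/ directory holds one directive per file and is what the wrapper turns into command-line options, which is why the commented lines in pure-ftpd.conf do not matter there), decodes a PASV "227" reply, and reports why the resulting data connection may fail. The config excerpt, the conf/ files and the 227 replies are constructed samples using the values quoted in the thread; the helper names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample: the /etc/pure-ftpd/pure-ftpd.conf excerpt quoted in the
# thread, with both passive directives commented out (so neither is active).
MAIN_CONF = """\
# Port range for passive connections - keep it as broad as possible.
#PassivePortRange 30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
#ForcePassiveIP 176.236.135.163
"""

# Constructed sample of the Debian/Ubuntu one-directive-per-file layout under
# /etc/pure-ftpd/conf/ (file name = directive, file content = value).
CONF_DIR = {
    "PassivePortRange": "40110 40210\n",
    "ForcePassiveIP": "176.236.135.163\n",
}


def parse_main_conf(text):
    """Return only the directives that are active in a pure-ftpd.conf body,
    i.e. non-blank lines that are not commented out."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def parse_conf_dir(files):
    """Same shape as parse_main_conf, built from a conf/ directory mapping."""
    return {name: body.strip() for name, body in files.items() if body.strip()}


def effective_config(main_text, conf_dir_files):
    """Merge both sources; the conf/ directory wins because the wrapper script
    builds pure-ftpd's command line from those files, not from pure-ftpd.conf."""
    merged = parse_main_conf(main_text)
    merged.update(parse_conf_dir(conf_dir_files))
    return merged


PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into
    (ip, port); per RFC 959 the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, config, client_is_remote):
    """Return a list of findings explaining why the data connection this PASV
    reply asks the client to open may fail. An empty list means it looks
    consistent with the configuration and the client's position."""
    findings = []
    ip, port = parse_pasv_reply(reply)

    rng = config.get("PassivePortRange")
    if rng is None:
        findings.append("PassivePortRange not set: the server may pick any "
                        "ephemeral port, so a forwarded 40110-40210 range "
                        "will not cover it")
    else:
        lo, hi = (int(x) for x in rng.split())
        if not lo <= port <= hi:
            findings.append("advertised port %d is outside PassivePortRange "
                            "%d-%d" % (port, lo, hi))

    addr = ip_address(ip)
    if client_is_remote and addr.is_private:
        findings.append("private address %s advertised to a remote client; "
                        "ForcePassiveIP is needed behind NAT" % ip)
    if not client_is_remote and not addr.is_private:
        findings.append("LAN client is told to connect to the public address "
                        "%s; that only works if the firewall reflects (hairpins) "
                        "the data connection back to the server" % ip)
    return findings


if __name__ == "__main__":
    cfg = effective_config(MAIN_CONF, CONF_DIR)
    # Constructed reply: 156*256 + 182 = 40118, inside the forwarded range.
    reply = "227 Entering Passive Mode (176,236,135,163,156,182)"
    for remote in (True, False):
        print("remote client" if remote else "LAN client",
              check_pasv(reply, cfg, remote) or "looks consistent")
```

Run against the constructed samples, a remote client gets no findings (public address, port inside 40110-40210), while a LAN client gets the hairpin finding, which is the same asymmetry the thread observes: passive FTP works from WAN once the server is reachable on 176.236.135.163, but a LAN client is handed the public address and depends on the firewall looping that connection back. Feeding the same reply with an empty configuration, or a reply carrying the 192.168.1.16 LAN address to a remote client, produces the missing-range and private-address findings.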
     
