This post is for training. On the ISPConfig backend server with a private IP, assuming that your custom "Pure-FTP" port is: 1234 So, to set Pure-FTPd in the server behind the NAT, We have to do these steps: Set the custom port, ForcePassiveIP and PassivePortRange in Pure-FTP Code: echo ",1234" > /etc/pure-ftpd/conf/Bind // Change 1234 to the port you want echo "10.20.30.40" > /etc/pure-ftpd/conf/ForcePassiveIP // Replace 10.20.30.40 with the public IP address that clients shall use to connect to the FTP server echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange systemctl restart pure-ftpd-mysql Now check the "Pure-FTPd" listening port Code: netstat -tnulp | grep pure-ftpd The output should be something like this Code: tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 134789/pure-ftpd (S tcp6 0 0 :::1234 :::* LISTEN 134789/pure-ftpd (S You should add the Pure-FTP custom port and PassivePortRange in the ispconfig firewall, so after doing that, "Open TCP ports" should look something like this: 22,25,53,80,110,143,443,465,587,993,995,3306,4190,8080,8081,40110:40210,1234 Set a NAT rule for FTP connections I use the Mikrotik router, so use this command to create the NAT rule Rreplace 10.20.30.40 with your public IP address and 192.168.167.166 with your private IP address Code: /ip firewall nat add chain=dstnat dst-address=10.20.30.40 protocol=tcp dst-port=1234,40110-40210 action=dst-nat to-addresses=192.168.167.166
if you're binding pure-ftp to a custom port then you'll no longer need to keep port 21 open in the ispconfig firewall.