Forum Discussion
Passive FTP Port Range
We have an FTP application that is using Port 9021 for the incoming FTP Port. Once this is established with the backend FTP Application, the application then opens up a random FTP Passive Port from the range 10022 through 10032. I have these configured as VIPs on the F5 and they are also opened on the firewall. When we attempt to connect via FileZilla, we see the initial connection, and the application sends back what Passive FTP port should be used, but it's always sending it back to the IP Address of the F5 itself as the application believes that is the initial source IP. How can we have the client source IP be sent through the F5 so the application sends back to it with the correct Port for it to connect to?
Thanks. Dave
4 Replies
- Kevin_Stewart
Employee
Typically you'd just disable SNAT on the VIP to get the client's true source to the backend server, but then you have to make sure the server isn't capable of routing back around the F5. What I think you're looking for is addressed by an FTP profile configuration applied to the VIP. Take a look at this SOL:
sol6831: Configuring FTP Profile to work with an alternate FTP Control and Data port
- sysadmin_209494
Nimbostratus
That looks like it would work with one Passive port, but I have a range of 11 ports from 10022 to 10032. I can't see how to have it use that range of ports.
Dave
- eskindir_27991
Nimbostratus
The below should work for both FTP and FTPS. If your server does not support Active transfer mode, you can ignore the SNAT configuration section. If you have only one server behind the F5, you may not need the source address based configuration. Finally, as the virtual server is listening on all ports, you may want to add an iRule to drop packets destined to ports that your FTP server is not listening on, for both control and the passive data range.
https://support.f5.com/kb/en-us/solutions/public/9000/300/sol9347.html
- syedimam_147051
Nimbostratus
Can you please advise if it works? I have the same problem, and it works with a TCP profile but failed after receiving the PASV entrance from the server.
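
A check for the two points raised in the replies above, as an added example that is not part of any post in the thread: it parses a 227 (PASV) or 229 (EPSV) reply and reports why a client arriving through the virtual server could not open the data connection, and it models the port filter suggested for a wildcard-port listener. The control port and passive range come from the thread; the addresses and reply lines used with it are constructed, and it assumes the client can reach the server only through the VIP address.

```python
import ipaddress
import re

# Ports from the thread; any addresses passed in are constructed sample values.
CONTROL_PORT = 9021
PASSIVE_PORTS = range(10022, 10033)  # 10022 through 10032 inclusive

_PASV = re.compile(r"^227[ -].*?" + ",".join([r"(\d{1,3})"] * 6))
_EPSV = re.compile(r"^229[ -].*?\((.)\1\1(\d{1,5})\1\)")


def port_allowed(port):
    """Filter decision for a wildcard-port listener: control port or passive range only."""
    return port == CONTROL_PORT or port in PASSIVE_PORTS


def parse_passive_reply(line):
    """Return (IPv4Address or None, port) from a 227 (PASV) or 229 (EPSV) reply."""
    m = _PASV.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("field above 255 in 227 reply")
        # h1,h2,h3,h4 form the address; the port is p1 * 256 + p2.
        return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]
    m = _EPSV.match(line)
    if m:
        # EPSV carries only a port; the client reuses the control connection's address.
        return None, int(m.group(2))
    raise ValueError("not a 227 or 229 reply")


def check_reply(line, vip):
    """Return the reasons a client behind the VIP could not open the data channel."""
    addr, port = parse_passive_reply(line)
    problems = []
    if addr is not None and addr != ipaddress.IPv4Address(vip):
        problems.append(f"advertised address {addr} is not the VIP {vip}")
    if port not in PASSIVE_PORTS:
        problems.append(f"advertised port {port} is outside the published range")
    return problems
```

Feed it the passive-mode reply line shown in the FTP client's log together with the virtual server address; an empty list means the advertised endpoint matches what is published on the F5 and the firewall.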