Your packet capture findings are actually the most important clue here. A "501 server cannot accept argument" immediately after PASV, before any data channel is negotiated, almost certainly means the FTP server is rejecting the control-channel command itself rather than anything related to firewalling or blocked ports. On OPNsense, PF's TCP normalization and reassembly can still behave differently from pfSense or MikroTik, even when scrub rules appear disabled in the GUI. Subtle differences in how TCP segments are split or reassembled can cause commands like LIST to arrive in a format that very strict or legacy FTP servers simply refuse to accept. This would also explain why the payload looks logically identical while still triggering a server-side rejection.
A few non-obvious things worth checking or testing:
Explicitly disable MSS clamping on the WAN interface, even if MTU seems correct.
Inspect the active PF ruleset directly (pfctl -sr) to confirm no implicit scrub rules remain.
Test with a lower MTU on the client host only (e.g. 1400) to see if segmentation behavior changes.
Compare raw FTP CLI output with command echoing enabled to verify command boundaries.
If feasible, try routing FTP traffic through a minimally processed interface or VLAN.
OPNsense currently does not provide a true "pass completely untouched" equivalent to old-style FTP ALG behavior, so some servers that are intolerant to normalization quirks can still fail in exactly this way.
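To make the "verify command boundaries" check concrete, here is an added example (not from the post above, and not an OPNsense or PF tool) that takes the client-to-server payloads of FTP control-channel TCP segments, as a capture tool would hand them back, reassembles the stream and reports each command's terminator and whether it straddles a segment boundary. The two segment lists are constructed sample data, not a real capture; the hostnames and credentials in them are placeholders.

```python
# Added example: inspect FTP control-channel command boundaries from TCP
# segment payloads. All sample data below is constructed for illustration.

# Constructed: a clean session, one complete CRLF-terminated command per segment.
SEGMENTS_CLEAN = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"PASV\r\n",
    b"LIST\r\n",
]

# Constructed: the same logical commands, but PASV is split across two segments,
# LIST ends in a bare LF, and a trailing PWD never receives a terminator.
SEGMENTS_SUSPECT = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\nPA",
    b"SV\r\n",
    b"LIST\n",
    b"PWD",
]


def reassemble(segments):
    """Concatenate segment payloads in capture order (in-order stream assumed)."""
    return b"".join(segments)


def command_boundaries(segments):
    """Return (command, terminator, starts_on_segment_boundary, spans_segments) per command.

    terminator is "CRLF", "LF", or None when the stream ends without one.
    """
    stream = reassemble(segments)
    # Offsets in the reassembled stream at which each segment begins.
    seg_starts = set()
    offset = 0
    for seg in segments:
        seg_starts.add(offset)
        offset += len(seg)

    results = []
    pos = 0
    while pos < len(stream):
        lf = stream.find(b"\n", pos)
        if lf == -1:
            # No terminator at all: the server never sees a complete command.
            tail = stream[pos:].decode("ascii", "replace")
            results.append((tail, None, pos in seg_starts, False))
            break
        end = lf + 1
        raw = stream[pos:end]
        if raw.endswith(b"\r\n"):
            terminator, cmd = "CRLF", raw[:-2]
        else:
            terminator, cmd = "LF", raw[:-1]
        # A command spans segments if some segment starts strictly inside it.
        spans = any(pos < start < end for start in seg_starts)
        results.append((cmd.decode("ascii", "replace"), terminator, pos in seg_starts, spans))
        pos = end
    return results


def findings(segments):
    """Human-readable observations a strict FTP server might object to."""
    notes = []
    for cmd, terminator, _aligned, spans in command_boundaries(segments):
        if terminator is None:
            notes.append(f"{cmd!r}: no line terminator (command never completed)")
        elif terminator != "CRLF":
            notes.append(f"{cmd!r}: terminated by bare LF, RFC 959 requires CRLF")
        if spans:
            notes.append(f"{cmd!r}: split across TCP segments")
    return notes


if __name__ == "__main__":
    for label, segs in (("clean", SEGMENTS_CLEAN), ("suspect", SEGMENTS_SUSPECT)):
        print(f"== {label} ==")
        for note in findings(segs) or ["no anomalies"]:
            print("  " + note)
```

Running it on a real capture means replacing the constructed lists with the client-to-server payloads exported from the packet capture, in order. A command split across segments is normal TCP behaviour and not an error by itself; the point of reporting it is to compare the segmentation seen behind OPNsense with the segmentation seen behind the firewall that works, since that difference, not the command text, is what the post above suspects the strict server is choking on.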