Hello,
I'm facing a specific issue with FTP (plain FTP, port 21) when using OPNsense, which does not occur on pfSense or MikroTik, and I'd like to know if anyone has seen something similar.
Scenario
Firewall: OPNsense (current version)
WAN: Single WAN
Client host: 172.16.10.250
FTP client: FileZilla (also tested via CLI)
Server: External FTP server in the cloud
Protocol: Plain FTP (no TLS)
Problem
FTP connection works
Login works
Initial commands work
On LIST / LS, the server immediately returns:
501 server cannot accept argument
This happens right after PASV, before any data connection is established (so it's not a timeout or blocked port).
Tests already done
Firewall rules allowing all traffic
Outbound NAT (auto, hybrid, manual)
MTU changes
Disable scrub / normalization (GUI + tunables)
Disable reply-to
IDS/IPS disabled
Single WAN
Active/passive mode tests
EPSV disabled
➡️ Issue persists only on OPNsense.
Comparison
pfSense: works
MikroTik: works
OPNsense: fails with 501 on LIST
Packet capture findings
PASV → server replies 227 Entering Passive Mode
Immediately after, server sends 501
Indicates command rejection, not blocked data channel
Payload is logically the same, but TCP segmentation/reassembly differs
FTP server appears intolerant of normalized/fragmented commands
FTP Proxy plugin
Tested os-ftp-proxy, but:
It is not a transparent FTP helper
Requires changing client port/endpoint
Does not behave like the old FTP ALG
Not suitable without modifying clients
Question
Is this a known incompatibility between OPNsense PF TCP normalization and some FTP servers?
Is there any way to:
Fully disable TCP normalization for FTP?
Pass FTP traffic completely untouched?
Any known regression or workaround?
Thanks in advance for any insight.
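To narrow down whether the 501 comes from how the control channel is segmented rather than from the data channel, here is a small control-channel probe. It is an added example, not code from the post, from OPNsense, or from FileZilla: it logs in, sends PASV, parses the 227 reply, opens the data connection, then sends LIST and records the raw reply codes, so the same script can be run behind each firewall and the replies compared. The `split` option is an assumption about what the poster suspects: it sends each command one byte per segment so the server's tolerance of a re-segmented command line can be checked directly. Host, port and credentials are placeholders to be supplied on the command line.

```python
import io
import re
import socket
import sys

# Constructed diagnostic helper (not from the original post): reproduces the
# USER/PASS -> PASV -> LIST exchange and returns every raw reply for comparison.

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line: str):
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    Returns None when the reply is not a 227 or carries no usable address tuple.
    """
    if not line.startswith("227"):
        return None
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def read_reply(rfile) -> str:
    """Read one FTP reply (single-line or RFC 959 multi-line) from a binary file-like.

    A multi-line reply starts with 'xyz-' and ends at a line starting with 'xyz '.
    Returns the whole reply with CRLFs stripped, lines joined by newline.
    """
    first = rfile.readline().decode("latin-1")
    if not first:
        raise EOFError("control connection closed")
    lines = [first.rstrip("\r\n")]
    if len(first) >= 4 and first[3] == "-":
        code = first[:3]
        while True:
            nxt = rfile.readline().decode("latin-1")
            if not nxt:
                raise EOFError("control connection closed mid-reply")
            lines.append(nxt.rstrip("\r\n"))
            if nxt.startswith(code + " "):
                break
    return "\n".join(lines)


def send_command(sock: socket.socket, cmd: str, split: bool = False) -> None:
    """Send one command line. With split=True each byte goes out in its own
    segment (assumption: a crude stand-in for a path that re-segments the stream)."""
    data = (cmd + "\r\n").encode("ascii")
    if not split:
        sock.sendall(data)
        return
    for i in range(len(data)):
        sock.sendall(data[i:i + 1])


def probe(host, port=21, user="anonymous", password="anon@example.invalid",
          split=False, timeout=10.0):
    """Login, PASV, LIST against a server; return a list of (command, reply) pairs."""
    log = []
    with socket.create_connection((host, port), timeout=timeout) as ctrl:
        rfile = ctrl.makefile("rb")
        log.append(("<connect>", read_reply(rfile)))
        for cmd in (f"USER {user}", f"PASS {password}", "TYPE A", "PASV"):
            send_command(ctrl, cmd, split)
            log.append((cmd, read_reply(rfile)))
        target = parse_pasv_reply(log[-1][1])
        if target is None:           # no usable 227: report what we got and stop
            return log
        # Open the data connection before LIST, as FileZilla does in passive mode.
        with socket.create_connection(target, timeout=timeout) as data_sock:
            send_command(ctrl, "LIST", split)
            log.append(("LIST", read_reply(rfile)))   # 150 expected; 501 is the reported failure
            if log[-1][1].startswith(("125", "150")):
                listing = data_sock.makefile("rb").read()
                log.append(("<data>", f"{len(listing)} bytes"))
                log.append(("<after LIST>", read_reply(rfile)))  # 226 expected
        send_command(ctrl, "QUIT", split)
        log.append(("QUIT", read_reply(rfile)))
    return log


if __name__ == "__main__":
    # usage: python ftp_probe.py HOST [USER PASS] [--split]
    args = [a for a in sys.argv[1:] if a != "--split"]
    if not args:
        sys.exit("usage: ftp_probe.py HOST [USER PASS] [--split]")
    creds = {"user": args[1], "password": args[2]} if len(args) >= 3 else {}
    for cmd, reply in probe(args[0], split="--split" in sys.argv, **creds):
        print(f"{cmd:>14} | {reply}")
```

Run it once with the firewall in the path and once from a host that bypasses it; if the plain run returns 150/226 on LIST in both places but the `--split` run reproduces the 501 everywhere, the server is rejecting re-segmented command lines and the firewall is only the trigger, which points at the normalization path rather than at NAT or the data port.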