Troubleshooting the disaster that is RFC959
First off, FTP will only work on the primary WAN until someone finishes pftpx-routeto integration. It is also NOT currently working in load balancing situations when the FTP helper is turned on.
Outgoing FTP (LAN -> Internet) *UPDATED PORTS, please check!*
1. Ensure that the FTP helper is not disabled on Interfaces -> LAN
2. If you have a restrictive ruleset or are using policy-based routing for multiple WANs, ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. For example: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that use policy-based routing.
3. If you are running Windows, try turning off the Windows firewall
Incoming FTP using 1:1 NAT
1. Ensure that the FTP helper is DISABLED on the WAN/OPT WAN interface
2. Allow port tcp/21 to the internal host
3. Allow the data port range used by your FTP server. This is generally a large range of ports and we suggest limiting the ports on the FTP server if possible to a couple hundred or one thousand ports total.
Incoming FTP using Port Forwards (Internet -> LAN/OPT LAN-type interface, i.e. no gateway entered for the OPT interface)
1. Ensure that the FTP helper is enabled on the WAN/OPT interface
2. Delete any existing FTP port forwards or firewall rules that were created previously for FTP
3. Add a new port forward for destination port 21 with the destination private NAT IP (example: 192.168.1.20) (this is even the case for 1:1 NAT'd interfaces!)
4. If you are running Windows, try turning off the Windows firewall
Alternatively, for incoming FTP you can disable the FTP helper on Interfaces -> WAN and simply port forward 21 and the data port range used by FTP. Modern FTP server implementations generally let you define this range, so you can easily restrict the data ports to a specific range and simply forward that.
Oh no, the above doesn't help. What can I do?
1. Use SCP/SFTP, which only needs 1 port to traverse the firewall since it's wrapped in SSH (yes, a safe AND simple way of traversing a firewall!)
2. Don't use FTP
3. Turn off the FTP helper option in Interfaces -> LAN and Interfaces -> WAN or any optional interfaces in use.
4. Switch to an alternative firewalling system