Enable passive FTP connections in vsftpd
Passive FTP connections rely on the server being able to offer a range of ports to the client: for each data transfer the server listens on one port from that range and tells the client (in its 227 reply to PASV) which port to connect to. The number of ports you need is proportional to the number of concurrent transfers you expect to serve, since each open data connection occupies one port for its duration. To allow passive FTP, we must first tell vsftpd which ports to use, and then edit the firewall rules to allow connections to those ports.
Edit: /etc/vsftpd/vsftpd.conf
And add:
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12100
Leaving pasv_min_port and pasv_max_port at their default of 0 lets vsftpd pick any free port, which is impossible to firewall sensibly. If the server sits behind NAT, also set pasv_address to the public IP address; otherwise vsftpd advertises its private address to the client and the data connection never arrives.
We then need to modify the firewall to open exactly the same range of ports (port 21 for the control connection must be open as well). Keep the range as narrow as your expected number of concurrent transfers allows, and ideally restrict access to your own IP address for extra security. On web1 I did this:
-A INPUT -s 12.34.56.78 -p tcp -m tcp -m multiport --dports 12000:12100 -m state --state NEW -j ACCEPT
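The step that usually goes wrong is a mismatch between the three pieces above: the range in vsftpd.conf, the range in the firewall rule, and the port the server actually advertises in its 227 reply. The following script is an added example (not part of the original post or of vsftpd) that derives the firewall rule from the configured range, parses a PASV reply the way an FTP client does (RFC 959: port = p1*256 + p2), and checks that the advertised port falls inside the range. The config text, the 227 reply and the address 10.0.0.5 are constructed sample data; check_live_server() is the same check against a real server and is not called here because it needs one to talk to.

```python
"""Check that a vsftpd passive-port configuration, the firewall rule and a
PASV reply agree.  Added example; not code from the original post or vsftpd."""
import re
from ftplib import FTP

# Constructed sample vsftpd.conf, mirroring the settings in the post.
SAMPLE_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12100
"""

# Constructed sample 227 reply; a real server's reply has the same shape.
# (46*256)+232 = 12008, which lies inside 12000-12100.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,46,232)."

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_config(conf_text):
    """Return (enabled, min_port, max_port) from vsftpd.conf text.

    vsftpd's default for both port settings is 0, meaning "any free port";
    that is allowed here only when passive mode is disabled, because an
    unbounded range cannot be matched by a firewall rule."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    enabled = settings.get("pasv_enable", "NO").upper() in ("YES", "TRUE", "1")
    lo = int(settings.get("pasv_min_port", "0"))
    hi = int(settings.get("pasv_max_port", "0"))
    if enabled and (lo == 0 or hi == 0 or lo > hi):
        raise ValueError(f"unusable passive range {lo}-{hi}")
    return enabled, lo, hi


def iptables_rule(lo, hi, source=None):
    """Build the INPUT rule opening the passive range, optionally for one source only."""
    parts = ["-A INPUT"]
    if source:
        parts.append(f"-s {source}")
    parts.append(f"-p tcp -m tcp -m multiport --dports {lo}:{hi} "
                 "-m state --state NEW -j ACCEPT")
    return " ".join(parts)


def parse_pasv_reply(reply):
    """Extract (host, port) from a 227 reply: h1,h2,h3,h4,p1,p2 -> host, p1*256+p2."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: " + reply)
    match = PASV_RE.search(reply)
    if not match:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: " + reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_in_range(port, lo, hi):
    """True when an advertised data port is one the firewall rule will accept."""
    return lo <= port <= hi


def check_live_server(host, user, password, lo, hi):
    """Against a real server (hypothetical credentials): log in, send PASV and
    confirm the advertised port is inside the configured range."""
    with FTP(host) as ftp:
        ftp.login(user, password)
        _, port = parse_pasv_reply(ftp.sendcmd("PASV"))
    return port_in_range(port, lo, hi)


if __name__ == "__main__":
    enabled, lo, hi = parse_pasv_config(SAMPLE_CONF)
    print("passive enabled:", enabled, "range:", lo, hi)
    print("firewall rule:", iptables_rule(lo, hi, "12.34.56.78"))
    host, port = parse_pasv_reply(SAMPLE_PASV_REPLY)
    print("server advertised", host, port, "in range:", port_in_range(port, lo, hi))
```

Run the script as is to see the rule it derives from the sample config; point check_live_server() at your own server to confirm the port it hands out is one the firewall lets through. If the advertised host is a private address while clients connect from outside, that is the pasv_address problem described above, not a firewall problem. On current kernels `-m conntrack --ctstate NEW` is the preferred spelling of `-m state --state NEW`; the generated rule keeps the post's form so it can be compared with it directly.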