Odd FTP behaviour

Gob · Oct 20, 2011, 11:08 AM

Hi

we are experiencing peculiar behaviour with FTP at one of our sites. They are running pfSense v2 stable with a fairly standard LAN, WAN & DMZ.
They have a filezilla FTP server sitting in the DMZ with a NAT Port Forwarding rule from WAN to DMZ.

Access to the FTP server works perfectly from the public internet.

we have a split dns for the FTP host using the DNS Forwarder on pfSense to redirect LAN access to the FTP server straight to the DMZ.

The following default rules are in place for LAN and DMZ:

LAN INTERFACE:
Proto: *
Source: LAN net
Port: *
Destination: *
Gateway: *

DMZ INTERFACE:
Proto: *
Source: DMZ net
Port: *
Destination: !LAN net
Gateway: *

When users on the LAN try to upload to the FTP server in the DMZ they are able to connect OK but after 18 seconds the connection drops and the uploaded file is corrupt.
As it works perfectly for traffic coming in on the WAN interface I think we can rule out any issues with the FTP server itself.

Any suggestions?

thanks
Gordon

podilarius · Oct 20, 2011, 11:25 AM

i would not rule out the server so quickly. Filezilla server has a option to respond with this public IP to passive requests, as well as setting the port range. There is an option to not use external IP for internal communications. If this is checked, then it might be a flaw in filezilla server that reads only the DMZ subnet as internal.

Gob · Oct 20, 2011, 2:43 PM

thanks for your response. I have just worked out what the problem is…

I have just learned that the FTP server has two nics in it - one in the DMZ and the other on the LAN!
So whilst I was routing traffic to the FTP server via the pfSense and DMZ interface, the Data stream I guess was coming back direct via the LAN nic.

::)