Netgate Discussion Forum
Hi, Problem accessing FTP behind pfSense firewall

    46 Posts 5 Posters 17.8k Views
doktornotor:

      @dvirshiber:

Our company uses that old-fashioned protocol just because it is a safe and simple way to transfer files betwe

ROFL. Look, it's neither simple (badly broken with NAT both client- and server-side), nor secure (since, apparently, you don't use encrypted FTP; otherwise nothing would have changed for you between 2.1.x and 2.2.x, since the helper of course never worked with encrypted traffic).

mer:

        @johnpoz:

So they were using active FTP to grab a license file? Because in passive FTP you have to do nothing for it to work. Only if you were running a passive server behind pfSense would you have to do anything on the firewall.

If they were using the built-in FTP in Windows, that would use active FTP.

So this company had no website to pull the file from, and they thought FTP was better for pulling a license than just plain HTTP? Makes no sense at all.

Agreed, it makes no sense at all; but that's what I had to do and no one understood what I was talking about.

johnpoz (LAYER 8 Global Moderator):

So you're the admin, and you made the move to pfSense from Checkpoint? Why are you involved with this and don't know how to create a firewall rule to allow public access to your FTP server??

Maybe you should hire someone. You can hire services from pfSense if you can not figure it out.

So what ports is your FTP server using for its passive range? You would need to forward this to the firewall, just like you do with the port 21 control channel. So in your FTP server set the passive range to be, say, 5000 to 6000, then forward those TCP ports to your server. You will also need to make sure the server uses its actual public IP and not its private IP.

You really should understand how FTP works if you're going to be doing the firewall rules for your company.
Excellent write-up: http://slacksite.com/other/ftp.html

If the clients were using active, it should work unless you block your FTP server from talking to the public net?? So do you have rules limiting your network to, say, 80, 443, etc.? In an active connection you have no idea what port the client will tell your server to connect to.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

dvirshiber:

OK guys, apparently none of you can really read and understand both times (2 operations, that is quite complicated).

I didn't say that I don't know how to create a rule, Mr. johnpoz.
If you read it again you'll figure out I just need to know what extra rule I am missing,
and all of that assuming that the same rules and configuration from the Checkpoint were working just fine.

I guess none of you is really an IT professional who can understand that in the REAL world of IT, sometimes you need to compromise on the technology to make the connection with your clients easier.
Here, we are working with ActiveX, a very simple connection and control. You need to consider time, and time-to-market elements, in every aspect of your work.

And that was a little monologue of 20 secs on how things work.

Of course the FTP server is using its public IP; as I already said, I set up a 1:1 NAT between the private and public IP.

I also configured the FTP server to use a narrow range of passive ports, something like 5500-5700.

I guess the only thing I have missed is that explicit port forward of these passive ports I mentioned above.

If anything I just said is incorrect, you are very welcome to respond.

doktornotor:

              @dvirshiber:

I guess the only thing I have missed is that explicit port forward of these passive ports I mentioned above.

              Because configuring things as documented is much more difficult than producing 3 days worth of incessant rants. Right.

dvirshiber:

I think that you forgot that the purpose of this forum is not to educate people, but to try to help,
even if you helped before with the same question.

Anyway,
have a good day, and happiness.

dvir.

doktornotor:

                  @dvirshiber:

I think that you forgot that the purpose of this forum is not to educate people, but to try to help,

                  OH RLY? You can purchase support for that.

dvirshiber:

Hi again,
So, I decided today to give it a second chance, configured my FTP to work with the passive ports 5500-5700 and added that rule to the firewall.
Still the LIST command didn't work.

Here is a screenshot (attached); what do you think could be the mistake here:

[screenshot attached: 1.JPG]

KOM:

                      Your firewall rule looks good.  What about the corresponding NAT rule?  How did you configure your FTP server?  I run Filezilla Server behind pfSense 2.2.4 without any problems.

dvirshiber:

I set a 1:1 NAT between the internal IP (192.168.0.9) and the external (213.8.246.209).

Here is the passive port range at the FTP server:

[screenshot attached: 1.JPG]

KOM:

                          Why are you doing 1:1 NAT?  That isn't necessary.  Just have a NAT for port 21 to that system and another for the passive port range.  Two firewall rules, two NAT rules and you're done.

dvirshiber:

What do you mean?

I have a pool of addresses, and I don't want the clients to use the external IP of the firewall to connect to the FTP, but an explicit IP address (213.8.246.209) direct to my FTP server.

Without the 1:1 NAT setting, they will not reach anything by typing that address!

So I have to set 1:1 NAT, so when they access 213.8.246.209 it will be routed to the internal address of the FTP in our LAN (192.168.0.9).

KOM:

@dvirshiber:

What do you mean?

                              A port-forward is a type of NAT where you bind a LAN IP to a WAN IP, and provide a mapping of the specific ports that you want to be open.  1:1 NAT does a complete mapping of all ports from the WAN IP to LAN IP.  It's overkill for your needs here.  You only need 2 firewall rules and two port-forwards.  You haven't posted a screen of your NAT rules.

dvirshiber:

Thank you buddy, for your time and energy.

Here are the NAT rules:

[screenshot attached: 1.JPG]

KOM:

                                  For Dest. addr, you need to put the WAN IP address of the server, so 213.8.246.209 in your case.

dvirshiber:

Well, I did it, and even deleted the 1:1 NAT (now that I understand I don't need it).

Now the clients can access the FTP and successfully LOG ON, but can't do any command like LIST, PUT …

Do you think it is still something with my FTP server?

KOM:

Now the clients can access the FTP and successfully LOG ON

                                      Making progress…

Do you think it is still something with my FTP server?

                                      Perhaps.  Check your logs.  Anything in your pfSense Firewall log?  Anything in your FTP server log?

johnpoz (LAYER 8 Global Moderator):

Well, your passive ports sure as hell are not UDP?? Are you sure the FTP server is handing out your PUBLIC IP and not its private one? If you send me a login I will validate what the server is sending for IP and port when I try to do a passive connection.

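The two checks johnpoz asks for here and in his earlier post (is the server handing out its public IP rather than 192.168.0.9, and does the advertised data port fall inside the range that was forwarded, 5500-5700 in this thread) can be read straight out of the server's reply to PASV. The 227 reply carries the address and port as six decimal fields, `h1,h2,h3,h4,p1,p2`, with the port being `p1*256 + p2`. The script below is an added example, not code from the thread or from pfSense; it parses that reply, flags a private or unexpected address and an out-of-range port, and includes a small `ftplib` probe for checking a live server (not used by the offline checks). The sample replies are constructed; the IPs and passive range are the ones posted in the thread.

```python
"""Inspect what an FTP server advertises in its PASV (227) reply.

Added example, not part of the original forum thread. A client that can
log in but fails on LIST/PUT is usually hitting exactly one of the two
problems checked here: the server advertises a private address, or the
advertised data port was never forwarded on the firewall.
"""
import ipaddress
import re

# Passive range the thread's FTP server was configured with (from the posts).
PASSIVE_RANGE = (5500, 5700)

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; some servers omit the parentheses.
_PASV_RE = re.compile(
    r"^227\b.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply, or raise ValueError if it is malformed."""
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_reply(reply: str, expected_public_ip: str,
                     passive_range: tuple[int, int] = PASSIVE_RANGE) -> dict:
    """Flag the misconfigurations a NATed passive server typically shows."""
    host, port = parse_pasv_reply(reply)
    lo, hi = passive_range
    problems = []
    addr = ipaddress.ip_address(host)
    if addr.is_private:
        problems.append(f"server advertises private address {host}; external clients cannot reach it")
    elif host != expected_public_ip:
        problems.append(f"server advertises {host}, expected public IP {expected_public_ip}")
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return {"host": host, "port": port, "ok": not problems, "problems": problems}


def probe_live(host: str, user: str, password: str, port: int = 21, timeout: float = 10.0) -> str:
    """Log in to a real server and return its raw PASV reply (network access; not run offline)."""
    import ftplib
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login(user, password)
    try:
        return ftp.sendcmd("PASV")
    finally:
        ftp.quit()


if __name__ == "__main__":
    # Constructed replies illustrating a correct server and the two failure modes.
    samples = [
        "227 Entering Passive Mode (213,8,246,209,21,124)",   # public IP, port 5500: fine
        "227 Entering Passive Mode (192,168,0,9,21,124)",     # private IP leaked: LIST hangs
        "227 Entering Passive Mode (213,8,246,209,4,1)",      # port 1025: not forwarded
    ]
    for s in samples:
        result = check_pasv_reply(s, "213.8.246.209")
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {s} -> {result['host']}:{result['port']} {'; '.join(result['problems'])}")
```

Run `probe_live()` from outside the firewall, not from the LAN, since a server that is correct for internal clients can still hand out 192.168.0.9 to everyone else; once the advertised address and port pass, the remaining suspect is the port-forward and its firewall rule on pfSense.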
dvirshiber:

Wait a sec…

After I deleted the 1:1 NAT (following KOM's idea), the FTP server is not using its public IP anymore when it goes out (it started using our "general" network NAT IP).

I know that when I used the Checkpoint router I bound the internal IP to the public IP through its MAC address.
I guess I need to do the same thing here, but how?

KOM:

                                            Do you have a Virtual IP alias (Firewall - Aliases) for your public IP used by your FTP server?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.