Netgate Discussion Forum

    Hi, Problem accessing FTP behind pfSense firewall

      dvirshiber

      I think that u forgot that the purpose of this forum is not to educate people, but to try to help,
      even if you helped before with the same Q.

      Anyway,
      have a good day, and happiness

      dvir.

        doktornotor Banned

        @dvirshiber:

        I think that u forgot that the purpose of this forum is not to educate people, but to try to help,

        OH RLY? You can purchase support for that.

          dvirshiber

          Hi again,
          So, I decided today to give a second chance, configured my ftp to work with the passive ports 5500-5700 and added that rule to the firewall.
          Still the command LIST didn't work.

          Here is a screenshot (attached), what do u think could be the mistake here:

          [attached screenshot: 1.JPG]

            KOM

            Your firewall rule looks good.  What about the corresponding NAT rule?  How did you configure your FTP server?  I run Filezilla Server behind pfSense 2.2.4 without any problems.

              dvirshiber

              I set a 1:1 NAT between the internal IP (192.168.0.9) and the external (213.8.246.209)

              Here is the passive port range at the FTP server:

              [attached screenshot: 1.JPG]

                KOM

                Why are you doing 1:1 NAT?  That isn't necessary.  Just have a NAT for port 21 to that system and another for the passive port range.  Two firewall rules, two NAT rules and you're done.

                  dvirshiber

                  What do u mean?

                  I have a pool of addresses, and I don't want the clients to use my external IP of the firewall to connect to the FTP, but an explicit IP address (213.8.246.209) direct to my FTP server.

                  Without the 1:1 NAT setting, they will not reach anything by typing that address!

                  So I have to set 1:1 NAT, so when they access 213.8.246.209 it will be routed to the internal address of the ftp in our LAN (192.168.0.9)

                    KOM

                    @dvirshiber:

                    what do u mean?

                    A port-forward is a type of NAT where you bind a LAN IP to a WAN IP, and provide a mapping of the specific ports that you want to be open.  1:1 NAT does a complete mapping of all ports from the WAN IP to LAN IP.  It's overkill for your needs here.  You only need 2 firewall rules and two port-forwards.  You haven't posted a screen of your NAT rules.

                      dvirshiber

                      thank u body, for your time and energy.

                      Here are the NAT rules:

                      [attached screenshot: 1.JPG]

                        KOM

                        For Dest. addr, you need to put the WAN IP address of the server, so 213.8.246.209 in your case.

                          dvirshiber

                          Well, I did it, and even deleted the 1:1 NAT (now that I understand I don't need it)

                          Now the clients can access the ftp and successfully LOG ON, but can't do any command like LIST, PUT …

                          Do you think it is still something with my ftp server?

                            KOM

                            @dvirshiber:

                            now the clients can access the ftp and successfully LOG ON

                            Making progress…

                            @dvirshiber:

                            do you think it is still something with my ftp server?

                            Perhaps.  Check your logs.  Anything in your pfSense Firewall log?  Anything in your FTP server log?

                              johnpoz LAYER 8 Global Moderator

                              Well, your passive ports sure as hell are not UDP??  Are you sure the ftp server is handing out your PUBLIC IP and not its private?  If you send me a login I will validate what the server is sending for IP and port when I try and do a passive connection.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                                dvirshiber

                                Wait a sec…

                                After I deleted the 1:1 NAT (following KOM's idea), the ftp server is not using its public IP anymore when it goes out. (It started using our "general" network IP NAT.)

                                I know that when I used the checkpoint router I bound the internal IP to the Public IP through its MAC address.
                                I guess I need to do the same thing here, but how?

                                  KOM

                                  Do you have a Virtual IP alias (Firewall - Aliases) for your public IP used by your FTP server?

                                    dvirshiber

                                    Hey, I'm not so familiar with this setting,
                                    What should I do there?

                                      KOM

                                      @dvirshiber:

                                      What should I do there?

                                      Well, that depends on whether or not you have more than one public IP address.  If you have more than one, you use Virtual IPs to let pfSense handle them, and you use those IPs in your NAT rules as destinations.  I don't want to confuse the issue though.  This shouldn't be that hard:

                                      • 1 NAT port forward for port 21 to your ftp server

                                      • 1 NAT port forward for the passive port space you are using to your ftp server

                                      • 1 firewall rule to allow the port 21 traffic to your ftp server

                                      • 1 firewall rule to allow the passive port space traffic to your ftp server

                                      That's it.  This assumes that your ftp server works properly and is configured properly.

                                        dvirshiber

                                        First, I'd like to thank you for your help.

                                        Second, for all those who will have the same problem as me:

                                        I installed FileZilla server at the FTP server, and things began to work just fine!

                                          KOM

                                          I was starting to suspect that it was your FTP server.  Glad to hear you got it working.  Which server were you running before, so that we know to avoid it?

                                            johnpoz LAYER 8 Global Moderator

                                            Yeah would be curious to what ftp server you were using as well, most likely it was not sending out its correct public IP but its private IP when doing passive connections.  Filezilla makes it quite easy to manipulate using private or public and even offer solutions for your public to be looked up by the ftp server, etc.

                                            While you stated you set the passive to a limited range, I have to assume any ftp server that allowed for that would also allow for use of public IP vs its local private IP.

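The check johnpoz describes in the thread (which IP and port the server hands out for a passive connection), as an added example that is not code from any poster or from pfSense: it parses an FTP `227` reply and flags a private address or a port outside the forwarded range. The sample replies are constructed; the addresses and the 5500-5700 range are the ones posted in this thread.

```python
import ipaddress
import re

# A 227 reply carries h1,h2,h3,h4,p1,p2 (RFC 959); data port = p1*256 + p2.
PASV_RE = re.compile(
    r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def check_pasv(reply, public_ip, port_range):
    """List the problems that would break the data connection through NAT."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a valid 227 PASV reply"]
    ip, port = parsed
    problems = []
    if ip.is_private:
        # Remote clients cannot route to an RFC 1918 address.
        problems.append(f"server advertises private address {ip}")
    elif ip != ipaddress.IPv4Address(public_ip):
        problems.append(f"server advertises {ip}, expected {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        # No port forward or firewall rule covers this port.
        problems.append(f"port {port} is outside forwarded range {lo}-{hi}")
    return problems

# Constructed sample replies using the addresses and range from this thread.
PUBLIC_IP, PASSIVE_RANGE = "213.8.246.209", (5500, 5700)
SAMPLES = [
    "227 Entering Passive Mode (192,168,0,9,21,200)",    # private IP, port 5576
    "227 Entering Passive Mode (213,8,246,209,21,200)",  # public IP, port 5576
    "227 Entering Passive Mode (213,8,246,209,195,80)",  # public IP, port 50000
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line, PUBLIC_IP, PASSIVE_RANGE) or "OK")
```

The `227` line to feed in is the one shown in the FTP client's log right after it sends `PASV`.
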
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.