Ftp-proxy through dual WAN
-
hello
I randomly have timeout or "SECURITY VIOLATION" in proftpd logs during passive transfers to an FTP server.
Transfers are started from LAN and ftp-proxy, when enabled, makes data connections with two WAN IP origins…
My configs:
FTP server on internet (proftpd): PassivePorts 65000 65500
Pfsense config (2.1.1-PRERELEASE (amd64) built on Wed Feb 5 14:09:54 EST 2014 FreeBSD 8.3-RELEASE-p14)
The default WAN is GW_ADSL
The second WAN is GW_SDSL
LAN interface is IFLAN10 and my routing policy is to use gateway "GW_SDSL" for FTP through GW failover:
pass in quick on $IFLAN10 inet proto tcp from 172.16.64.0/19 to <negate_networks> port 21 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $IFLAN10 $GWfailoverSDSL inet proto tcp from 172.16.64.0/19 to any port 21 flags S/SA keep state label "USER_RULE: FTP sortant"
debug.pfftpproxy=0
Filezilla config: passive transfers
Why is ftp-proxy making connections with two originating IPs? I thought it should create FTP data connections with the same IP as the FTP control connection…
Now, if I add explicit rules and policy routing, it works:
pass in quick on $IFLAN10 $GWfailoverSDSL inet proto tcp from 172.16.64.0/19 to any port $Ports_FTPdata flags S/SA keep state label "USER_RULE: FTP sortant"
Then IP for FTP data and IP for FTP connect are the same and my FTP server is happy :D
But ftp-proxy doesn't help me anymore… since I have to add specific rules for each FTP server.
Am I missing something, or is this the normal behaviour? Can I tune ftp-proxy?
Thanks!
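The symptom described in this post (the FTP control session leaving through one WAN IP while ftp-proxy's passive data connections leave through the other, which proftpd then rejects) can be confirmed from the pf state table. The following is an added diagnostic script, not part of the original post or of pfSense; it parses pfctl -ss style state lines (format approximated, sample lines constructed with documentation addresses) and reports FTP sessions whose data connections to the PassivePorts range use a different post-NAT source than their control connection.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `pfctl -ss` output on a NATing pfSense box:
# post-NAT source, original LAN source in parentheses, then destination.
# Control session to port 21 leaves via 203.0.113.20; one passive data
# connection into proftpd's PassivePorts range (65000-65500) leaves via 192.0.2.9.
SAMPLE_STATES = """\
all tcp 203.0.113.20:51234 (172.16.64.5:51234) -> 198.51.100.7:21 ESTABLISHED:ESTABLISHED
all tcp 203.0.113.20:51235 (172.16.64.5:51235) -> 198.51.100.7:65012 ESTABLISHED:ESTABLISHED
all tcp 192.0.2.9:51236 (172.16.64.5:51236) -> 198.51.100.7:65100 ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^\S+\s+tcp\s+(?P<wan>[\d.]+):\d+\s+\((?P<lan>[\d.]+):\d+\)"
    r"\s+->\s+(?P<srv>[\d.]+):(?P<dport>\d+)"
)


def find_split_ftp_sessions(states, pasv_lo=65000, pasv_hi=65500):
    """Group states by (LAN client, FTP server) and return only the sessions
    whose passive data connections left through a WAN IP that differs from
    the WAN IP of the control connection (port 21). Those are the sessions
    proftpd will reject, because the data peer does not match the control peer."""
    sessions = defaultdict(lambda: {"control": None, "data": set()})
    for line in states.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # skip non-TCP or non-NAT states we do not model here
        key = (m["lan"], m["srv"])
        dport = int(m["dport"])
        if dport == 21:
            sessions[key]["control"] = m["wan"]
        elif pasv_lo <= dport <= pasv_hi:
            sessions[key]["data"].add(m["wan"])
    return {
        key: info
        for key, info in sessions.items()
        if info["control"] is not None and info["data"] - {info["control"]}
    }


if __name__ == "__main__":
    for (client, server), info in find_split_ftp_sessions(SAMPLE_STATES).items():
        print(f"{client} -> {server}: control via {info['control']}, "
              f"data via {sorted(info['data'])}")
```

On a live box the input would be the output of `pfctl -ss`; an empty result means control and data connections are leaving through the same WAN IP, which is what the explicit policy-routing rule for the data port range achieves.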
-
I'm a bit confused... Where are the clients? Are they public internet clients coming into your network, or are they LAN clients on your network talking to your FTP servers via a public IP to be forwarded back in?
-
Sorry…
The FTP clients are on my LAN, where pfSense is installed. This pfSense box has two WAN IPs.
They connect to an internet FTP server.