Netgate Discussion Forum

    [solved] Outbound NAT with WAN DHCP IP Address

    Category: NAT | 18 Posts, 2 Posters, 1.6k Views

justsomeguy:

      Thanks and you're exactly right.

johnpoz (LAYER 8 Global Moderator):

        Let us know how it turns out once you get your sg-1000..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

justsomeguy:

          Well, box came in. Part was easy and worked flawlessly, part I have to figure out.

          HTTP works great.

          FTP doesn't work. The client connects via port 21 just fine, commands and responses go back and forth between client and server. The FTP server is active only and the client issues the PORT command which includes a corporate LAN IP of the client that is not accessible to the server (since it has no gateway). So I gather I need to either configure pfsense to intercept the PORT command, change the values, and then pass it along or create some sort of FTP proxy on pfsense. Is that right? Any thoughts?

          I'm looking to see if the server can be configured to support passive, but as of right now it returns "not implemented" when the client tries.

johnpoz (LAYER 8 Global Moderator):

            Where is FTP? On your server (iot device) behind pfsense? And your client is out on your wan? And the server only does active?

            You're going to have a problem with that for sure… Since the server has NO gateway, and the client would be telling the server come connect to me on IP address 1.2.3.4 which is a problem...

            Whatever this device is - to be honest I would get something else that supports a gateway!!!

justsomeguy:

              FTP server is the 10.0.0.1 behind the pfSense LAN

              Client is in the corporate LAN 172.16.x.x space (pfSense WAN).

              It seems the server only does active, but I'm looking into this. Device is a product we are developing. It is never intended to be accessible on a larger network when in-use, I'm just trying to cheat to make things easier here to support development.

              Am I correct that passive would solve the problem?

              Are there any other pfSense options to support this? Intercept the PORT command? FTP proxy? Other ideas?

              (attached diagram: Arch.gv.png)

johnpoz (LAYER 8 Global Moderator):

                Passive could maybe fix the problem depending on the ftp client.. With passive the ftp server tells the client in the control channel, hey come connect to me - if it says 10.0.0.1 you're out of luck!! But some clients will say that doesn't work, I connected to you on 172.16.x.x, I will use that and the port you gave me in the passive command.

                If this is something you're developing and designed to only work on the same network… Why are you putting it behind a firewall to try and test it?

                I would suggest you drop ftp completely and use sftp!! FTP should have died 10 years ago or longer - it's CRAP!!! It's not secure and as you can see a PITA across firewalls and nat..

                I would also suggest your device have the ability to set a gateway so you can use it across segments. If this is designed for home use, more and more homes are segmenting their networks because they don't want untrusted iot devices on the same network as their trusted devices, etc.

justsomeguy:

                  Good to know, any suggestions to try besides passive since not sure that will work?

                  The intended use is an air gapped, ~3 device network all with static IPs and directly connected via a switch. Think of it as a room level network.

                  I'm trying to connect it to the larger network so developers, some local and some remote, can make changes to the device, i.e. develop, without having to physically walk over and connect to the device. I had previously hooked up a 2 NIC desktop that could have 1 NIC attached to the device and 1 NIC connected to the corporate network. That had some problems and I was hoping this pfSense solution would be an improvement.

                  The FTP is also intended for development only, it won't be in the product when released.

johnpoz (LAYER 8 Global Moderator):

                    Connect a computer or few computers to this 10. network you have behind pfsense and let users access them.. Then from there they can ftp all they want since they would be on the 10 network and local to this iot device.

justsomeguy:

                      That is what I had done. There had been some annoyances, I was hoping pfSense would be an improvement.

johnpoz (LAYER 8 Global Moderator):

                        It works fine for web access and would also work fine for say ssh/sftp, but with FTP, how it uses a control channel and data channel, it's going to be a problem without the client/server being able to handle the ability to talk off the local network, or even in passive the server being able to give out the specific NAT IP and set ports it will use.

                        If your ftp server running on the device could do passive and hand out the 172. address and use specific ports like 5000-6000 for the passive range then you could get it to work fine.

justsomeguy:

                          I'm marking this as solved since it had drifted into an FTP specific question.

                          I'm looking into whether the device can support passive, not sure yet.

                          I did download the FTP Proxy package and a quick look makes it seem like it is not suitable since what I would really need is a transparent forwarding FTP proxy. (anyone correct me if I'm wrong).

                          Thanks.

johnpoz (LAYER 8 Global Moderator):

                            The ftp package is for clients behind pfsense to go to active ftp servers on the internet.. It doesn't work with active servers behind pfsense, especially ones that would have no way to get to the client's IP anyway since it has no gateway.

                            What that package does is look in the control channel and see the port the client is telling the server to connect to, and then forwarding that port to the client.

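An added example (my own code, not from the thread, pfSense, or the FTP proxy package) that models the PORT/PASV problem johnpoz describes above: it parses the client's PORT command and the server's 227 passive reply, exactly the control-channel lines a firewall helper has to inspect, and checks whether the other side can actually reach the advertised data endpoint. Assumptions, constructed from the thread: the server is 10.0.0.1/24 with no gateway, the client sits in 172.16.0.0/12, the pfSense WAN address is a hypothetical 172.16.5.20, and a passive range of 5000-6000 is port-forwarded to the server.

```python
# Added example (not from the thread): why active/passive FTP breaks here.
# Parses the control-channel lines johnpoz describes (client PORT for active
# mode, server "227" reply for passive mode) and checks whether the advertised
# data endpoint is reachable from the other side. Addresses are constructed
# from the thread; the pfSense WAN address 172.16.5.20 is hypothetical.
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Networks each side can route to (constructed from the thread).
SERVER_ROUTES = [ipaddress.ip_network("10.0.0.0/24")]   # no default gateway
CLIENT_ROUTES = [ipaddress.ip_network("172.16.0.0/12")]  # corporate LAN only
# Passive ports pfSense would forward to 10.0.0.1 (johnpoz's 5000-6000 idea).
PASV_FORWARD_PORTS = range(5000, 6001)

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 passive-mode reply."""
    m = PORT_RE.match(line.strip()) or PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def can_reach(routes, ip):
    return any(ipaddress.ip_address(ip) in net for net in routes)

def active_ok(port_line):
    """Active mode: the server must open the data connection to the client."""
    ip, _port = parse_endpoint(port_line)
    return can_reach(SERVER_ROUTES, ip)

def passive_ok(reply_227, control_peer_ip, client_ignores_advertised_ip=False):
    """Passive mode: the client connects to the address/port in the 227 reply.
    Some clients ignore the advertised IP and reuse the control-channel peer
    (the pfSense WAN address), the client behaviour johnpoz mentions."""
    ip, port = parse_endpoint(reply_227)
    if client_ignores_advertised_ip:
        ip = control_peer_ip
    return can_reach(CLIENT_ROUTES, ip) and port in PASV_FORWARD_PORTS

if __name__ == "__main__":
    wan = "172.16.5.20"  # hypothetical pfSense WAN address
    print("active, client PORT 172.16.5.77:", active_ok("PORT 172,16,5,77,19,137"))
    print("passive, server advertises 10.0.0.1:",
          passive_ok("227 Entering Passive Mode (10,0,0,1,19,136).", wan))
    print("passive, server advertises WAN IP:",
          passive_ok("227 Entering Passive Mode (172,16,5,20,21,124).", wan))
```

The first two checks fail for the reasons given in the thread (no gateway on the server; a 10.0.0.1 address the client cannot route to); the third succeeds only because the server hands out the NAT address and a forwarded port.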
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.