Netgate Discussion Forum

    FTP over OpenVPN

      Ja5266

      Hi

      I've tried to set up a basic setup to my Vu+ but I can't get FTP to run with a float rule.

      I've followed many tutorials and I've got PIA working fine and port forwarded ports 21 and 20, which I read I needed to. It works fine with no problems,
      but as soon as I add a killswitch with a floating rule it kills the FTP! I've read many ways round it but I can't seem to have a simple FTP working with a killswitch.

      I've read the forum for days looking and reading, but I'm hoping someone could explain what I need to do.

      Thanks

      Jason

        Ja5266

        So no one can help :o From what I read there was a bug with the floating rule blocking the FTP many years ago, but I can't see anything lately.

        Tried to make a floating rule to allow the FTP but nope, doesn't work.

        Just trying to connect one PC on the network, not outside, to the FTP in my Vu+.

        Hopefully some kind person will find the time to help, or point me in the right direction.

        Thanks

          Derelict LAYER 8 Netgate

          Splitting this into a new thread for your specific problem. Going to need a much better description. Things like where are the FTP server and the FTP client in relation to pfSense and what kind of server is it (passive or active).

          In the meantime: https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Ja5266

            Hi Derelict

            Thanks for replying

            It's a very basic setup really. My satellite box, a Vu+ Solo SE, has FTP, telnet etc. and I would like to have access to FTP; I can't see a way to change port settings.

            So a simple setup of pfSense working fine, set up port forwarding and got the FTP working fine too. Set up my PIA VPN and both FTP and PIA VPN working.
            Tried to add a kill switch using the floating rules and my FTP stops dead.

            If I follow the https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2

            and use https://www.privateinternetaccess.com/forum/uploads/editor/92/w00wmc2lq7yt.png

            then I get no FTP anyway.

            At the bottom of the post I read:
            Disabling NAT'ing for the WAN is AN ABSOLUTE HORRIBLE IDEA and DOES NOT STOP TRAFFIC ROUTING.

            Disabling NAT address translation rules does not stop traffic from being routed out an interface if the VPN is down.  It only prevents the IP addressing from being translated when traffic is routed out that interface, which can result in routing RFC1918 addressing onto the WAN.

            The only way this blocks traffic is that an upstream router is most likely blocking non-internet routable RFC1918 addresses, but at that point your traffic has already been leaked onto the WAN interface.

            The better solution is to make sure unintended traffic never leaves the WAN by creating pfSense float rules that allow only DNS and OpenVPN traffic out the WAN and block everything else going out the WAN.  Such rules would only have effect when the VPN link is down and the WAN is the default route, to allow DNS lookup of the PIA host, and creating the VPN link, all other outbound traffic out the WAN should be blocked or rejected.  Once the VPN link is up and becomes the default route traffic will route unblocked over the VPN link.

            Thanks
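
The float-rule kill switch quoted in the post above, modelled as first-match evaluation of outbound packets (an added example, not part of the thread or of the PIA tutorial). It shows that such rules only decide traffic leaving the WAN, so they drop FTP only when it egresses the WAN instead of the VPN interface. The interface names, the OpenVPN port (UDP 1198) and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    out_if: str   # interface the packet leaves through
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    out_if: str                  # floating rule bound to one interface, direction out
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.out_if == self.out_if
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

# Constructed kill-switch ruleset, evaluated top-down with "quick" (first match wins).
# Assumptions: interfaces are named WAN and VPN; the OpenVPN tunnel uses UDP 1198.
KILL_SWITCH = [
    Rule("pass", "WAN", "udp", 53),    # DNS lookup of the VPN host
    Rule("pass", "WAN", "tcp", 53),
    Rule("pass", "WAN", "udp", 1198),  # OpenVPN tunnel setup
    Rule("block", "WAN"),              # everything else out the WAN
]

def evaluate(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule, or "no-match" when the
    floating rules do not apply and the normal interface rules decide."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "no-match"

if __name__ == "__main__":
    samples = {  # constructed sample packets
        "DNS via WAN": Packet("WAN", "udp", 53),
        "OpenVPN via WAN": Packet("WAN", "udp", 1198),
        "FTP control via WAN": Packet("WAN", "tcp", 21),
        "FTP passive data via WAN": Packet("WAN", "tcp", 50000),
        "FTP control via VPN": Packet("VPN", "tcp", 21),
    }
    for name, pkt in samples.items():
        print(f"{name:26} -> {evaluate(KILL_SWITCH, pkt)}")
```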

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.