Netgate Discussion Forum

    pureFtpd server on pfSense DMZ, cannot be accessed by LAN with passive port range set

    Category: NAT
    Tags: nat, pureftpd, passive
    6 Posts 3 Posters 1.2k Views
    • Maelvon

      Hello,
      My setup is :
      WAN
      DMZ -- 192.178.0.1 (debian pureftpd server with PassivePortRange and ForcePassiveIP set)
      LAN -- 192.168.0.255

      I've set up NAT port forwarding for 21 and 40000:40100 on the WAN IP.

      The server is accessible from outside (WAN), but I cannot connect to it from the LAN. The connection is established, but it hangs at the directory listing.

      I've found some explanations that the forwarding is not returning the correct port range, sending back a random range instead:

      https://forum.netgate.com/topic/45613/howto-ftp-server-behind-pfsense-not-working-listing-directories-due-to-nat

      That's my first explanation, but I cannot figure out how to solve this.

      Does anyone have an idea?

      Thanks in advance,

      Maelvon

      • johnpoz (LAYER 8 Global Moderator)

        So you're hitting your WAN IP to try and get to this server? Did you set up NAT reflection?

        To get to the server, just hit it via its RFC 1918 IP.

        Also, your DMZ range is public? Are you Google?
        CIDR: 192.178.0.0/15
        NetName: GOOGLE

        If that is not a typo and it's 192.168.., then your DMZ and LAN are the same network??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • NogBadTheBad @johnpoz

          @johnpoz said in pureFtpd server on pfSense DMZ, cannot be accessed by LAN with passive port range set:

          If that is not a typo and it's 192.168.., then your DMZ and LAN are the same network??

          It's a broadcast address, depending on the subnet mask.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • Maelvon @johnpoz

            @johnpoz

            From outside I can connect to my FTP server with my WAN IP as the address, and I can list folders. It works like a charm.
            But when I connect from my LAN, I cannot list folders.
            I've done NAT port forwarding, which seems to work from outside, but not from my LAN.

            NAT reflection?

            My DMZ DHCP IP is 192.178.0.254 and the FTP server has the IP 192.178.0.1.

            OK, I understand. The DMZ network is not a private one. So I've changed it to 172.16.0.1!

            So, I'm using FileZilla as the FTP client, and it cannot list folders when connecting from the LAN. I'm thinking my firewall rules are misconfigured. But if I connect from my LAN with the Linux ftp command, it hangs while listing..
            And the only difference is a:

            ftp: setsockopt: Bad file descriptor

            Perhaps an error due to NAT rules?

            How can I debug it?

            • johnpoz (LAYER 8 Global Moderator)

              @maelvon said in pureFtpd server on pfSense DMZ, cannot be accessed by LAN with passive port range set:

              So what are your rules from LAN to DMZ? You should hit the internal IP of this FTP server when you're on your LAN.

              It's simple to set up a host override locally so that ftp.yourdomain.tld resolves to 172.16.0.1.

              You will want to make sure that your FTP server hands out its private IP when hit from a private IP, and your public IP when hit from a public one, when doing passive.


              • Maelvon @johnpoz
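The check behind the last sentence above, and one answer to the earlier "How can I debug it?": a passive listing hangs because the data connection the client opens from the server's 227 reply never reaches the server, so the first thing to look at is what that reply actually says. The Python below is an added example, not code from this thread, pure-ftpd or pfSense. It parses an RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and flags the two mismatches a firewalled server produces: a data port outside the forwarded range, and an advertised address different from the one the client reached (what a fixed ForcePassiveIP does to LAN clients). The 40000-40100 range is the one from the first post; the addresses and replies in main() are constructed, and probe_pasv (an assumed helper, not part of any tool) is only needed for a live check against your own server.

```python
"""Inspect what an FTP server advertises in its PASV reply.

Added example; not from the forum thread, pure-ftpd or pfSense.
Sample replies and addresses below are constructed.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass

# The six comma-separated numbers of a 227 reply; the wording around
# them varies between servers, RFC 959 only fixes the reply code.
PASV_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


@dataclass(frozen=True)
class PasvEndpoint:
    addr: str
    port: int


def parse_pasv(reply: str) -> PasvEndpoint:
    """Decode a 227 reply: four address octets, then port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    return PasvEndpoint(".".join(str(v) for v in n[:4]), n[4] * 256 + n[5])


def check_pasv(reply: str, connected_to: str, port_range: tuple[int, int]) -> list[str]:
    """Return the problems a client would hit using this reply (empty if none).

    connected_to: address the client opened the control connection to.
    port_range:   inclusive passive range the firewall forwards to the server.
    """
    ep = parse_pasv(reply)
    problems = []
    lo, hi = port_range
    if not lo <= ep.port <= hi:
        problems.append(f"data port {ep.port} is outside the forwarded range {lo}-{hi}")
    adv = ipaddress.ip_address(ep.addr)
    dst = ipaddress.ip_address(connected_to)
    if adv != dst:
        # A fixed ForcePassiveIP hands the same (public) address to every client;
        # a LAN client then opens its data connection to the WAN side, not the server.
        problems.append(f"server advertised {adv} but the client reached it at {dst}")
    return problems


def probe_pasv(host, port=21, user="anonymous", password="probe@example.invalid", timeout=5.0):
    """Log in, send PASV, return (address we connected to, raw 227 reply).

    Live check only; main() does not call it.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")

        def reply():
            line = rd.readline().decode("latin-1")
            if line[3:4] == "-":  # multi-line reply: read until "<code> "
                code = line[:3]
                while not line.startswith(code + " "):
                    line = rd.readline().decode("latin-1")
            return line.rstrip("\r\n")

        def send(cmd):
            s.sendall((cmd + "\r\n").encode("latin-1"))

        reply()  # 220 banner
        for cmd in (f"USER {user}", f"PASS {password}"):
            send(cmd)
            reply()
        send("PASV")
        pasv = reply()
        send("QUIT")
        return s.getpeername()[0], pasv


def main():
    fwd = (40000, 40100)  # passive range forwarded on the pfSense WAN (first post)
    # Constructed cases: 156*256+64 = 40000, 156*256+75 = 40011, 203*256+33 = 52001.
    cases = [
        ("WAN client, public IP advertised", "203.0.113.10",
         "227 Entering Passive Mode (203,0,113,10,156,64)"),
        ("LAN client, public IP advertised", "172.16.0.1",
         "227 Entering Passive Mode (203,0,113,10,156,75)"),
        ("LAN client, port outside range", "172.16.0.1",
         "227 Entering Passive Mode (172,16,0,1,203,33)"),
    ]
    for label, dst, reply in cases:
        problems = check_pasv(reply, dst, fwd)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")


if __name__ == "__main__":
    main()
```

Run it against both the server's DMZ address and the WAN address from a LAN host (probe_pasv, then check_pasv with the address you connected to); the second case in main() is exactly the reply a LAN client gets when the server always advertises the public address, which is why a host override to the private IP, or a server that picks the advertised address per client, is the fix rather than more port forwards.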

                @johnpoz

                My configuration in
                System / Advanced / Firewall & NAT / Network Address Translation / NAT Reflection mode for port forwards
                is set to "NAT + Proxy",
                and when I set it to "Pure NAT", I can list the FTP content from the LAN.

                So it seems to be a solution, as it works. But as I have Squid proxy set up, perhaps it's not a good idea to set "Pure NAT"?
                Otherwise, can I create a rule which simulates the "Pure NAT" setup with "NAT + Proxy"?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.