Active mode ftp trouble

Lazer13

Hi,

I have this setup:
DMZ VLAN with ftp server behind SG-3100.
NAT rule to point port 21 and a couple of high ports for incoming passive mode ftp to said ftp server on the dmz vlan.
This is working as it should. Active mode and passive mode works from the internet to this server.

However. There is a server on the LAN VLAN interface that sends ftp to various ftp servers on the internet.
Some works and some dont. I narrowed it down to be the active mode ftp:s that don't work.

So i found the FTP Client proxy package and installed it and enabled it on the LAN interface with the "destination exception" of the ftp server on the DMZ as the LAN server sends files there too. It still doesn't work on this site.

I tried installing the package on my SG-1100 at home and active mode transfers started working as it should.

I have tried removing the FTP NAT to the DMZ and reinstalled the FTP Client Proxy but still no go and incoming ftp breaks (of course).

I found the "pfctl -sa | grep ftp" command but I'm not any wiser for it.

nat-anchor "ftp-proxy/" all
rdr-anchor "tftp-proxy/" all
rdr on mvneta2 inet proto tcp from any to "WAN IP" port = ftp -> "DMZ FTP Server IP"
rdr-anchor "ftp-proxy/" all
no rdr on mvneta1 inet proto tcp from any to "DMZ FTP Server IP" port = ftp
rdr pass on mvneta1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/" all
pass in quick on mvneta2 reply-to (mvneta2 "Gateway IP") inet proto tcp from any to "DMZ FTP Server IP" port = ftp flags S/SA keep state label "USER_RULE: NAT FTP till VMGREENMAPP01"
anchor "tftp-proxy/*" all

When I try to connect with active mode I see in the state table that the proxy picks up and resends the traffic.

I'm out of ideas as to why it's not working on the SG-3100 but "just worked" on the SG-1100.
Both are at the 2.4.4-p3 version.

Regards, Lars

viktor_g

@Lazer13 Is there any specific firewall rules on SG-3100?
show firewalls rules difference

Lazer13

@viktor_g

Floating has no rules

WAN has this:

• Standard block private and bogon networks.
• Wan ip to DMZ ftp port 21
• wan ip to DMZ ftp port 40000-40500
• wan ip to DMZ ftp port 80 ( a web server also on the same VM as the ftp)
• wan ip to LAN mailserver port 443
• wan ip to LAN mailserver port 25
• wan ip to LAN mailserver port 465
• wan ip to LAN openvpn port 1194
• from our office to wan ip to web console of sg-3100 port 444
• drop all IPv4

LAN has this:

• standard antilockout rule port 444
• Default allow any anywhere ipv4

DMZ has this:

• Allow any anywhere ipv4 (For now. will lock this down further later)

GUEST has access to internet but not DMZ or LAN.

OpenVPN any anywhere ipv4

Lazer13

@Lazer13 said in Active mode ftp trouble:

Wan ip to DMZ ftp port 21

This one has been removed for testing but still no go.
I also removed the openvpn server.
No difference