Netgate Discussion Forum

    How to bypass VPN for FTP

    OpenVPN
    8 Posts 5 Posters 1.3k Views
    • gregeeh

      Hi all,

      pfSense 2.4.4-RELEASE-p3

      I have OpenVPN setup on my pfSense box and all LAN traffic to the internet goes via the VPN.

      I now want FTP with TLS (Auth TLS - Explicit), port 21, passive mode (yes, I know, old protocol) to bypass the VPN for one client on the LAN. I've done some searching but have not been able to find out how to do this or if it is even possible.

      Any comments or suggestions are welcome.

      TIA

      Greg

      PfSense running on Qotom mini PC
      CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
      UniFi AC-Lite access point

      • conor

        Policy Based Routing

        Go to Firewall > Rules
        Select LAN

        Add a rule to allow traffic on port 21 and the server IP it's going to.

        Then scroll down and click 'display advanced' and scroll down to "Gateway"

        Select the interface other than default that you want the FTP connection to egress via.

        200+ pfSense installs - best firewall ever.

        • gregeeh @conor

          @conor said in How to bypass VPN for FTP:

          Policy Based Routing
          Go to Firewall > Rules
          Select LAN
          Add a rule to allow traffic on port 21 and the server IP it's going to.
          Then scroll down and click 'display advanced' and scroll down to "Gateway"
          Select the interface other than default that you want the FTP connection to egress via.

          Unfortunately that does not work. I think it has something to do with how FTP works with the control and data using different ports.

          • NogBadTheBad

            Try using sftp if you can, that just uses a single port and is more secure.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • gregeeh @NogBadTheBad

              @NogBadTheBad said in How to bypass VPN for FTP:

              Try using sftp if you can, that just uses a single port and is more secure.

              That's a great idea, except the FTP Servers I'm connecting to do not support SFTP, only FTP with TLS (Auth TLS - Explicit) port 21, passive mode.

              • johnpoz LAYER 8 Global Moderator

                So your problem is going to be, especially with passive, that yes, in the control channel it will tell your client the IP and port to connect to... So your policy route rule would really need to be for the dest IP and any port.. Unless you know the range of ports the server is going to give you for the passive connection..

                But I doubt you also want to talk to this server on other ports through the vpn? So on your policy route - just use the IP of the server as the dest for any port..

                Also with policy routing you really need to make sure you didn't grab routes from your vpn service..

                Who runs this ftp server? I would bring up to them that you really want sftp to talk to their server.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • gregeeh @johnpoz
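                The reason the port-21 rule from the earlier post is not enough, and why johnpoz's "server IP, any port" rule works, can be shown with the passive-mode replies themselves. With AUTH TLS the control channel is encrypted, so the firewall cannot read the 227/229 reply and has no way to learn the data port; the rule therefore has to cover every port on that server. The following is an added example, not code from the thread or from pfSense: it decodes PASV (RFC 959) and EPSV (RFC 2428) replies and evaluates a simplified first-match rule model against both the control and the data connection. The addresses, the replies, and the PolicyRule/gateway names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data: a server on a TEST-NET-3 address and the replies it
# would send on the control channel when the client asks for passive mode.
SERVER = "203.0.113.10"
CLIENT = "192.168.1.50"
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)"


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply (RFC 959): h1,h2,h3,h4,p1,p2 -> address, p1*256 + p2."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply: str, control_peer: str) -> Tuple[str, int]:
    """Decode a 229 reply (RFC 2428): only the port is carried; the data
    connection goes to the same address as the control connection."""
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", reply)
    if not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    return control_peer, int(m.group(1))


@dataclass(frozen=True)
class PolicyRule:
    """Hypothetical model of a LAN pass rule with a gateway set; this is an
    illustration of the matching logic, not pf or pfSense syntax."""
    src: str
    dst: str
    dst_ports: Optional[range]  # None means 'any' destination port
    gateway: str

    def matches(self, src: str, dst: str, dport: int) -> bool:
        if src != self.src or dst != self.dst:
            return False
        return self.dst_ports is None or dport in self.dst_ports


def gateway_for(rules: List[PolicyRule], src: str, dst: str, dport: int,
                default: str = "VPN_GW") -> str:
    """First matching rule wins; anything unmatched follows the default
    route, which in this thread's setup is the VPN."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.gateway
    return default


def session_gateways(rules: List[PolicyRule], client: str, server: str,
                     data_reply: str) -> dict:
    """Gateway used by the control connection (port 21) and by the data
    connection the server announced in its PASV or EPSV reply."""
    if data_reply.startswith("227"):
        data_ip, data_port = parse_pasv(data_reply)
    else:
        data_ip, data_port = parse_epsv(data_reply, server)
    return {
        "control": gateway_for(rules, client, server, 21),
        "data": gateway_for(rules, client, data_ip, data_port),
    }


# Rule as first described in the thread: port 21 only.
PORT21_ONLY = [PolicyRule(CLIENT, SERVER, range(21, 22), "WAN_GW")]
# Rule as johnpoz suggests: the server address on any port.
ANY_PORT = [PolicyRule(CLIENT, SERVER, None, "WAN_GW")]

if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))  # ('203.0.113.10', 50000)
    # Port-21 rule: control goes out WAN, data connection still goes via the VPN.
    print(session_gateways(PORT21_ONLY, CLIENT, SERVER, PASV_REPLY))
    # Any-port rule: both connections leave via WAN.
    print(session_gateways(ANY_PORT, CLIENT, SERVER, EPSV_REPLY))
```

With the port-21 rule the control connection egresses via WAN while the data connection (port 50000 here) falls through to the VPN, so the server sees the transfer arrive from a different source address than the session it set up; the any-port rule keeps both on the same path. Since the rule is keyed on source and destination address, other LAN clients talking to the same server still follow the default (VPN) route.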

                  @johnpoz said in How to bypass VPN for FTP:

                  So your policy route rule would really need to be for the dest IP and any port.. Unless you know the range of ports the server is going to give you for the passive connection..

                  That should work, thanks for the suggestion. Will give that a try.

                  • marvosa

                    This post is deleted!
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.