Netgate Discussion Forum

    FTP Server on Lan1 , access from Lan2 [SOLVED]

      Bambos @JKnott

      @JKnott OK Sir, this is clear. I will check out the routes; it is the first thing to try. Thank you.

        Derelict LAYER 8 Netgate

        Why set up FTP? It's 2020.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Bambos @Derelict

          @Derelict I know :) It's a data acquisition method from low-spec industrial dataloggers. They send logs in CSV files. It's the main protocol they support. Some of them might support XML, most of them only CSV through FTP.

            JKnott @Bambos

            @Bambos

            As I pointed out, you mentioned port forwarding, which usually implies NAT. If you have that, it may cause problems for FTP. Active mode FTP won't work through NAT without some assistance. Passive FTP works fine.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              Bambos @JKnott

              @JKnott Yes Sir, port 21 forwarding from WAN to Lan1 specific IP for the FTP Server. I'm accepting CSV files from low spec dataloggers. Only this method is supported.
              Lan1 = 192.168.4.0/24

              Lan2 is a dedicated interface on the same pfSense box, and I have all the application servers and backup there for more safety (not to be exposed to the open port of LAN1). So the two LAN networks are isolated.
              Lan2 = 192.168.6.0/24.

              I'm looking for a way to pass the files landing on FTP Server LAN1: 192.168.4.100 to App.Server LAN2: 192.168.6.100, so that my application servers can keep processing.

              To my understanding, with the little experience I have, the servers on LAN2 must somehow have a LAN1 IP address in order to access the files on the FTP server (Windows file share, SMB). That's why I ask for a permanent VPN between the 2 LANs, or a VPN for each server, or dual network cards on each server.

              Any thoughts ? Am I missing something ?

              Thanks for the replies.

                JKnott @Bambos

                @Bambos said in FTP Server on Lan1 , access from Lan2:

                Yes Sir, port 21 forwarding from WAN to Lan1 specific IP for the FTP Server.

                I'm not sure you understand the situation. Are you using NAT? If so, why? If that app uses active FTP, you will have problems with anything other than plain routing. In that situation, you do not want to use NAT or port forwarding.

                Any thoughts ? Am I missing something ?

                Yes, a basic understanding of how networks work. If you have 2 networks connected to the same router (pfSense) then you do not need NAT, port forwarding, VPN or anything other than plain routing. You route from one LAN to the other and back. You then set up the rules as appropriate for your needs, bearing in mind those rules may interfere with active FTP.

                  JKnott @Bambos

                  @Bambos

                  Here's some info on the issue I'm referring to:

                  NAT and firewall traversal

                    Bambos @JKnott

                    @JKnott I'm very sorry for the inconvenience. :) As you understand, I'm new to this heavy networking field. I'm coming from electrical engineering; my only experience was plugging in a TP-Link for home internet, but for the last 3 months I've been using pfSense, doing several tests, and I really enjoy it. I set it up on a bare metal Pentium 4 3 GHz, 1 GB RAM, SSD. I have also achieved high availability with success. Thanks for the help anyway, I really appreciate it.

                    I will try to make things clear.

                    I have checked the dataloggers that send log files to the FTP server through WAN. They support passive mode.
                    I am using NAT from WAN to LAN1. The port forward is 21 (listening port) and a custom port range 21000-22000 for data channels; to my understanding this enables PASV mode. I have configured the FTP server (Windows 10 IIS) the same way.

                    WAN -> LAN1 192.168.4.0/24 FTP is: 192.168.4.100 all ports are forwarded to 192.168.4.100

                    Isolated LAN2: 192.168.6.0/24. The app server that must receive the log files is 192.168.6.100.

                    The two Lans are dedicated network interfaces on the same pfSense box.

                    So finally, my question is how I can access the files on 192.168.4.100 from 192.168.6.100.

                    Thanks a lot !

                      Derelict LAYER 8 Netgate

                      Why are they on WAN not another LAN?

                      If you port forward from passive FTP clients on the outside to a passive FTP server on the inside you need to:

                      1. Port forward port 21 inbound on WAN to the FTP server
                      2. Port forward the configured passive ports on the server just like port 21
                      3. Be sure the FTP server is giving the WAN address, not its inside address, to the clients to connect to for the passive transfer session. This can sometimes be done on-the-fly by an application layer gateway (ALG) on a firewall. Such an ALG does not exist in the pfSense firewall so you must configure the FTP server correctly.

                        Bambos @Derelict

                        @Derelict said in FTP Server on Lan1 , access from Lan2:

                        Why are they on WAN not another LAN?

                        If you port forward from passive FTP clients on the outside to a passive FTP server on the inside you need to:

                        1. Port forward port 21 inbound on WAN to the FTP server
                        2. Port forward the configured passive ports on the server just like port 21
                        3. Be sure the FTP server is giving the WAN address, not its inside address, to the clients to connect to for the passive transfer session. This can sometimes be done on-the-fly by an application layer gateway (ALG) on a firewall. Such an ALG does not exist in the pfSense firewall so you must configure the FTP server correctly.

                        Dear Mr. Derelict,

                        They are on WAN because the devices are dataloggers all over the country. They are industrial things supporting the FTP protocol (they send CSV logs).

                        I followed your directions and everything is OK with FTP. Now what rules do I need so that LAN2 can communicate over Windows share with the LAN1 FTP server? [from 192.168.6.100 (LAN2) to 192.168.4.100 (LAN1)]

                        The LANs are 2 interfaces on the same box, not VLANs.

                        Thank you.

                          Rico LAYER 8 Rebel Alliance

                          For SMB access you only need to allow port 445.

                          -Rico

                            Bambos

                            Thanks everyone guys.

                            I have managed that. @Rico I also added an inbound rule in Windows Firewall to work on 445.

                            Even if I am in the 85 LAN, I can access files in the 42 LAN. This is great stuff. It is very exciting for a newbie like me.

                            Please close the thread.
