    LAN to IPSEC FTP in version 2.3.2

    Firewalling
    nbegley:

      Hi,

      I'm having some issues getting FTP to work in version 2.3.2 through IPsec tunnels. The scenario is as such:

      • We have a 3rd party application running on a server connected to the LAN side of the pfSense firewall.

      • We have ~70 remote sites connected to pfSense using site-to-site IPsec.

      • The firewalls on both sides are configured to allow all traffic from the LAN to each of the remote IPsec subnets.

      • The firewalls on both sides are configured to allow all traffic from the remote IPsec subnets to the LAN subnet.

      • There is no NAT configured between the LAN and remote subnets, or the other way around.

      • The application on both the remote and server side is only able to use active FTP.

      • The application firewalls on both the server and the remote site are disabled for testing purposes.

      The server attempts to FTP to the remote sites and is able to establish the connection using port 21. When the server attempts to establish the data ports I receive a client data socket error 10060.

      The firewall logs show the connection being established on port 21 and then the connection back from the source port 20 to the data ports on the server.

      Using packet capturing I'm able to see that the FTP PORT command sends the correct IP and port combination, and that it is responded to with a "200 Port command successful"; however, after that I just get a few TCP retransmissions from source port 20 until I get the 10060 data socket error.

      If I take pfSense out of the equation and connect to the FTP server over the LAN side then it connects without issue.

      Anyone have any ideas? All the help I've been able to find using the search seems to relate to FTP over a NAT, but this is site to site without a NAT.

      Thanks,

      Nathan.

    nbegley:

        Just thought I'd reply to this to say that the issue was actually outside of pfSense. The network switch that connected the pfSense server to the LAN had a DoS rule called "tcp_syn_srcport_less_1024" that was causing the return data traffic from port 20 to be blocked.

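The failure mode in this thread is worth seeing end to end: in active FTP the side that sent PORT is the one that gets connected *to*, and the FTP server opens that data connection from source port 20, so any stateless filter that rejects SYNs with a source port below 1024 kills the transfer while leaving the port 21 control connection untouched. The following script is an added example written for this page, not code from the original post or from pfSense; the addresses are constructed, and the `syn_srcport_less_1024` function is an assumed model of what the switch rule named in the resolution does (the post only says it blocked the return traffic from port 20). It decodes and encodes RFC 959 PORT arguments, lays out the SYNs of an active-mode and a passive-mode session, and reports which ones such a rule would drop.

```python
"""Model active-FTP data connections against a 'SYN with source port < 1024' filter.

Added example for the thread above; addresses and the rule model are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample addresses (not from the original thread).
LAN_APP_SERVER = "10.10.0.20"   # on the pfSense LAN side; it is the FTP *client*
REMOTE_SITE_FTP = "10.20.0.5"   # behind the site-to-site IPsec tunnel; the FTP *server*

FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_SRC_PORT = 20   # RFC 959: the server connects out from L-1 = port 20


@dataclass(frozen=True)
class Syn:
    """A TCP SYN as a stateless switch filter sees it: who opens to whom."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {line!r}")
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def encode_port_command(ip, port):
    """Build the PORT argument the FTP client sends for its listening data socket."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def syn_srcport_less_1024(syn):
    """Assumed model of the switch DoS rule: drop any SYN whose source port < 1024."""
    return syn.src_port < 1024


def active_session(client_ip, client_ctrl_port, client_data_port, server_ip, rule):
    """SYNs of an active-mode transfer, each with the rule's drop verdict.

    The client announces its data socket with PORT; the server then opens the
    data connection itself, from port 20, towards the announced address.
    """
    control = Syn(client_ip, client_ctrl_port, server_ip, FTP_CONTROL_PORT)
    announced_ip, announced_port = parse_port_command(
        encode_port_command(client_ip, client_data_port))
    data = Syn(server_ip, FTP_ACTIVE_DATA_SRC_PORT, announced_ip, announced_port)
    return [("control", control, rule(control)), ("data", data, rule(data))]


def passive_session(client_ip, client_ctrl_port, client_data_port,
                    server_ip, server_pasv_port, rule):
    """SYNs of a passive-mode transfer: the client opens both connections."""
    control = Syn(client_ip, client_ctrl_port, server_ip, FTP_CONTROL_PORT)
    data = Syn(client_ip, client_data_port, server_ip, server_pasv_port)
    return [("control", control, rule(control)), ("data", data, rule(data))]


def dropped_connections(session):
    """Names of the connections the rule would block; an empty list means the transfer works."""
    return [name for name, _, dropped in session if dropped]


if __name__ == "__main__":
    for mode, session in (
        ("active", active_session(LAN_APP_SERVER, 49152, 1025, REMOTE_SITE_FTP,
                                  syn_srcport_less_1024)),
        ("passive", passive_session(LAN_APP_SERVER, 49152, 49153, REMOTE_SITE_FTP,
                                    50000, syn_srcport_less_1024)),
    ):
        for name, syn, dropped in session:
            verdict = "DROP" if dropped else "pass"
            print(f"{mode:7} {name:7} {syn.src_ip}:{syn.src_port} -> "
                  f"{syn.dst_ip}:{syn.dst_port}  {verdict}")
```

Run as-is it shows the control SYN passing in both modes and only the active-mode data SYN (source port 20) being dropped, which is exactly the symptom in the first post: "200 Port command successful" on the control channel, then retransmissions from port 20 and a 10060 on the data socket. Note that the rule is keyed on the source port of the SYN, so it fires even with no NAT anywhere in the path, and a filter of this kind on a switch is invisible to pfSense's own logs, which only record that the port 20 connection was permitted.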
        © 2021 Rubicon Communications, LLC