LAN to IPSEC FTP in version 2.3.2



  • Hi,

    I'm having some issues getting FTP to work in version 2.3.2 through IPSEC tunnels. The scenario is as follows:

    • We have a 3rd party application running on a server connected to the LAN side of the pfSense firewall.

    • We have ~70 remote sites connected to pfSense using site-to-site IPSEC.

    • The firewall on both sides is configured to allow all traffic from the LAN to each of the remote IPSEC subnets

    • The firewall on both sides is configured to allow all traffic from the remote IPSEC subnets to the LAN subnet

    • There is no NAT configured between the LAN and remote subnets, or the other way around

    • The application on both the remote and server side is only able to use active FTP

    • The application firewall on both the server and the remote site is disabled for testing purposes

    The server attempts to FTP onto the remote sites and is able to establish the connection using port 21. When the server attempts to establish the data ports, I receive a client data socket error 10060.

    The firewall logs show the connection being established on port 21 and then the connection back from the source port 20 to the data ports on the server.

    Using packet capturing, I'm able to see that the FTP PORT command sends the correct IP and port combination, and that it is responded to with a "200 Port command successful"; however, after that I just get a few TCP retransmissions from source port 20 until I get the 10060 data socket error.

    If I take pfSense out of the equation and connect to the FTP server over the LAN side, then it connects without issue.

    Anyone have any ideas? All the help I've been able to find using the search seems to relate to FTP over a NAT, but this is site-to-site without a NAT.

    Thanks,

    Nathan.



  • Just thought I'd reply to this to say that the issue was actually outside of pfSense. The network switch that connected the pfSense server to the LAN had a DoS rule called "tcp_syn_srcport_less_1024" that was causing the return data traffic from port 20 to be blocked.
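  The following script is an added illustration of the two posts above, not code from the thread or from pfSense. It parses the FTP PORT command the original post saw in the packet capture, builds the SYN the remote FTP server sends back from source port 20 (active mode, RFC 959), and runs it through a constructed model of the switch rule named in the follow-up, "tcp_syn_srcport_less_1024", to show why the active-mode data connection is dropped while the port 21 control connection passes. The IP addresses, the flow records and the rule model are all constructed for the example.

```python
"""Why an active-mode FTP data connection trips a "SYN from source port < 1024" rule.

Added example (not from the thread). The flows, addresses and the rule model are
constructed to mirror the scenario in the post: a LAN server uses active FTP to a
remote IPsec site, and a switch DoS rule drops SYNs whose source port is < 1024.
"""
from dataclasses import dataclass
import ipaddress

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20  # active mode: the FTP *server* opens the data connection from port 20
PRIVILEGED_LIMIT = 1024


@dataclass(frozen=True)
class Flow:
    """The first packet of a TCP connection as a switch or firewall would see it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool
    note: str = ""


def parse_port_command(line: str) -> tuple[str, int]:
    """Parse an FTP PORT command (RFC 959): 'PORT h1,h2,h3,h4,p1,p2'.

    Returns the (ip, port) the client asks the server to connect back to.
    Rejects malformed input so a bad capture line cannot produce a bogus flow.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    ip = ".".join(str(f) for f in fields[:4])
    ipaddress.IPv4Address(ip)  # raises ValueError on an invalid dotted quad
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def active_data_syn(port_cmd: str, remote_server_ip: str) -> Flow:
    """The SYN the remote FTP server sends back after answering '200 Port command successful'."""
    client_ip, client_port = parse_port_command(port_cmd)
    return Flow(remote_server_ip, FTP_DATA_PORT, client_ip, client_port,
                syn=True, note="active-mode data connection (server -> client)")


def tcp_syn_srcport_less_1024(flow: Flow) -> bool:
    """Constructed model of the switch DoS rule: match a SYN with a privileged source port.

    Such rules assume a legitimate client never initiates from a port below 1024,
    which is exactly what active-mode FTP does (source port 20).
    """
    return flow.syn and flow.src_port < PRIVILEGED_LIMIT


def classify(flows: list[Flow]) -> list[tuple[str, str]]:
    """Return (note, verdict) for each flow under the rule."""
    return [(f.note, "DROP" if tcp_syn_srcport_less_1024(f) else "PASS") for f in flows]


def demo() -> list[tuple[str, str]]:
    # Constructed addresses: LAN application server and one remote IPsec site.
    lan_server = "10.0.0.5"
    remote_site = "192.0.2.10"
    # Constructed capture line: the server asks the remote side to connect back to 10.0.0.5:50000.
    port_cmd = "PORT 10,0,0,5,195,80"
    flows = [
        Flow(lan_server, 51000, remote_site, FTP_CONTROL_PORT, syn=True,
             note="control connection (client -> server port 21)"),
        active_data_syn(port_cmd, remote_site),
    ]
    return classify(flows)


if __name__ == "__main__":
    for note, verdict in demo():
        print(f"{verdict:4}  {note}")
```

  Running the script prints PASS for the control connection and DROP for the data connection, which matches the capture in the first post: the PORT exchange on port 21 completes, and only the SYN arriving from source port 20 is lost and retransmitted until the 10060 timeout. The check is worth keeping in a diagnostics toolbox because the symptom looks like an FTP-over-NAT problem even though no NAT is involved.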