Netgate Discussion Forum

    Access local FTP by public IP from LAN

      kennylovrin

      Hello guys

      I'm really new to pfSense, and generally I wouldn't say that firewalls/routers etc is my strongest area.. But nevertheless I have been assigned to fix some problems where I work.

      And now I'm facing an issue that I think is actually pretty simple but I can't figure it out really.

      The thing is this:

      We have an FTP server on our LAN with a 10.0.1.x IP. This is accessible externally, as I have configured a virtual IP and set up a NAT rule to forward requests to that external IP on port 21 (and the passive port range) to the server's LAN IP. I also had to configure the FTP server to bind to its external IP, otherwise I couldn't get the external connections to work properly.

      Now, this config has caused the access to the server to stop functioning if you access it from inside the LAN. And I'm pretty confident that this is because it binds to an IP that doesn't exist in the LAN range. So, how do I go about this really? Can I create some kind of firewall rule that allows access from LAN to the external IP or something like that?

      I'm not really sure if I should change settings in the firewall, or if I need to change the config for the FTP server - I don't know what is considered the "correct way".

      I hope someone here can help me clarify this, and I am glad to supply more info if necessary!

      Thanks,
      Kenny

        nocer

        Hi

        Seems like an ftp-proxy issue. Can you try enabling/disabling it and see if anything happens?

        Dunno if this helps or not, but a link is: http://forum.pfsense.org/index.php/topic,7096.0.html

        cheers,

          GruensFroeschli

          Have you tried to enable NAT-reflection?

          Also this thread might interest you:
          http://forum.pfsense.org/index.php/topic,9440.0.html

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            kennylovrin

            Hey guys

            Thanks for the replies!

            I have enabled the NAT reflection now, and also unchecked (enabled) userland proxy app for both WAN and LAN if's.
            Something seems to have happened, now I get "connection closed" from my ftp client instead of nothing at all (before it was just timing out).

            I recreated the NAT rule after enabling the NAT reflection, and it added an extra firewall rule for me.
            I'm thinking maybe the problem was that it didn't add the passive port range as it is > 500, but I added it manually just as the rule for port 21 that was added automatically for me.. And it didn't seem to help much..

            Do you think it is an issue that I have manual outbound NAT activated? The thing is that we have an external IP for the WAN interface, and to that we have a range of IPs routed in a totally different net from our ISP. So to get our outbound connections to act as our actual routed net, I had to set that up manually in the outbound NAT.

            I can honestly say that I am pretty confused with all the settings here, so I am absolutely not blaming anyone for the problems but myself. So I appreciate all help I can get!

            EDIT:

            So, I disabled userland proxy again, and left only the NAT reflection active. And now I can actually connect to the server, but the file listings don't work. This is the problem I usually encounter when the passive port range isn't properly set up.. I'm just not sure what the problem is.. Do I need some outbound NAT rule?

            Thanks,
            Kenny

              GruensFroeschli

              How big and "where" is your passive range?
              There is a hard limit of 1000 ports that can be reflected, and never more than 500 together (in a single rule).

              AoN shouldn't affect anything.

              Did you read the thread I posted above? This might be the easier solution for you :)

              Maybe you could post screenshots of the aliases/rules/config_of_your_server you created so far.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
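
An added example, not part of the thread or any poster's code: a small diagnostic that parses the server's 227 passive-mode reply to see whether LAN clients are being sent to a non-LAN address, and splits a passive range into forwards that fit the reflection limits quoted in the post above. The function names, the /24 LAN mask, the sample address and port range, and counting the port 21 forward against the 1000-port budget are all assumptions.

```python
import ipaddress
import re

# Limits as quoted in the post above; treated here as given, not verified.
MAX_PORTS_PER_RULE = 500
MAX_REFLECTED_PORTS = 1000

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) advertised in an FTP 227 passive-mode reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError(f"field out of range in: {reply!r}")
    return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def data_channel_leaves_lan(reply, lan_cidr):
    """True if a LAN client is told to open its data connection to a
    non-LAN address, so the firewall must reflect the passive ports."""
    ip, _ = parse_pasv(reply)
    return ip not in ipaddress.ip_network(lan_cidr)

def plan_reflection_rules(first, last, other_reflected=1):
    """Split a passive range into forwards of <= 500 ports each.
    other_reflected: ports reflected elsewhere (assumed: the port 21 rule)."""
    if not 0 < first <= last <= 65535:
        raise ValueError("invalid port range")
    total = last - first + 1 + other_reflected
    if total > MAX_REFLECTED_PORTS:
        raise ValueError(f"{total} reflected ports exceeds {MAX_REFLECTED_PORTS}")
    rules = []
    while first <= last:
        end = min(first + MAX_PORTS_PER_RULE - 1, last)
        rules.append((first, end))
        first = end + 1
    return rules

if __name__ == "__main__":
    # Constructed sample: 203.0.113.10 stands in for the external virtual IP.
    reply = "227 Entering Passive Mode (203,0,113,10,195,80)"
    print(parse_pasv(reply))
    print(data_channel_leaves_lan(reply, "10.0.1.0/24"))
    print(plan_reflection_rules(50000, 50599))
```
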

                kennylovrin

                Hello

                Sorry for the late reply, lots of stuff going on. :)

                Anyway, I solved the problem by configuring the FTP server with virtual hosts so that it responds to requests on both needed IPs.

                Just wanted to mention it so we can consider this specific thread to be closed.

                I will look into the firewall settings in more detail when I find the time, right now the problem is resolved. :)

                Thanks for all the help anyway guys!

                  nocer

                  Hi,
                  That's good to hear, and could you describe what you did a lil bit more for later visitors?
                  Also helps me a lot  ;D ;D ;D

                  @kennylovrin:

                  …by configuring the ftp server with virtual hosts...

                  cheers,
