Access local FTP by public IP from LAN



  • Hello guys

    I'm really new to pfSense, and generally I wouldn't say that firewalls/routers etc is my strongest area.. But nevertheless I have been assigned to fix some problems where I work.

    And now I'm facing an issue that I think is actually pretty simple but I can't figure it out really.

    The thing is this:

    We have a FTP server on our lan with a 10.0.1.x IP. This is accessible externally, as I have configured a virtual IP and set up a nat rule to forward request to that external ip on port 21 (and the passive port range) to the server's lan IP. I also had to configure the FTP server to bind to it's external IP, otherwise I couldn't get the external connections to work properly.

    Now, this config has caused the access to the server to stop functioning if you access it from inside the LAN. And I'm pretty confident that this is because it binds to an IP that doesn't exist in the LAN range. So, how do I go about this really? Can I create some kind of firewall rule that allows access from LAN to the external IP or something like that?

    I'm not really sure if I should change settings in the firewall, or if I need to change the config for the FTP server - I don't know what is considered the "correct way".

    I hope someone here can help me clarify this, and I am glad to supply more info if nesseccary!

    Thanks,
    Kenny



  • Hi

    Seems like ftp-proxy issue. Can you try enable/disable it and see if anything happen?

    Dunno this helps or not but a link is; http://forum.pfsense.org/index.php/topic,7096.0.html

    cheers,



  • Have you tried to enable NAT-reflection?

    Also this thread might interrest you:
    http://forum.pfsense.org/index.php/topic,9440.0.html



  • Hey guys

    Thanks for the replies!

    I have enabled the NAT reflection now, and also unchecked (enabled) userland proxy app for both WAN and LAN if's.
    Something seems to have happened, now I get "connection closed" from my ftp client instead of nothing at all (before it was just timing out).

    I recreated the NAT rule after enabling the NAT reflection, and it added an extra firewall rule for me.
    I'm thinking maybe the problem was that it didn't add the passive port range as it is > 500, but I added it manually just as the rule for port 21 that was added automatically for me.. And it didn't seem to help much..

    Do you think it is an issue that I have manual outbound nat activated? The thing is that we have an external ip for the WAN interface, and to that we have a range of IP's routed in a totally different net from our ISP. So to get our outbound connections to act as out actual routed net, I had to set that up manually in the outbound NAT.

    I can honestly say that I am pretty confused with all the settings here, so I am absolutely not blaming anyone for the problems but myself. So I appreciate all help I can get!

    EDIT:

    So, I disabled userland proxy again, and left only the nat reflection active. And now I can actually connect to the server, but the file listings doesn't work. This is the problem I usually encounter when the passive port range isn't properly set up.. I'm just not sure what the problem is.. Do I need some outbound nat rule?

    Thanks,
    Kenny



  • How big and "where" is your passive range?
    There is a hardlimit of 1000 ports that can be reflected, and never more than 500 together (in a single rule).

    AoN shouldnt affect anything.

    Did you read the thread i posted above? his might be the easier solution for you :)

    Maybe you could post screenshots of the aliases/rules/config_of_your_server you created so far.



  • Hello

    Sorry for the late reply, lots of stuff going on. :)

    anyway, I solved the problem by configuring the ftp server with virtual hosts so that it responds to requests on both needed ip.

    Just wanted to mention it so we can consider this specific thread to be closed.

    I will look into the firewall settings more in details when I find the time, right now the problem is resolved. :)

    Thanks for all the help anyway guys!



  • Hi,
    That's good to hear, and could you describe what you did with a lil bit more for later visitors?
    Also helps me alot  ;D ;D ;D

    @kennylovrin:

    …by configuring the ftp server with virtual hosts...

    cheers,


Locked