FTP in transparent bridge
-
I just installed a pfsense firewall in transparent bridge mode. In the setup instructions it had me disable both FTP helper options.
I want to use passive ftp but not have a lot of ports open. What are the correct rules to set up for this?
I have searched all through the forums here over the past 3 days and found a lot of conflicting information. I did find the info below but I don't know if it is right for my setup. All the machines behind the firewall have public IPs. There is no port forwarding set up. I have port 21 open inbound and all traffic open outbound. I have multiple machines that have their own FTP server. All FTP servers have separate public IPs.
**1. Fire Wall -> NAT: add standard FTP rule, in my case:
WAN TCP 21 (FTP) 10.1.1.xx (ext.: 212.xx.xx.xx)
2. Fire Wall -> Rules: Beside the automatic rules created by pfSense add one more.
TCP * * 127.0.0.1 8000 - 8020 * (permitted traffic to 127.0.0.1 on ports 8000-8020)
3. Interfaces -> LAN: Ensure that the FTP helper box is NOT checked.
4. Interfaces -> WAN: Ensure that the FTP helper box is NOT checked.**
Please help.
Thanks
Bob
-
The ftp-helper is a proxy.
This proxy is running on pfSense itself, meaning pfSense actually is part of the connection and pfSense does stuff with the traffic. In a transparent setup you don't want the users to even know that there is a firewall around.
The steps you took are to make sure that pfSense is able to accept traffic for the proxy.
--> You don't want that.
What should help:
1: Check on all interfaces the "Disable the userland FTP-Proxy application" checkbox (as I see it you currently have the helper activated --> disable it)
2: Find out which passive port-range your ftp-server is using.
3: Create a firewall rule allowing port 21 and all the ports out of your passive port-range to your server.
I'm not sure if you've set your transparent firewall correctly up, because
1. Fire Wall -> NAT: add standard FTP rule, in my case:
WAN TCP 21 (FTP) 10.1.1.xx (ext.: 212.xx.xx.xx)
indicates that you have a private IP range behind your pfSense.
In transparent mode you have the same subnet behind pfSense as you have before pfSense.
The IP on pfSense is purely to manage it and NOT for traffic to flow.
-
The settings that I posted are not from my server, they are from the instructions I posted here. I haven't done anything with our FTP yet.
I would guess they are wrong for me then.
I do know the FTP helper things are off on both the lan and wan interfaces on our firewall.
I will add the standard port 21 rule and a pass for a range of ports.
How do you determine how many ports you need? I want minimal ports open in the firewall. I tried SFTP on port 22 but the available cheap/free SFTP server software either is not stable or crashes under our load. The FTP is used by 20-40 users concurrently at any time and serves 700+ website accounts on that server. FileZilla Server handles the load fine but does not do SFTP, and I don't want a crazy amount of ports open for this. Any suggestions would be appreciated.
Thanks for the help.
Bob
-
How do you determine how many ports you need? I want minimal ports open in the firewall.
More open ports doesn't mean less secure.
Just only forward the ports the server will actually listen on.
It's as secure as your ftp-server is.
@http://en.wikipedia.org/wiki/File_Transfer_Protocol:
Multiple TCP/IP connections are used, one for the control connection, and one for each download, upload, or directory listing. Firewalls may need additional logic and/or configuration changes to account for these connections.
So if you have about 20-40 concurrent users I would open about 120 ports and restrict each user to 3 concurrent connections (in the ftp-configuration).
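Added example, not from this thread: a small Python check of what the passive-range rule from step 3 actually has to cover. It parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` replies, flags data ports outside the permitted range or replies that advertise an address other than the server's public IP (both would break passive transfers through the firewall), and sizes the range the way the post above suggests, users x connections per user. The server address 198.51.100.10 and the 8000-8020 range are constructed values.

```python
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def passive_range_size(max_users, conns_per_user):
    """Ports needed so every concurrent data connection gets its own."""
    return max_users * conns_per_user

def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_pasv(reply, server_ip, low, high):
    """Classify one PASV reply against the server IP and the allowed range."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != server_ip:
        return "wrong-address"  # e.g. a private/internal IP advertised
    if not low <= port <= high:
        return "outside-range"  # the firewall would drop this data connection
    return "ok"

def audit(replies, server_ip, low, high):
    """Count outcomes over a batch of captured PASV replies."""
    counts = {}
    for r in replies:
        verdict = check_pasv(r, server_ip, low, high)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample: server 198.51.100.10, firewall permits 8000-8020.
SAMPLE = [
    "227 Entering Passive Mode (198,51,100,10,31,69)",   # port 8005
    "227 Entering Passive Mode (198,51,100,10,195,82)",  # port 50002
    "227 Entering Passive Mode (10,1,1,20,31,69)",       # private address
    "227 Entering Passive Mode",                         # no address block
]

if __name__ == "__main__":
    print(passive_range_size(40, 3), audit(SAMPLE, "198.51.100.10", 8000, 8020))
```

Feed it the 227 lines from a client-side FTP log (or a packet capture) to confirm the server's configured passive range matches the firewall rule before opening it.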
-
Thanks. I did that and it is working great. Now if someone can tell me how to get the webgui to work on the Wan side, I would be all set.
Thanks
Bob
-
Tried this in the webgui forum and got no response. Maybe someone here will know.
I have searched here and found 2 different rule setups to do this but neither works.
I have my WebGUI set for https on port 81. It worked fine before I changed to transparent bridge mode. I can access it fine from the lan side but I need to access it from the WAN side too.
I have the correct IP (the one that was set to the wan side when I set up the bridge), I am using https://thecorrectip:81 but it does not work.
What am I doing wrong here?
Thanks
Bob
-
What IP do you have on the WAN now?
Basically you can just create a firewall rule that allows access to the WAN-interface-IP on the GUI-port.
-
What IP do you have on the WAN now?
Basically you can just create a firewall rule that allows access to the WAN-interface-IP on the GUI-port.
I have the IP 66.153.204.254 on the WAN and I have the webgui set for https on port 81. I am going to https://66.153.204.254:81 from the outside and it does not work. It works fine from the LAN side.
I created a rule on the wan that allows access from any to port 81 but it does not work.
Any suggestions?
Thanks
Bob
-
And you also have the same "allow any to 66.153.204.254" rule on the LAN?
Could you show a screenshot of all rules on the WAN?
-
Here are screenshots of the rules
-
What do you have NAT rules for?
This is after all a bridged setup.
Also why do you have a rule to allow the "lan subnet to anywhere"?
Do you have an IP on the LAN interface? You don't need an IP on the LAN interface --> It's part of the bridge.
Also the rules you have on the WAN are.... strange.
You should set as destination only the server on which a service is running.
Right now you open up your network on these ports to EVERY server which is probably not what you want.
-
What do you have NAT rules for? - Whatever is there was created automatically from the instructions found in the PDF that tells how to change over to transparent bridge.
Also why do you have a rule to allow the "lan subnet to anywhere"? I believe it was created automatically when I followed the T.B changeover PDF.
Do you have an IP on the LAN interface? The instructions said to assign a different (than wan) IP to the lan side (I used 66.163.204.253) and then after the change it would just ignore the ip. So yes and then no.
Also the rules you have on the WAN are.... strange. - Ok. They work for everything except the webgui to WAN.
You should set as destination only the server on which a service is running. - There are multiple servers all with various services running on them. For example the mail server has a webserver for webmail, an FTP server, and a DNS server along with the mail. There are 3 web servers all with FTP, one with DNS and MySQL, and one with GIS apps. There is a MSSQL DB server that has websites on it and FTP. Since each machine does a little of everything, I leave the rules open instead of pointing to a specific machine. There are various other machines sitting behind this box. I inherited it and can't change anything yet. Maybe someday they will let me clean it up.
So what do you think is causing the webgui problem?