Rule for FTP need help still new in pfsense

  • Hello everyone

    I have a few networks and I am trying to create a rule but not sure how

    My security cameras are on network OPT1 -
    I want them to upload records to an ftp server FREENAS on LAN interface
    I've created an alias called CAM_FTP_ACCESS_LIST including all my cameras' IP addresses

    I tried the rule on OPT1 interface
    Source: single host or alias ___ CAM_FTP_ACCESS_LIST
    Destination : Single host or alias ____192.168.10.121
    PORT FTP(21)

    and it is not working

    thank you

  • Might need to also allow port 20 (FTP data) if "active mode" FTP is being used.

  • LAYER 8 Global Moderator

    As Nullity stated, you're going to need to understand what you're using, active or passive FTP.  And then you would have to create the rules on the specific interfaces to allow the traffic depending.  If active, the server would create a connection to a high port from source port 20.  If passive, then the client would make a connection to the server on some high port the server told it to connect to.

    If you're going to lock down traffic between VLANs on your network and allow for FTP, then you're going to have to know what is being used, active or passive, and make the correct rules to allow it.

    Here is a great article that explains the difference between active and passive.

    Could you post up the rules you have on each interface, which side is the server and which side is the client, and whether you are using active or passive?

    hello, thank you all for the quick reply

    OPT1 has basic rules allowing outbound to DNS on the OPT1 interface, HTTP, HTTPS and ICMP

    my LAN network has the same rules and one extra so I can access all my other networks within my private network

    I have my freeNAS on the LAN interface. It is a basic setup on freeNAS, just a user and group allowing users to connect with a password only. Because OPT1 by default cannot access LAN or any other interfaces on the network, I need it to allow port 21 to upload video to my freeNAS FTP, nothing fancy, just a simple rule

    Thank you

  • LAYER 8 Global Moderator

    Please post a screenshot of your rules!!!  There is zero chance of helping you with you posting what you think you created versus what you actually have and what order they are in, etc.

    So if opt1 is your client side.. How would it even get to your lan for the control channel, ftp 21?  And in passive mode how would it connect to lan on some high port that your ftp server told it to connect to?

    You state you have the same rules on lan, so if in active mode what rule would allow it to connect to the opt1 network from source port 20 to some high port your client told the server to connect to?

    So how is your ftp server on freenas configured?  Active or passive?  Both?  What is your client trying to use?  And then post up a screenshot of your rules so we can SEE what you have vs what you think you have, etc. Right now there is zero information on the order of the rules..

    I don't know if I configured it for active or passive. I just followed some steps from YouTube and it is working when I try to connect from a host on the LAN side. When I set up an FTP section on one of my cameras on the OPT1 side it cannot connect to the server. I tried both passive and active and none of them are working

    I tried to set up a rule on the LAN interface to pass port 21, source alias (all my camera IPs), destination my FTP server address, still nothing

  • LAYER 8 Global Moderator

    Ok, I take it the first is your lan where your server is.. And the alias lan to subnets would be your opt1 network and others.

    So that would allow for active connections..  Since in an active connection the server from the lan side would create the data connection to your client on the opt1 network, to whatever random port your client said to connect to.

    But from your devnet interface, I assume, since you didn't include what interface those rules were on, and I am guessing this is your opt1 network, you do not even allow 21 to your lan - so how would you even connect to the control channel on 21, be it active or passive for the data channel?  You would need to allow 21 to your freenas on lan in these opt1 interface rules…  Then if using active it would work.. But if passive it wouldn't, since your rules on opt1 or devnet do not allow connections to lan on the high ports that your server would say "connect to me on" in passive mode.

    So let me state this yet again.. If you want to troubleshoot ftp, you need to understand how ftp works, both active and passive, and you need to understand what you're using.. What is the client you're using?  filezilla?  Something else?
    Active FTP vs. Passive FTP, a Definitive Explanation

    the last image is from my camera settings; that's where I have to enter the ftp server information so all the camera records can be uploaded to my ftp server.

  • LAYER 8 Global Moderator

    Where did I ask anything about that image?  Dude, I want to help you, but what are you not understanding about your rules not going to work since you don't even have port 21 open on pfsense?

    Since your client doesn't list if active or passive, it probably defaults to active.. But a simple sniff of the traffic on pfsense would show you exactly what commands are being sent in the control channel.. And from there you can see if active or passive and what ports are being used, etc.

    But nothing is going to work at all until you open port 21 to your server IP on the client network firewall tab.

  • Just throwing out an idea…  if you can somehow enable and use SFTP instead of regular FTP then you only need to think about port 22 TCP.

  • LAYER 8 Global Moderator

    Yes, that is a great idea, his NAS most likely supports it.. But I doubt the camera does.

    I don't think my camera supports SFTP, even my big SUNBA camera supports SFTP
    I just set up IPsec to a 3rd location and I will try to install FreeNAS here and point my cameras to the FreeNAS FTP server here

  • LAYER 8 Global Moderator

    "But nothing is going to work at all until you open port 21 to your server IP on the client network firewall tab."

    Did you see this statement.. The rules you posted do not allow 21, so no, ftp is not going to work, be it you're using passive or active..  Since your client, per your rules, is not allowed to talk to the server on the other segment on 21 to even open the control channel.

    How do you think ipsec to some remote site is going to solve the problem vs storing it locally?

    My IPsec interface has an any-to-any rule, I believe it will solve the problem

    Thank you

  • LAYER 8 Global Moderator

    No, sorry, it's not… Traffic is evaluated on the interface it enters pfsense.. Great that your connection for ipsec is any any..

    But your traffic doesn't enter pfsense there, it enters the interface your client is connected to...
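
The moderator's two points, sniffing the control channel to tell active from passive, and pfSense evaluating traffic on the interface it enters, as an added Python example that is not from this thread: it parses constructed PORT / 227 lines from a capture and reports which interface tab needs the data-channel allow rule. The camera address 192.168.20.15 and the OPT1/LAN interface names are assumptions.

```python
import re

# Constructed FTP control-channel exchanges, the kind a packet capture on
# pfSense would show. The camera address is made up for this example;
# "C" is the camera (client on OPT1), "S" is the FTP server (on LAN).
SAMPLE_ACTIVE = [
    ("C", "PORT 192,168,20,15,195,80"),        # client announces its data port
    ("S", "200 PORT command successful"),
    ("C", "STOR rec_0001.mp4"),
]
SAMPLE_PASSIVE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,10,121,234,17)"),
    ("C", "STOR rec_0002.mp4"),
]

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _decode(match):
    """Turn the h1,h2,h3,h4,p1,p2 form into (host, port); port = p1*256 + p2."""
    host = ".".join(match.group(i) for i in range(1, 5))
    return host, int(match.group(5)) * 256 + int(match.group(6))

def data_channel(exchange):
    """Find the first PORT (active) or 227 (passive) line and describe the
    data connection it sets up. Returns None if neither appears."""
    for side, line in exchange:
        if side == "C" and line.upper().startswith("PORT "):
            host, port = _decode(HOSTPORT.search(line))
            # Active: the server connects from TCP/20 to the client's port.
            return {"mode": "active", "initiator": "server",
                    "src_port": 20, "dst_host": host, "dst_port": port}
        if side == "S" and line.startswith("227"):
            host, port = _decode(HOSTPORT.search(line))
            # Passive: the client connects to the server's announced high port.
            return {"mode": "passive", "initiator": "client",
                    "src_port": None, "dst_host": host, "dst_port": port}
    return None

def required_rule(info, client_if="OPT1", server_if="LAN"):
    """pfSense evaluates a packet on the interface it enters, so the allow
    rule for the data channel belongs on the initiator's own interface tab.
    The control channel (TCP/21, client -> server) always needs a rule on
    client_if regardless of mode."""
    if info["mode"] == "active":
        return (f"{server_if}: allow TCP from server source port {info['src_port']} "
                f"to {info['dst_host']}:{info['dst_port']}")
    return f"{client_if}: allow TCP from client to {info['dst_host']}:{info['dst_port']}"
```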
