Netgate Discussion Forum

FTP over OpenVPN

  • J
    Ja5266
    last edited by Mar 15, 2018, 1:34 PM

    Hi

    I've tried to set up a basic setup to my vu+ but I can't get FTP to run with a floating rule.

    I've followed many tutorials and I've got PIA working fine and port forwarded port 21 and 20 that I read I needed to. It works fine and can have no problems,
    but as soon as I add a killswitch with a floating rule it kills the FTP!! I've read many ways round but I can see to have a simple FTP working with a killswitch.

    I read the forum for days looking and reading but I'm hoping someone could explain what I need to do.

    Thanks

    Jason

    • J
      Ja5266
      last edited by Mar 16, 2018, 12:23 PM

      So no one can help :o From what I read there was a bug with the floating rule blocking the FTP many years ago, but can see anything lately.

      Tried to make a floating rule to allow the FTP but nope, doesn't work.

      Just trying to connect one PC on the network, not outside, to connect to FTP in my vu+

      Hopefully some kind person will find the time to help, or point me in the right direction.

      Thanks

      • D
        Derelict LAYER 8 Netgate
        last edited by Mar 17, 2018, 6:59 PM

        Splitting this into a new thread for your specific problem. Going to need a much better description. Things like where are the FTP server and the FTP client in relation to pfSense and what kind of server is it (passive or active).

        In the meantime: https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • J
          Ja5266
          last edited by Mar 20, 2018, 2:25 PM

          Hi Derelict

          Thanks for replying

          It's a very basic setup really. My satellite box vu+ solose has FTP, telnet etc. and I would like to have access to FTP; I can't see a way to change port settings.

          So a simple setup of pfSense working fine, set up port forwarding and got the FTP working fine too. Set up my PIA VPN and both FTP and PIA VPN working.
          Tried to add a kill switch using the floating rules and my FTP stops dead.

          If I follow the https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2

          and use https://www.privateinternetaccess.com/forum/uploads/editor/92/w00wmc2lq7yt.png

          then I get no FTP anyway.

          On the bottom of the post I read:
          Disabling NAT'ing for the WAN is AN ABSOLUTE HORRIBLE IDEA and DOES NOT STOP TRAFFIC ROUTING.

          Disabling NAT address translation rules does not stop traffic from being routed out an interface if the VPN is down. It only prevents the IP addressing from being translated when traffic is routed out that interface, which can result in routing RFC1918 addressing onto the WAN.

          The only way this blocks traffic is that an upstream router is most likely blocking non-internet routable RFC1918 addresses, but at that point your traffic has already been leaked onto the WAN interface.

          The better solution is to make sure unintended traffic never leaves the WAN by creating pfSense float rules that allow only DNS and OpenVPN traffic out the WAN and block everything else going out the WAN. Such rules would only have effect when the VPN link is down and the WAN is the default route, to allow DNS lookup of the PIA host, and creating the VPN link, all other outbound traffic out the WAN should be blocked or rejected. Once the VPN link is up and becomes the default route traffic will route unblocked over the VPN link.

          Thanks
