Multiple FTP Hosts behind PFSense



  • Good night PFSense experts,

    My objective
    Serve 2 different FTPs, on two different machines behind PFSense Firewall.

    What I did to Achieve

    Machine A: Uses Microsoft IIS FTP running on port 21, has passive ports 2010 to 2020 and points to the firewall. Folders protected with username/password.

    Machine B: Uses Microsoft IIS FTP running on port 51, has passive ports 2030 to 2050 and points to the firewall. Folders protected with username/password.

    PFSense for Machine A: Redirection rules for WAN port 21 to Machine A's 21 and respective passive ports 2010 to 2020. Permissions granted successfully.

    PFSense for Machine B: Redirection rules for WAN port 51 to Machine B's 51 and respective passive ports 2010 to 2020. Permissions granted successfully.

    What I did achieve
    Machine A's FTP works perfectly, username and passwords run normally and FTP is used properly.
    Machine B's FTP just gives a timeout response after login. It's possible to see in the IIS log that it does start and close connections, and PFSense also shows it's properly going through 51, but after that nothing happens.

    Is this something possible to achieve with PFSense + IIS? Do I have to enable something else on pfsense to make Machine B's FTP work properly?

    Thank you very much!


  • Rebel Alliance Global Moderator

    You have a typo; it looks like you're sending 2010 - 2020 to both A and B..

    Is your IIS actually sending your public IP to the client for the passive connection?  Any decent ftp client should show you what the server sends for the passive connection which would be the IP and the ports..

    1.2.3.4,#,#

    Where port = #x256+ 2nd X



  • Hi johnpoz,

    Sorry about the typo, I meant Machine B using 2030 to 2050.

    Here's what happens when I try to use it on FileZilla; it does enter passive mode. Sorry about my ignorance, but is ",232,78" the passive port part of the address? I couldn't understand "Where port = #x256+ 2nd X" well; is it 232*256 + 78? Is 59399 the port it's trying to reach?

    Estado: Conectando <ip>:PORT…
    Estado: Conexão estabelecida, esperando mensagem de boas-vindas...
    Estado: Servidor sem segurança, não suporta FTP sobre TLS
    Estado: Identificado
    Estado: Obtendo lista de pastas...
    Comando: PWD
    Resposta: 257 "/" is current directory.
    Comando: TYPE I
    Resposta: 200 Type set to I.
    Comando: PASV
    Resposta: 227 Entering Passive Mode (<ip>,232,78).
    Comando: LIST
    Resposta: 150 Opening BINARY mode data connection.
    Erro: Conexão expirou após 20 segundos de inatividade
    Erro: Falha na obtenção da lista de pastas

    Estado: Desconectado do servidor
    Estado: Conectando<ip>:51…
    Estado: Conexão estabelecida, esperando mensagem de boas-vindas...
    Estado: Servidor sem segurança, não suporta FTP sobre TLS
    Estado: Identificado
    Estado: Obtendo lista de pastas...

    The bold part means that connection expired after 20 seconds of inactivity when trying to list the folders. So the problem occurs after connection right?

    Thank you very much for replying!


  • Rebel Alliance Global Moderator

    Exactly, 232x256 + 78 would be the port the server is telling it to go to.  Is the IP your public WAN address, or was it your RFC1918 address?

    So since that is not in the range 2030-2050 it would never work.

    You need to fix your ftp server to hand out the correct ports you're forwarding for the client to connect to.

    On a side note - I really do not understand why anyone continues to use ftp.. Why would you not just use sftp??  This is one port that defaults to 22 (ssh).. Now your username and password would not be in the clear, and it is way more secure, etc..  And so much easier to use via natted connections since there is no control channel and then data channel that is either active or passive using other ports, etc.

    Also, to be honest, an active server behind nat is easier for the server admin, since it now falls on the client side to tell the server which IP to connect to and what port to use.  So in that case all you have to do is open up 21 in a forward.  And not limit what ports your server can create outbound connections on.
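    A worked check of what johnpoz describes in both replies above, added here as an example and not part of the thread: it parses an FTP 227 reply, computes p1*256 + p2, and compares the advertised address and port against the firewall's WAN address and the passive range forwarded in pfSense. The replies and addresses below are constructed; 203.0.113.10 stands in for the WAN address and (2030, 2050) is Machine B's forwarded range.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"; the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 ranges: a server behind NAT must not advertise these to outside clients.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str):
    """Return (advertised IPv4Address, data port) from a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_pasv(reply: str, wan_ip: str, passive_range: tuple) -> list:
    """List the reasons an outside client could not complete the data connection.

    wan_ip is the firewall's public address and passive_range the (low, high)
    ports the pfSense NAT rules forward to this server.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"server advertises RFC1918 address {ip}")
    elif ip != ipaddress.IPv4Address(wan_ip):
        problems.append(f"server advertises {ip}, firewall WAN is {wan_ip}")
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Constructed replies: the thread's ",232,78" on a LAN address, then a correct one.
    bad = "227 Entering Passive Mode (192,168,1,20,232,78)."
    good = "227 Entering Passive Mode (203,0,113,10,7,238)."
    for reply in (bad, good):
        print(parse_pasv(reply), check_pasv(reply, "203.0.113.10", (2030, 2050)))
```

    Run against a real 227 line copied from the FileZilla log, this shows in one step whether the server is handing out a LAN address or a port the firewall never forwards.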



  • Hi johnpoz,

    I'm ashamed to tell you this, but Machine B started to serve FTP perfectly after restarting the Windows service. Thank you very much for your time and effort.

    I'll study how SFTP works to suggest this more viable solution to my users, thanks again.



  • From what I've seen, SFTP isn't supported natively on Windows and IIS, right?

    Thanks!


  • Rebel Alliance Global Moderator

    What version of Windows are you running?  Windows added sftp a while back.  And you can always just install openssh to get it on any Windows product..

    https://github.com/PowerShell/openssh-portable

    https://arstechnica.com/gadgets/2017/12/microsoft-quietly-snuck-an-ssh-client-and-server-into-the-latest-windows-10/

    or just install this
    https://www.mls-software.com/opensshd.html

    This is what I run on my windows machines for ssh client.

    Microsoft Windows [Version 6.1.7601]
    Copyright © 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\System32>ssh -V
    OpenSSH_7.6p1, OpenSSL 1.0.2k  26 Jan 2017

    C:\Windows\System32>ssh user@uc.local.lan
    Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

    7 packages can be updated.
    7 updates are security updates.

    Last login: Mon Apr 23 10:42:50 2018 from 192.168.9.100
    user@uc:~$

    Even use public key auth with it as you can see.

    So there is zero cost to running this for both the client or the server side.. FTP should have died off 10+ years ago if you ask me... I just do not get why it is still around.. It is NOT secure and is just a PITA with nat ;)

    Which I should update.. But I normally do not use it on this work machine - since they provide secureCRT as client ;)  Off to update to 7.7p1 now - hehee