    FTP Server reachable through OPT1

    23 Posts 3 Posters 10.3k Views
      Tomba

      First off; I absolutely LOVE pfSense because it allows me to do almost all I want with a router ;)
      --------------------------------------------------
      I am using pfSense to 'load balance' 2 ADSL lines.
      Line 1:
      2/1 Mbit
      Reliable, all server options allowed (port 25 not blocked etc)
      Dedicated newsserver
      Fixed ip through DHCP
      ADSL modem in bridge modus
      Connected to WAN interface
      (expensive)

      Line 2:
      20/1 Mbit
      Flaky DNS servers, port 25 blocked etc
      Semi fixed ip through DHCP
      ADSL Router in routing modus
      Connected to OPT1 interface named WANADOO (which has a fixed ip in the range of the router)
      (dirt cheap)

      My load balancing consists of using Line 1 for SMTP/DNS/NNTP, while Line 2 is used for all other protocols + news over an alternative port (this was the easiest way to achieve this for me; luckily newshosting allows you to connect on tons of different ports).

      Now for the problem. I have the following NAT settings in pfSense:
      --------------------------------------------------------------------------------
      Firewall: NAT: Port Forward

      If       Proto  Ext. port    NAT IP                                 Int. port    Description
      WAN      TCP    443 (HTTPS)  192.168.3.254 (ext.: 212.238.144.132)  443 (HTTPS)  HTTPS Demon --> Remotely Anywhere
      WANADOO  TCP    21 (FTP)     192.168.3.254 (ext.: 192.168.10.35)    21 (FTP)     FTP Wanadoo --> ServU

      Firewall: NAT: Outbound

      Enable IPSec passthru --> not checked

      Enable advanced outbound NAT --> checked

      Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
      Wanadoo    192.168.3.0/24  *            *            *                 *            *         NO           LAN --> Wanadoo
      WAN        192.168.3.0/24  *            *            *                 *            *         NO           LAN --> Demon

      Firewall: Rules: LAN

      Proto  Source   Port  Destination     Port      Gateway       Description
      TCP    LAN net  *     194.159.73.136  *         *             LAN DNS --> Demon
      TCP    LAN net  *     *               119       *             LAN News --> Demon
      TCP    LAN net  *     *               25 (SMTP) *             LAN SMTP --> Demon
      *      LAN net  *     *               *         192.168.10.1  Default LAN -> any
      *      LAN net  *     *               *         *             Default LAN -> any   (disabled, I enable this when Wanadoo is down)

      Firewall: Rules: WAN

      Proto  Source             Port  Destination    Port         Gateway  Description
      *      RFC 1918 networks  *     *              *            *        Block private networks
      TCP    *                  *     192.168.3.254  443 (HTTPS)  *        NAT HTTPS Demon --> Remotely Anywhere
      TCP    *                  *     192.168.3.254  21 (FTP)     *        NAT FTP Demon --> ServU
      TCP    *                  *     *              *            *        Block all

      Firewall: Rules: Wanadoo

      Proto  Source  Port  Destination    Port         Gateway       Description
      TCP    *       *     192.168.3.254  443 (HTTPS)  192.168.10.1  NAT HTTPS Wanadoo --> Remotely Anywhere
      TCP    *       *     192.168.3.254  21 (FTP)     192.168.10.1  NAT FTP Wanadoo --> ServU
      TCP    *       *     *              *            192.168.10.1  Block all on Wanadoo

      192.168.3.254 is another router (ipCop) which has the ports forwarded to their correct servers.
      When I connect from 192.168.4.x with FTP to 192.168.4.10 I can connect.
      If I connect from the WAN side of the ipCop router I am able to connect to the FTP.
      If I connect from the WAN side of pfSense I am able to connect to the FTP (that is, if I change the NAT: port forward page).
      If I connect from the OPT1 side of pfSense I am UNABLE to connect to the FTP.

      How can I get my FTP server to run on the OPT1 side? Can anyone help?

        sullrich

        http://faq.pfsense.com/index.php?action=artikel&cat=1&id=142&artlang=en&highlight=ftp

          Tomba

          @sullrich:

          http://faq.pfsense.com/index.php?action=artikel&cat=1&id=142&artlang=en&highlight=ftp

          OK, defined 3 PASV ports (32100-32102) in ServU and forwarded them on my ipCop box, then added:

          Firewall: NAT: Port Forward

          If       Proto  Ext. port range  NAT IP                               Int. port range  Description
          WANADOO  TCP    32100 - 32102    192.168.3.254 (ext.: 192.168.10.35)  32100 - 32102    PASV FTP

          But still I just get a blinking cursor and then a timeout:

          C:\Documents and Settings\Administrator>ftp 192.168.10.35
          Connected to 192.168.10.35.
          Host disconnected

            hoba

            Did you disable the ftp helper? Also keep in mind that if the ftp server is announcing a private IP address, that won't help you in the internet to find its way back to the server. Check your FTP-Server settings if it has some kind of NAT settings and finally try active and passive ftp.

              Tomba

              @hoba:

              Did you disable the ftp helper? Also keep in mind that if the ftp server is announcing a private IP address, that won't help you in the internet to find its way back to the server. Check your FTP-Server settings if it has some kind of NAT settings and finally try active and passive ftp.

              Should the FTP Helper be dis- or enabled? (it doesn't work either way but it never hurts to know ;P)
              I want to emphasize that all my Internet traffic except DNS, SMTP and NNTP goes through OPT1 not WAN and that the FTP server is perfectly reachable over WAN if I port forward (just) port 21 to the correct IP address, so I'm still unsure as to why it doesn't work over OPT1. (an analogy: on my ipCop I also have a DMZ and am perfectly able to port forward from WAN --> DMZ and from DMZ --> LAN)

              Any advice would be very helpful!

                Tomba

                @hoba:

                Did you disable the ftp helper? Also keep in mind that if the ftp server is announcing a private IP address, that won't help you in the internet to find its way back to the server. Check your FTP-Server settings if it has some kind of NAT settings and finally try active and passive ftp.

                On another note, just to test I also forwarded port 443 (HTTPS) over OPT1 (which works perfectly over the WAN interface) and this doesn't work either! So it seems to be an issue with (a setting of) the OPT1 interface and not related to FTP. Is port forwarding supported on OPT1? (it could be me that did it wrong ;))

                  hoba

                  You have to disable the ftp helper at OPT and at WAN and port forward the ranges your ftp server is using. I think you also have to use active mode in this scenario to connect to your ftp server and, as I said before, the ftp server usually has to know its public IP to announce it to the client. This might be a bit difficult in a multi-WAN setup as it has to deal with 2 different public IPs then. Chances are great that a request from a client comes in one wan and the server answers to the other wan, as the traffic happens on different ports and doesn't seem to belong to the same conversation seen from the firewall.

                  See http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html to understand why ftp is not that easy to implement in this situation.

                  Maybe setting up 2 ftp processes with different ranges serving the same data might be the easiest workaround. Use policy-based routing and NAT to send everything of process1 out wan1 and everything of process2 out wan2.

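The two things hoba asks Tomba to verify in his replies (whether ServU announces a private or wrong address in its PASV reply, and whether the data port it picks lies inside the 32100-32102 range forwarded on the ipCop box, plus the active-mode case where the client announces its own address with PORT) can be checked from a captured control-channel line. The script below is an added example, not code from this thread or from pfSense; it assumes a client on the OPT1 segment, so the server is expected to announce the OPT1 address 192.168.10.35 from the first post, and the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample FTP control-channel lines, not captured from the thread's server.
# Server PASV reply:   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   data port = p1*256 + p2
# Client PORT command: PORT h1,h2,h3,h4,p1,p2                         (active mode)
SAMPLE_LINES = [
    "227 Entering Passive Mode (192,168,3,254,125,100)",  # ServU announces its LAN-side address
    "227 Entering Passive Mode (192,168,10,35,125,102)",  # announces the OPT1 address, port in range
    "227 Entering Passive Mode (192,168,10,35,125,103)",  # port 32103 is outside the forwarded range
    "PORT 10,0,0,5,4,1",                                   # active-mode client behind NAT
]

# Values taken from the thread: pfSense OPT1 address and the PASV range forwarded for ServU.
EXPECTED_ADDRESS = "192.168.10.35"
PASV_RANGE = (32100, 32102)

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$")


def parse_endpoint(line):
    """Return (mode, ip, port) for a PASV reply or PORT command, or None if the line is neither."""
    mode, m = "passive", PASV_RE.match(line)
    if m is None:
        mode, m = "active", PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None  # malformed: every field must fit in one octet
    ip = ".".join(str(x) for x in fields[:4])
    return mode, ip, fields[4] * 256 + fields[5]


def check_endpoint(line, expected_address=EXPECTED_ADDRESS, pasv_range=PASV_RANGE):
    """List the reasons a data connection built from this line would not get through the firewall."""
    parsed = parse_endpoint(line)
    if parsed is None:
        return ["not a PASV reply or PORT command"]
    mode, ip, port = parsed
    issues = []
    if mode == "passive":
        # The client connects to what the server announced, so it must be the address
        # reachable from the client's side and a port that is actually forwarded.
        if ip != expected_address:
            issues.append("server announced %s instead of %s" % (ip, expected_address))
        lo, hi = pasv_range
        if not lo <= port <= hi:
            issues.append("passive port %d outside forwarded range %d-%d" % (port, lo, hi))
    elif ipaddress.IPv4Address(ip).is_private:
        # Active mode: the server connects back to this address, so a private address
        # behind NAT is unreachable unless something rewrites the PORT command.
        issues.append("client announced private address %s for active mode" % ip)
    return issues


def check_samples():
    """Run the check over the constructed samples; maps each line to its list of issues."""
    return {line: check_endpoint(line) for line in SAMPLE_LINES}


if __name__ == "__main__":
    for line, issues in check_samples().items():
        print(line, "->", issues or ["ok"])
```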
                    hoba

                    @Tomba:

                    @hoba:

                    Did you disable the ftp helper? Also keep in mind that if the ftp server is announcing a private IP address, that won't help you in the internet to find its way back to the server. Check your FTP-Server settings if it has some kind of NAT settings and finally try active and passive ftp.

                    On another note, just to test I also forwarded port 443 (HTTPS) over OPT1 (which works perfectly over the WAN interface) and this doesn't work either! So it seems to be an issue with (a setting of) the OPT1 interface and not related to FTP. Is port forwarding supported on OPT1? (it could be me that did it wrong ;))

                    Sounds like a completely different story. HTTPS doesn't use different ports and directions to communicate like ftp does. You really might have something wrong then. I'll test this later when I get time to make sure.

                      Tomba

                      @hoba:

                      You have to disable the ftp helper at OPT and at WAN and port forward the ranges your ftp server is using. I think you also have to use active mode in this scenario to connect to your ftp server and, as I said before, the ftp server usually has to know its public IP to announce it to the client. This might be a bit difficult in a multi-WAN setup as it has to deal with 2 different public IPs then. Chances are great that a request from a client comes in one wan and the server answers to the other wan, as the traffic happens on different ports and doesn't seem to belong to the same conversation seen from the firewall.

                      See http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html to understand why ftp is not that easy to implement in this situation.

                      Maybe setting up 2 ftp processes with different ranges serving the same data might be the easiest workaround. Use policy-based routing and NAT to send everything of process1 out wan1 and everything of process2 out wan2.

                      (Disable FTP Helper on both WAN/OPT1 --> Check)

                      OK, maybe I'm not being clear. When and if I ONLY forward port 21 from WAN to 192.168.3.254 everything works, so why then do I need to forward other ports as well when I want to use the OPT1 interface? (as said before I have a rule telling pfSense to put all traffic except DNS/SMTP/NNTP over OPT1 not WAN) I don't want to use FTP on WAN, just on OPT1, so setting up different ranges isn't necessary as far as I can see. Also I don't even get a banner from the OPT1 side + my FTP server logs no connections, so as far as I can see the traffic doesn't even pass the pfSense box...

                      Also; note that HTTPS refuses to work as well, so as far as I can see pfSense seems to be unable to port forward from OPT1 to LAN?

                      (again maybe I don't understand pfSense ;P)

                        Tomba

                        @hoba:

                        @Tomba:

                        @hoba:

                        Did you disable the ftp helper? Also keep in mind that if the ftp server is announcing a private IP address, that won't help you in the internet to find its way back to the server. Check your FTP-Server settings if it has some kind of NAT settings and finally try active and passive ftp.

                        On another note, just to test I also forwarded port 443 (HTTPS) over OPT1 (which works perfectly over the WAN interface) and this doesn't work either! So it seems to be an issue with (a setting of) the OPT1 interface and not related to FTP. Is port forwarding supported on OPT1? (it could be me that did it wrong ;))

                        Sounds like a completely different story. HTTPS doesn't use different ports and directions to communicate like ftp does. You really might have something wrong then. I'll test this later when I get time to make sure.

                        Ok hoba, thanks very much for your input up to this point! I look forward to any help on this :)

                          hoba

                          Just tested with a port 80 forward at my Dual WAN setup at the office. Works as expected. Maybe the connection gets stuck in your router in front of the pfSense? I have a similar setup using an ADSL router in front of my WAN2 to fake a static gateway IP for load balancing. I have set the pfSense WAN2 IP as DMZ IP at the ADSL router so everything gets forwarded automatically.

                          What version are you running btw?

                            Tomba

                            @hoba:

                            Just tested with a port 80 forward at my Dual WAN setup at the office. Works as expected. Maybe the connection gets stuck in your router in front of the pfSense? I have a similar setup using an ADSL router in front of my WAN2 to fake a static gateway IP for load balancing.

                            So you are able to port forward on both WAN and OPT1? The router in front of pfSense doesn't come into play because I'm testing with a laptop connected to the OPT1 interface ATM.

                            I don't understand:
                            @hoba:

                            I have set the pfSense WAN2 IP as DMZ IP at the ADSL router so everything gets forwarded automatically.

                            What do you mean by this (and how do I do this?)

                            @hoba:

                            What version are you running btw?

                            Was running 1.0 Beta 3, upgraded to Beta 4 yesterday.

                            Thanks for the help so far !!

                              Tomba

                              @Tomba:

                              I don't understand:
                              @hoba:

                              I have set the pfSense WAN2 IP as DMZ IP at the ADSL router so everything gets forwarded automatically.

                              What do you mean by this (and how do I do this?)

                              I understand what you're saying now ;) As I am connecting directly from OPT1 this is not an issue I guess.

                                hoba

                                @Tomba:

                                @hoba:

                                Just tested with a port 80 forward at my Dual WAN setup at the office. Works as expected. Maybe the connection gets stuck in your router in front of the pfSense? I have a similar setup using an ADSL router in front of my WAN2 to fake a static gateway IP for load balancing.

                                So you are able to port forward on both WAN and OPT1? The router in front of pfSense doesn't come into play because I'm testing with a laptop connected to the OPT1 interface ATM.

                                I don't understand:
                                @hoba:

                                I have set the pfSense WAN2 IP as DMZ IP at the ADSL router so everything gets forwarded automatically.

                                What do you mean by this (and how do I do this?)

                                @hoba:

                                What version are you running btw?

                                Was running 1.0 Beta 3, upgraded to Beta 4 yesterday.

                                Thanks for the help so far!!

                                Most of the simple modem routers out there have an option to specify a DMZ IP. This basically means: forward all ports, all protocols incoming at wan to this DMZ IP and allow all traffic to this IP. Of course, this IP isn't firewalled anymore then, but as the pfSense WAN2 has its own firewall it eliminates the double administration you would have to do without it (port forward from modem router to pfSense and from pfSense to internal host). Check your modem router's manual, it might be called differently.

                                Beta4 is pretty old, though it is the last officially posted version on the mirrors. I'm running a version very close to RC1 (maybe even what will become RC1). I strongly recommend upgrading. If you have a full hdd install, run "cvs_sync.sh RELENG_1" from the shell or via ssh after leaving the shell menu by choosing option 8. This will update your box against the CVS code tree and you will be running the most recent version after this. This process takes some time on the first run and might appear stuck somewhere in the middle. Just be patient and give it time. Reboot after it went through.
                                Another option is to wait for the RC1 update or new image which should be available pretty soon (we are doing some final tests atm).

                                  Tomba

                                  @hoba:

                                  @Tomba:

                                  @hoba:

                                  Just tested with a port 80 forward at my Dual WAN setup at the office. Works as expected. Maybe the connection gets stuck in your router in front of the pfSense? I have a similar setup using an ADSL router in front of my WAN2 to fake a static gateway IP for load balancing.

                                  So you are able to port forward on both WAN and OPT1? The router in front of pfSense doesn't come into play because I'm testing with a laptop connected to the OPT1 interface ATM.

                                  I don't understand:
                                  @hoba:

                                  I have set the pfSense WAN2 IP as DMZ IP at the ADSL router so everything gets forwarded automatically.

                                  What do you mean by this (and how do I do this?)

                                  @hoba:

                                  What version are you running btw?

                                  Was running 1.0 Beta 3, upgraded to Beta 4 yesterday.

                                  Thanks for the help so far!!

                                  Most of the simple modem routers out there have an option to specify a DMZ IP. This basically means: forward all ports, all protocols incoming at wan to this DMZ IP and allow all traffic to this IP. Of course, this IP isn't firewalled anymore then, but as the pfSense WAN2 has its own firewall it eliminates the double administration you would have to do without it (port forward from modem router to pfSense and from pfSense to internal host). Check your modem router's manual, it might be called differently.

                                  I understood in the meantime ;) I am talking directly to OPT1 with my laptop so the ADSL router is no issue (besides that I already did the DMZ IP thing, it's just called differently. Besides that, if I enable the firewall on this router the throughput takes a big hit)

                                  @hoba:

                                  Beta4 is pretty old, though it is the last officially posted version on the mirrors. I'm running a version very close to RC1 (maybe even what will become RC1). I strongly recommend upgrading. If you have a full hdd install, run "cvs_sync.sh RELENG_1" from the shell or via ssh after leaving the shell menu by choosing option 8. This will update your box against the CVS code tree and you will be running the most recent version after this. This process takes some time on the first run and might appear stuck somewhere in the middle. Just be patient and give it time. Reboot after it went through.

                                  Here I was thinking I was running the latest version, but of course there are the CVS builds ;) I'll try this when I am home. Will all my firewall rules be retained when I do this?
                                  Another question: is the way I specified my rules correct (see my first post) ?

                                  @hoba:

                                  Another option is to wait for the RC1 update or new image which should be available pretty soon (we are doing some final tests atm).

                                  I have no problem installing the pre-RC1 version, because I just want it to work (TM) ;P (the router is used @Home so no problem if my internet is down a bit)

                                    hoba

                                    You'll keep your configuration and the downtime will only be during the reboot. However making a backup of your config.xml is always recommended.

                                      Tomba

                                      @hoba:

                                      You'll keep your configuration and the downtime will only be during the reboot. However making a backup of your config.xml is always recommended.

                                      Tx for the input hoba. What is the easiest way to back up my config.xml?

                                      I didn't have time yesterday to upgrade to the newest build, will probably do this tomorrow.

                                        hoba

                                        Simply download it via the webGUI at Diagnostics > Backup/Restore.

                                          Tomba

                                          I realise it has been some time, but I didn't get around to installing an update on my pfSense router. I installed RC2 last week and still no port forwards on OPT1 seem to work. Currently I am using my WAN interface, but since this is a slower link than OPT1 I'd like to be able to use forwards on OPT1 as well. Can anyone help me?
                                          (I am currently testing with HTTPS, because FTP is more difficult when it comes to NATting --> the port forward works on WAN, but not on OPT1)

                                            Tomba

                                            Kick, I'm still having this problem: no port forwards on OPT1 work, so I'm still stuck with having to publish all my servers on the WAN interface...

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.