pureFtpd server on pfsense DMZ, cannot be accessed by LAN with passive port range set
-
Hello,
My setup is :
WAN
DMZ -- 192.178.0.1 (debian pureftpd server with PassivePortRange and ForcePassiveIP set)
LAN -- 192.168.0.255
I've done a NAT port forwarding for 21 and 40000:40100 with the WAN IP.
The server is accessible from outside WAN, but I cannot connect to it from LAN. The connection is effective, but it hangs at directory listing.
I've found some explanations that the forwarding is not returning the correct port range, sending back a random range:
https://forum.netgate.com/topic/45613/howto-ftp-server-behind-pfsense-not-working-listing-directories-due-to-nat
That's my first explanation, but I cannot figure out how to solve this.
Does anyone have an idea?
Thanks in advance,
Maelvon
-
So you're hitting your WAN IP to try and get to this server? Did you set up NAT reflection?
To get to the server just hit it via its rfc1918 IP
Also your DMZ range is public? You're Google?
CIDR: 192.178.0.0/15
NetName: GOOGLE
IF that is not a typo and 192.168.. then your DMZ and LAN are the same network??
-
@johnpoz said in pureFtpd server on pfsense DMZ, cannot be accessed by LAN with passive port range set:
IF that is not a typo and 192.168.. then your DMZ and LAN are the same network??
It's a broadcast address depending on the subnet mask
-
From outside I can connect to my FTP server with my WAN IP as address. And I can list folders. It works like a charm.
But when I connect from my LAN, I cannot list folders.
I've done a NAT port forwarding, that seems to work for outside, but not from my LAN.
NAT reflection?
My DMZ DHCP IP is 192.178.0.254 and the FTP server has 192.178.0.1 IP.
Ok I understand. The DMZ network is not a private one. So I've modified it to 172.16.0.1!
So, I'm using Filezilla as FTP browser, and it cannot list folders when connecting from LAN. I'm thinking it's my firewall rules that are misconfigured. But if I connect from my LAN with a Linux ftp command it hangs while listing...
And the only difference is a: ftp: setsockopt: Bad file descriptor
Perhaps an error due to NAT rules?
How can I debug it?
-
@maelvon said in pureFtpd server on pfsense DMZ, cannot be accessed by LAN with passive port range set:
So what are your rules from LAN to DMZ? You should hit the internal IP of this FTP server when you're on your LAN.
Simple to setup a host override locally so that ftp.yourdomain.tld resolves to 172.16.0.1
You will want to make sure that your FTP server hands out its private IP when hit from a private IP, and your public IP when hit from public when doing passive.
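As an added example (not part of this thread or of Pure-FTPd), a small Python check that parses a PASV reply the way an FTP client does and reports why the data connection would hang for a given client address; the passive range 40000-40100 from the first post is the default, and the sample replies are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges: the only addresses a LAN client can reach directly,
# without relying on NAT reflection on the firewall.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the h1,h2,h3,h4,p1,p2 tuple of a "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, client_ip, port_range=(40000, 40100)):
    """Return the reasons the advertised data endpoint is unreachable from
    client_ip; an empty list means the directory listing should work."""
    ip, port = parse_pasv(reply)
    lo, hi = port_range
    problems = []
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the forwarded passive range {lo}-{hi}")
    if is_rfc1918(client_ip) and not is_rfc1918(ip):
        problems.append(f"LAN client {client_ip} was told to use non-RFC1918 address {ip}; "
                        "this only works if NAT reflection covers the passive range")
    if not is_rfc1918(client_ip) and is_rfc1918(ip):
        problems.append(f"WAN client {client_ip} was told to use private address {ip}; "
                        "ForcePassiveIP should be the public address")
    return problems


if __name__ == "__main__":
    # Constructed sample replies, not captured from the poster's server.
    samples = [
        ("227 Entering Passive Mode (172,16,0,1,156,80)", "192.168.0.10"),   # fine
        ("227 Entering Passive Mode (192,178,0,1,156,80)", "192.168.0.10"),  # public IP to LAN client
        ("227 Entering Passive Mode (172,16,0,1,200,0)", "192.168.0.10"),    # port not forwarded
    ]
    for reply, client in samples:
        print(reply, "->", check_pasv(reply, client) or "OK")
```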
-
My configuration in:
System / Advanced / Firewall & NAT / Network Address Translation / NAT Reflection mode for port forwards
is set to "NAT + Proxy"
and when I set it to "Pure NAT", I can list the FTP content from LAN.
So, it seems to be a solution, as it works. But as I have set up Squid Proxy, perhaps it's not a good idea to set "Pure NAT"?
Otherwise, can I create a rule which simulates the "Pure NAT" setup with "NAT + Proxy"?