pureFtpd server on pfsense DMZ, cannot be accessed by LAN with passive port range set



  • Hello,
    My setup is:
    WAN
    DMZ -- 192.178.0.1 (debian pureftpd server with PassivePortRange and ForcePassiveIP set)
    LAN -- 192.168.0.255

    I've done a NAT port forwarding for 21 and 40000:40100 with the WAN ip.

    The server is accessible from the outside (WAN), but I cannot connect to it from the LAN. The connection is established, but it hangs at the directory listing.

    I've found some explanations that the forwarding is not returning the correct port range, sending back a random range:

    https://forum.netgate.com/topic/45613/howto-ftp-server-behind-pfsense-not-working-listing-directories-due-to-nat

    That's my first explanation, but I cannot figure out how to solve this.

    Does anyone have an idea?

    Thanks in advance,

    Maelvon


  • LAYER 8 Global Moderator

    So you're hitting your WAN IP to try and get to this server? Did you set up NAT reflection?

    To get to the server, just hit it via its RFC 1918 IP.

    Also, your DMZ range is public? You're Google?
    CIDR: 192.178.0.0/15
    NetName: GOOGLE

    If that is not a typo and it's 192.168.., then your DMZ and LAN are the same network??


  • Galactic Empire

    @johnpoz said in pureFtpd server on pfsense DMZ, cannot be accessed by LAN with passive port range set:

    If that is not a typo and it's 192.168.., then your DMZ and LAN are the same network??

    It's a broadcast address, depending on the subnet mask.



  • @johnpoz

    From outside I can connect to my FTP server using my WAN IP as the address, and I can list folders. It works like a charm.
    But when I connect from my LAN, I cannot list folders.
    I've done a NAT port forwarding, which seems to work from outside, but not from my LAN.

    NAT reflection?

    My DMZ DHCP IP is 192.178.0.254 and the FTP server has 192.178.0.1 IP.

    Ok I understand. The DMZ network is not a private one. So I've modified it to 172.16.0.1!

    So, I'm using FileZilla as FTP browser, and it cannot list folders when connecting from the LAN. I'm thinking it's my firewall rules that are misconfigured. But if I connect from my LAN with the Linux ftp command, it hangs while listing..
    And the only difference is:

    ftp: setsockopt: Bad file descriptor

    Perhaps an error due to NAT rules?

    How can I debug it?


  • LAYER 8 Global Moderator

    @maelvon said in pureFtpd server on pfsense DMZ, cannot be accessed by LAN with passive port range set:

    So what are your rules from LAN to DMZ? You should hit the internal IP of this FTP server when you're on your LAN.

    Simple to set up a host override locally so that ftp.yourdomain.tld resolves to 172.16.0.1.

    You will want to make sure that your FTP server hands out its private IP when hit from a private IP, and your public IP when hit from a public one, when doing passive.

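    A small diagnostic for the check johnpoz describes above, added here as an example and not taken from the thread: it parses the 227 PASV reply a client receives and reports whether the announced address and port are reachable from where that client sits. It assumes the forwarded passive range 40000-40100 from the thread, and it treats only RFC 1918 space as private, so the original 192.178.0.1 DMZ address is classified as public; `server_addr` and `client_addr` are names chosen for this example.

```python
import ipaddress
import re

# Passive port range the thread forwards on pfSense (pure-ftpd PassivePortRange 40000:40100).
PASSIVE_PORT_RANGE = (40000, 40100)

# RFC 1918 space; the thread's original 192.178.0.0 DMZ is deliberately not in it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def is_rfc1918(addr):
    """True when the address lies inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply, or raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose_pasv(reply, server_addr, client_addr, port_range=PASSIVE_PORT_RANGE):
    """Explain why the data connection announced in `reply` may hang for this client.

    server_addr is the address the client dialled for the control connection,
    client_addr is the client's own source address. Empty list means the
    announced endpoint should be reachable as-is.
    """
    ip, port = parse_pasv(reply)
    lo, hi = port_range
    problems = []
    if not lo <= port <= hi:  # outside the NAT port forward -> silently dropped
        problems.append("data port %d is outside the forwarded range %d-%d" % (port, lo, hi))
    if is_rfc1918(client_addr) and not is_rfc1918(ip):  # the thread's LAN case
        problems.append("LAN client told to use public address %s; data ports rely on NAT reflection" % ip)
    elif not is_rfc1918(client_addr) and is_rfc1918(ip):  # ForcePassiveIP missing
        problems.append("Internet client told to use private address %s" % ip)
    elif ip != server_addr:
        problems.append("data address %s differs from control address %s" % (ip, server_addr))
    return problems
```

The addresses in the tests below are constructed documentation addresses, not the poster's real WAN IP.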


  • @johnpoz

    My configuration in:
    System / Advanced / Firewall & NAT / Network Address Translation / NAT Reflection mode for port forwards
    is set to "NAT + Proxy"
    and when I set it to "Pure NAT", I can list the FTP content from the LAN.

    So it seems to be a solution, as it works. But as I have set up Squid Proxy, perhaps it's not a good idea to set "Pure NAT"?
    Otherwise, can I create a rule which simulates the "Pure NAT" setup with "NAT + Proxy"?