Not working port forwarding
-
Dear users,
I can't forward port 21 to the FTP server in my LAN. With the old router it worked fine, but with pfSense it doesn't work.
I attach the screenshots showing the configuration:
I want to specify that with the old router it worked fine; the problem is in this configuration.
I think the error is in the destination field in the WAN rules. I can't write a private IP there; I should set the WAN address, but I can't change it because that is a linked rule.
How can I fix this issue?
Thanks
-
https://docs.netgate.com/pfsense/en/latest/nat/setup-ftp-server-behind-pfsense.html
Your NAT rule looks fine.
You might want to expand on what you are actually seeing instead of saying it doesn't work.
-
And remember to set NAT reflection to Enable (Pure NAT) when testing from the inside of your network.
-Rico
-
I'm trying from inside and outside the pfSense network, using the private (LAN) and public (WAN) IP addresses.
- inside the network, using the private IP address, it works normally;
- inside the network, using the public IP address, I can't reach the FTP server, even though I selected "Enable (Pure NAT)";
- outside the network, using the public IP address, I can connect but I can't start any transfer, even though I forwarded the passive ports range.
These are the NAT and Rules now:
With the old router, I didn't need to decide on a passive port range and forward it, and from the LAN I could reach the FTP server normally. I want to have the same rules and operation.
Also with the old router, the logs on my server were like this:
(000014)11/03/2019 17:02:45 - anonymous (87.4.171.84)> 227 Entering Passive Mode (10,78,32,12,195,167)
and in the clients (like fz client) this:
227 Entering Passive Mode (87,4,171,84,201,4)
There was an automatic switch of IP address and ports in the FTP commands, but now (with pfsense), from outside the network I can see in clients the same IP and ports I see in the server:
227 Entering Passive Mode (10,78,32,12,195,167)
How can I set up this feature? Not only for FTP, but also when I forward the web server.
Thanks
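
The address switch described in the post above can be checked directly from the 227 replies. The following Python sketch is an added example, not part of the original thread: it decodes a reply and reports why a client that connected to a given address could not open the data connection. The function names and the 50000-51000 passive range are assumptions; the reply lines are the ones quoted in the post.

```python
import ipaddress
import re

# Six comma-separated numbers of a 227 reply; also matches inside a server log line.
PASV_RE = re.compile(
    r"\b227 [^()\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (IPv4Address, port) advertised by a 227 reply."""
    m = PASV_RE.search(line)
    if m is None:
        raise ValueError("no 227 passive-mode reply in line")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in 227 reply")
    # The data port is sent as two bytes: high byte first, then low byte.
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_pasv(line, control_ip, passive_range=None):
    """List reasons a client that connected to control_ip cannot open the data channel."""
    host, port = parse_pasv(line)
    problems = []
    if host != ipaddress.IPv4Address(control_ip):
        if host.is_private:
            problems.append(
                f"server advertises private address {host}; nothing rewrote it to {control_ip}"
            )
        else:
            problems.append(f"server advertises {host}, client connected to {control_ip}")
    if passive_range is not None:
        low, high = passive_range
        if not low <= port <= high:
            problems.append(f"data port {port} is outside the forwarded range {low}-{high}")
    return problems


if __name__ == "__main__":
    wan_ip = "87.4.171.84"        # public address, taken from the log lines in the post
    forwarded = (50000, 51000)    # constructed passive range, not from the thread
    samples = {
        "old router": "227 Entering Passive Mode (87,4,171,84,201,4)",
        "pfSense": "227 Entering Passive Mode (10,78,32,12,195,167)",
    }
    for name, reply in samples.items():
        print(name, parse_pasv(reply), check_pasv(reply, wan_ip))
    print(check_pasv(samples["pfSense"], "10.78.32.12", forwarded))
```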
-
Set your WAN IP address in the FTP server.
pfSense does not include an FTP ALG for your situation. You have to set it in the server.
It's right here and is described in the document I linked:
-
I tried to write the WAN IP, but I had to uncheck "Don't use external IP for local connections" to make it work.
And now connections from outside work, but the connections to the WAN IP from the inside don't work.
How can I fix this?
-
https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html this is the last time I link you to the documentation, try to read it for a change.
I'm now blocking you.
-
@grimson Now the values are these:
And now it works! Don't block me, I'm a little stubborn, but in the end I succeed!
@derelict said in Not working port forwarding:
pfSense does not include an FTP ALG for your situation. You have to set it in the server.
To reply to you: is there a way to include this feature, so I won't need to decide on a port range, as with the old router?
And to forward the web, SSH, and Samba servers, will I need to do anything more, like with the FTP server?
Thanks
-
There almost certainly is never going to be an FTP ALG added to pfSense.
pfSense is a security product.
FTP is insecure and outdated and the general consensus is that nobody should be using it in production any more.
If a security layer WAS added, as in FTP/S, then an ALG would be useless because it could neither see nor manipulate the inside of the protocol.
SFTP works, is secure, and doesn't require any of this nonsense.