Netgate Discussion Forum

    FTP Server on Lan1, access from Lan2 [SOLVED]

    L2/Switching/VLANs
    16 Posts 4 Posters 1.1k Views
    • Bambos

      Hello to everyone,

      I'm setting up an FTP server based on Windows 10 IIS; obviously I have opened port 21 to the FTP server on the Lan1 network, 192.168.4.0/24. It is mostly used for data acquisition for CSV files.

      For safety, I have Lan2 (dedicated interface, not VLAN) for the rest of the application servers I need: 192.168.5.0/24.

      What do you recommend for accessing Lan1 from Lan2, to transfer the incoming data from CSV files in Lan1 for further processing on application servers on Lan2?

      I'm not very experienced in networking, but I already found something. I need your opinion.

      Possible solutions:

      1. A second Ethernet card in all machines on Lan2, so they can also access Lan1. I don't know if this compromises security.
      2. OpenVPN access accounts for each machine in Lan2 to Lan1. I know this compromises bandwidth because of the 1 Gbit limit of each network card.
      3. A static route from specific IPs on Lan2 to Lan1? I don't know if this is possible.
      4. Is there any way to VPN the whole of Lan2 to Lan1?
      5. Anything else I couldn't think of?

      Thanks for your time reading this.

      • JKnott @Bambos

        @Bambos

        How are those LANs connected? Are they both on some common router? Do they connect only to the Internet? Etc.?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • Bambos @JKnott

          @JKnott Hello Sir,

          Lan 1 and Lan 2 are 2 dedicated interfaces on the same pfSense box.

          I did this because Lan1 has the port forward for the FTP server (accepting files from WAN), so I moved all the application servers and backup to Lan 2 for better safety.

          Now I'm looking at how I can access LAN1 from LAN2 to pass the files into the safe network for processing by the application servers. That's why I thought about whether we can do static routes between them, or a permanent VPN between them, or something else.

          Thank you.

          • JKnott @Bambos

            @Bambos

            If both networks are connected to the same pfSense box, then it's just basic routing and rules. No need for VPNs. Also, when you mention port forwarding, I hope you mean from your Internet connection. You don't need it for internal routing.

            • Bambos @JKnott

              @JKnott OK Sir, this is clear. I will check out the routes; it is the first thing to try. Thank you.

              • Derelict LAYER 8 Netgate

                Why set up FTP? It's 2020.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • Bambos @Derelict

                  @Derelict I know :) It's a data acquisition method from low-spec industrial dataloggers. They send logs in CSV files. It's the main protocol they support. Some of them might support XML; most of them only CSV through FTP.

                  • JKnott @Bambos

                    @Bambos

                    As I pointed out, you mentioned port forwarding, which usually implies NAT. If you have that, it may cause problems for FTP. Active mode FTP won't work through NAT without some assistance. Passive FTP works fine.

                    • Bambos @JKnott

                      @JKnott Yes Sir, port 21 forwarding from WAN to a specific Lan1 IP for the FTP server. I'm accepting CSV files from low-spec dataloggers. Only this method is supported.
                      Lan1 = 192.168.4.0/24

                      Lan2 is a dedicated interface on the same pfSense box and I have all the application servers and backup there for more safety (not to be exposed to the open port of LAN1), so the two LAN networks are isolated.
                      Lan2 = 192.168.6.0/24.

                      I'm looking for a way to pass the files landing on the FTP server (LAN1: 192.168.4.100) to the app server (LAN2: 192.168.6.100), so that my application servers can keep processing.

                      To my understanding, with the little experience I have, the servers on LAN2 must somehow have a LAN1 IP address in order to access the files on the FTP server (Windows file share, SMB); that's why I ask for a permanent VPN between the 2 LANs, or a VPN for each server, or dual network cards on each server.

                      Any thoughts? Am I missing something?

                      Thanks for the replies.

                      • JKnott @Bambos

                        @Bambos said in FTP Server on Lan1, access from Lan2:

                        > Yes Sir, port 21 forwarding from WAN to Lan1 specific IP for the FTP Server.

                        I'm not sure you understand the situation. Are you using NAT? If so, why? If that app uses active FTP, you will have problems with anything other than plain routing. In that situation, you do not want to use NAT or port forwarding.

                        > Any thoughts? Am I missing something?

                        Yes, a basic understanding of how networks work. If you have 2 networks connected to the same router (pfSense) then you do not need NAT, port forwarding, VPN or anything other than plain routing. You route from one LAN to the other and back. You then set up the rules as appropriate for your needs, bearing in mind those rules may interfere with active FTP.

                        • JKnott @Bambos

                          @Bambos

                          Here's some info on the issue I'm referring to:

                          NAT and firewall traversal

                          • Bambos @JKnott

                            @JKnott I'm very sorry for the inconvenience. :) As you understand, I'm new to this heavy networking field. I'm coming from electrical engineering; my only experience was plugging in a TP-Link for home internet, but for the last 3 months I've been using pfSense, doing several tests, and I really enjoy it. I set it up on a bare-metal Pentium 4, 3 GHz, 1 GB RAM, SSD. I have also achieved high availability with success. Thanks for the help anyway, I really appreciate it.

                            I will try to make things clear.

                            I have checked the dataloggers that send log files to the FTP server through WAN: they support passive mode.
                            I am using NAT from WAN to LAN1. The port forward is 21 (listening port) plus a custom port range 21000-22000 for data channels; to my understanding this enables PASV mode. I have configured the FTP server (Windows 10 IIS) the same way.

                            WAN -> LAN1 192.168.4.0/24. FTP is 192.168.4.100; all ports are forwarded to 192.168.4.100.

                            Isolated LAN2: 192.168.6.0/24. The app server that must receive the log files is 192.168.6.100.

                            The two LANs are dedicated network interfaces on the same pfSense box.

                            So finally, my question is how I can access the files on 192.168.4.100 from 192.168.6.100.

                            Thanks a lot !

                            • Derelict LAYER 8 Netgate

                              Why are they on WAN not another LAN?

                              If you port forward from passive FTP clients on the outside to a passive FTP server on the inside you need to:

                              1. Port forward port 21 inbound on WAN to the FTP server
                              2. Port forward the configured passive ports on the server just like port 21
                              3. Be sure the FTP server is giving the WAN address, not its inside address, to the clients to connect to for the passive transfer session. This can sometimes be done on-the-fly by an application layer gateway (ALG) on a firewall. Such an ALG does not exist in the pfSense firewall so you must configure the FTP server correctly.

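The host-port field behind both the active-mode problem JKnott describes and step 3 of the list above, as an added example that is not part of the thread: it decodes a `PORT` command or `227` reply and checks a passive reply against what a WAN client can reach. The WAN address 203.0.113.10 and the sample control-channel lines are constructed; 192.168.4.100 and the 21000-22000 range come from the thread.

```python
import ipaddress
import re

# RFC 959 host-port field h1,h2,h3,h4,p1,p2, used by both the client's PORT
# command (active mode) and the server's 227 reply (passive mode).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hostport(line):
    """Return (IPv4Address, port) carried in a PORT command or a 227 reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port field in %r" % line)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def check_pasv_reply(line, wan_ip, port_range):
    """List what is wrong with a 227 reply from the point of view of a WAN client."""
    ip, port = parse_hostport(line)
    problems = []
    if any(ip in net for net in _RFC1918):
        problems.append("advertises inside address %s" % ip)
    elif ip != ipaddress.IPv4Address(wan_ip):
        problems.append("advertises %s instead of WAN address %s" % (ip, wan_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d outside forwarded range %d-%d" % (port, lo, hi))
    return problems

if __name__ == "__main__":
    WAN_IP = "203.0.113.10"        # constructed placeholder (documentation range)
    PASV_RANGE = (21000, 22000)    # passive range mentioned in the thread
    samples = [                    # constructed control-channel lines
        "227 Entering Passive Mode (192,168,4,100,82,10)",   # server leaks LAN1 address
        "227 Entering Passive Mode (203,0,113,10,82,10)",    # correctly configured
        "227 Entering Passive Mode (203,0,113,10,195,80)",   # port not forwarded
    ]
    for s in samples:
        print(s, "->", check_pasv_reply(s, WAN_IP, PASV_RANGE) or "OK")
    # Active mode: the client's own PORT command carries its inside address,
    # which is why it fails through NAT without assistance.
    print(parse_hostport("PORT 10,0,0,5,19,137"))
```

Capturing the server's real `227` line from an FTP client's debug output on the WAN side and passing it to `check_pasv_reply` shows whether the server is configured as step 3 requires.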
                              • Bambos @Derelict

                                @Derelict said in FTP Server on Lan1, access from Lan2:

                                > Why are they on WAN not another LAN?
                                >
                                > If you port forward from passive FTP clients on the outside to a passive FTP server on the inside you need to:
                                >
                                > 1. Port forward port 21 inbound on WAN to the FTP server
                                > 2. Port forward the configured passive ports on the server just like port 21
                                > 3. Be sure the FTP server is giving the WAN address, not its inside address, to the clients to connect to for the passive transfer session. This can sometimes be done on-the-fly by an application layer gateway (ALG) on a firewall. Such an ALG does not exist in the pfSense firewall so you must configure the FTP server correctly.

                                Dear Mr. Derelict,

                                They are on WAN because the devices are dataloggers all over the country. They are industrial things supporting the FTP protocol. (They send CSV logs.)

                                I followed your directions and everything is OK with FTP. Now what rules do I need so LAN2 can communicate via Windows share with the LAN1 FTP server? [from 192.168.6.100 (LAN2) to 192.168.4.100 (LAN1)]

                                The LANs are 2 interfaces on the same box, not VLANs.

                                Thank you.

                                • Rico LAYER 8 Rebel Alliance

                                  For SMB access you only need to allow port 445.

                                  -Rico
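Where the port 445 rule sits and what it leaves closed, as an added example that is not part of the thread: a small model of pfSense rule evaluation (rules apply on the interface a connection enters, first match wins, default deny, replies pass via state). The rule sets and the host 192.168.6.50 are constructed assumptions; the two server addresses come from the thread.

```python
import ipaddress

# Constructed rule sets for the thread's layout. Each rule is
# (action, proto, source, destination, destination port or None for any).
RULES = {
    "LAN2": [
        ("pass", "tcp", "192.168.6.100/32", "192.168.4.100/32", 445),  # SMB pull only
        ("block", "any", "192.168.6.0/24", "192.168.4.0/24", None),    # nothing else to LAN1
        ("pass", "any", "192.168.6.0/24", "0.0.0.0/0", None),
    ],
    "LAN1": [
        # The internet-exposed FTP network never initiates towards LAN2.
        ("block", "any", "192.168.4.0/24", "192.168.6.0/24", None),
        ("pass", "any", "192.168.4.0/24", "0.0.0.0/0", None),
    ],
}

def evaluate(rules, iface, proto, src, dst, dport):
    """Return 'pass' or 'block' for a NEW connection arriving on iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules.get(iface, []):
        if r_proto not in ("any", proto):
            continue
        if s not in ipaddress.ip_network(r_src) or d not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action          # first match wins
    return "block"             # implicit default deny

def audit(rules):
    """Verdicts for the flows that matter in this design."""
    app, ftp = "192.168.6.100", "192.168.4.100"
    return {
        "app server -> FTP host tcp/445": evaluate(rules, "LAN2", "tcp", app, ftp, 445),
        "app server -> FTP host tcp/3389": evaluate(rules, "LAN2", "tcp", app, ftp, 3389),
        "other LAN2 host -> FTP host tcp/445": evaluate(rules, "LAN2", "tcp", "192.168.6.50", ftp, 445),
        "FTP host -> app server tcp/445": evaluate(rules, "LAN1", "tcp", ftp, app, 445),
    }

if __name__ == "__main__":
    for flow, verdict in audit(RULES).items():
        print("%-38s %s" % (flow, verdict))
```

Only the first flow passes: the app server pulls files over SMB, while a compromise of the internet-facing FTP host gives it no rule with which to open connections into LAN2.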

                                  • Bambos

                                    Thanks everyone guys.

                                    I have managed that. @Rico I also did an inbound rule in the Windows firewall to work on 445.


                                    Even if I am in the 85 LAN, I can access files in the 42 LAN. This is great stuff. It is very exciting for a newbie like me.

                                    Please close the thread.
