FTP Server on Lan1 , access from Lan2 [SOLVED]



  • Hello to everyone,

    I'm setting up an FTP server based on Windows 10 IIS. Obviously I have opened port 21 to the FTP server on the Lan1 network, 192.168.4.0/24. It is mostly used for data acquisition of CSV files.

    For safety, I have Lan2 (dedicated interface - not VLAN) for the rest of the application servers I need: 192.168.5.0/24.

    What do you recommend for accessing Lan1 from Lan2, to transfer the incoming data from CSV files in Lan1 for further processing on application servers on Lan2?

    I'm not very experienced in networking but I already found something. I need your opinion.

    Possible Solutions:

    1. A second Ethernet card in all machines on Lan2, so they can also access Lan1. I don't know if this compromises security.
    2. OpenVPN access accounts for each machine in Lan2 to Lan1. I know this compromises bandwidth because of the 1 Gbit limit of each network card.
    3. Static route from specific IPs on Lan2 to Lan1? I don't know if this is possible.
    4. Is there any way to VPN the whole Lan2 to Lan1?
    5. Anything else I couldn't think of?

    Thanks for your time reading this.



  • @Bambos

    How are those LANs connected? Are they both on some common router? Do they connect only to the Internet? Etc.?



  • @JKnott Hello Sir,

    Lan 1 and Lan 2 are 2 dedicated interfaces on the same pfSense box.

    I did this because Lan1 has the port forward for the FTP server (accepting files from WAN), so I moved all the application servers and backup to Lan 2 for better safety.

    Now I'm looking at how I can access LAN1 from LAN2 to pass the files into the safe network for processing by the application servers. That's why I thought we could do static routes between them, or a permanent VPN between them, or something else.

    Thank you.



  • @Bambos

    If both networks are connected to the same pfSense box, then it's just basic routing and rules. No need for VPNs. Also, when you mention port forwarding, I hope you mean from your Internet connection. You don't need it for internal routing.



  • @JKnott OK Sir, this is clear. I will check out the routes; it is the first thing to try. Thank you.


  • LAYER 8 Netgate

    Why set up FTP? It's 2020.



  • @Derelict I know :) It's a data acquisition method from low-spec industrial dataloggers. They send logs in CSV files. It's the main protocol they support. Some of them might support XML, most of them only CSV through FTP.



  • @Bambos

    As I pointed out, you mentioned port forwarding, which usually implies NAT. If you have that, it may cause problems for FTP. Active mode FTP won't work through NAT without some assistance. Passive FTP works fine.



  • @JKnott Yes Sir, port 21 forwarding from WAN to a specific Lan1 IP for the FTP server. I'm accepting CSV files from low-spec dataloggers. Only this method is supported.
    Lan1 = 192.168.4.0/24

    Lan2 is a dedicated interface on the same pfSense box and I have all the application servers and backup there for more safety (not to be exposed to the open port of LAN1). So the two LAN networks are isolated.
    Lan2 = 192.168.6.0/24.

    I'm looking for a way to pass the files landing on the FTP server on LAN1 (192.168.4.100) to the app server on LAN2 (192.168.6.100), in order for my application servers to keep processing.

    To my understanding, with the little experience I have, the servers on LAN2 must somehow have a LAN1 IP address in order to access the files on the FTP server (Windows file share, SMB). That's why I ask for a permanent VPN between the 2 LANs, or a VPN for each server, or dual network cards on each server.

    Any thoughts? Am I missing something?

    Thanks for the replies.



  • @Bambos said in FTP Server on Lan1 , access from Lan2:

    Yes Sir, port 21 forwarding from WAN to Lan1 specific IP for the FTP Server.

    I'm not sure you understand the situation. Are you using NAT? If so, why? If that app uses active FTP, you will have problems with anything other than plain routing. In that situation, you do not want to use NAT or port forwarding.

    Any thoughts ? Am I missing something ?

    Yes, a basic understanding of how networks work. If you have 2 networks connected to the same router (pfSense) then you do not need NAT, port forwarding, VPN or anything other than plain routing. You route from one LAN to the other and back. You then set up the rules as appropriate for your needs, bearing in mind those rules may interfere with active FTP.



  • @Bambos

    Here's some info on the issue I'm referring to:

    NAT and firewall traversal



  • @JKnott I'm very sorry for the inconvenience. :) As you understand, I'm new to this heavy networking field. I'm coming from electrical engineering; my only experience was plugging in a TP-Link for home internet, but for the last 3 months I've been using pfSense doing several tests and I really enjoy it. I set it up on a bare metal Pentium 4 3 GHz, 1 GB RAM, SSD. I have also achieved high availability with success. Thanks for the help anyway, I really appreciate it.

    I will try to make things clear.

    I have checked the dataloggers that send log files to the FTP server through WAN. They support passive mode.
    I am using NAT from WAN to LAN1. The port forward is 21 (listening port) and a custom port range 21000-22000 for data channels; to my understanding this enables PASV mode. I have configured the FTP server on Windows 10 IIS the same way.

    WAN -> LAN1 192.168.4.0/24. The FTP server is 192.168.4.100; all ports are forwarded to 192.168.4.100.

    Isolated LAN2: 192.168.6.0/24. The app server that must receive the log files is 192.168.6.100.

    The two LANs are dedicated network interfaces on the same pfSense box.

    So finally, my question is how I can access the files on 192.168.4.100 from 192.168.6.100.

    Thanks a lot !


  • LAYER 8 Netgate

    Why are they on WAN not another LAN?

    If you port forward from passive FTP clients on the outside to a passive FTP server on the inside you need to:

    1. Port forward port 21 inbound on WAN to the FTP server
    2. Port forward the configured passive ports on the server just like port 21
    3. Be sure the FTP server is giving the WAN address, not its inside address, to the clients to connect to for the passive transfer session. This can sometimes be done on-the-fly by an application layer gateway (ALG) on a firewall. Such an ALG does not exist in the pfSense firewall so you must configure the FTP server correctly.


  • @Derelict said in FTP Server on Lan1 , access from Lan2:

    Why are they on WAN not another LAN?

    If you port forward from passive FTP clients on the outside to a passive FTP server on the inside you need to:

    1. Port forward port 21 inbound on WAN to the FTP server
    2. Port forward the configured passive ports on the server just like port 21
    3. Be sure the FTP server is giving the WAN address, not its inside address, to the clients to connect to for the passive transfer session. This can sometimes be done on-the-fly by an application layer gateway (ALG) on a firewall. Such an ALG does not exist in the pfSense firewall so you must configure the FTP server correctly.

    Dear Mr. Derelict,

    They are on WAN because the devices are dataloggers all over the country. They are industrial devices supporting the FTP protocol. (They send CSV logs.)

    I followed your directions and everything is OK with FTP. Now what rules do I need so LAN2 can communicate via Windows share with the LAN1 FTP server? [from 192.168.6.100 (LAN2) to 192.168.4.100 (LAN1)]

    The LANs are 2 interfaces on the same box, not VLANs.

    Thank you.


  • LAYER 8 Rebel Alliance

    For SMB access you only need to allow port 445.

    -Rico



  • Thanks everyone, guys.

    I have managed that. @Rico I also did an inbound rule in Windows Firewall to work on 445.


    Even if I am in 85 LAN, I can access files in 42 LAN. This is great stuff. It is very exciting for a newbie like me.

    Please close the thread.

