Netgate Discussion Forum

    ipsec rules not working

    IPsec
    zaber01

      Hello, I have one concern. Actually I created the IPsec VPN between two pfSense firewalls and everything is working fine. One local network is 192.168.2.0/24 behind firewall A and the other is 192.168.1.0/24 behind firewall B. They are accessible to each other and working well.
      Now the problem is that I have to allow only FTP access in my IPsec tunnel, so that the PC behind firewall A can only use FTP on the PC behind firewall B.
      Whenever I am setting the rules under the IPsec tab like:

      Protocol- TCP
      Source-192.168.1.2/24 (PC of firewall A)
      Destination - 192.168.2.2/24 (PC of firewall B)
      D.Port-21

      then the issue appears and I am not able to make the FTP connection. I tried every possible variation but the rule only works if I set everything to any.
      Note: this rule is created at firewall B only, where I want to access FTP.
      I only want to allow the FTP service in my IPsec tunnel.
      Can anyone help me please?

        stephenw10 Netgate Administrator

        What sort of FTP is it?

        You probably need to pass the data port range the server is using as well as port 21.

        Steve

          zaber01 @stephenw10

          @stephenw10 I am using vsftpd on an Ubuntu system. And according to my knowledge the data port used by FTP is 20, and for the connection it uses 21.
          So you mean I have to allow only port numbers 20 and 21 for FTP only?

            zaber01 @zaber01

            @zaber01 I allowed both ports and am able to connect to FTP but not able to transfer the file to the target machine.

              stephenw10 Netgate Administrator @zaber01

              Nope, in addition to port 21 you need to pass the passive port range, for example 10000-20000, but that could be anything depending on how you've configured it.
              Also vsftpd seems to use FTPS so it needs port 990 also for the encryption.

              See: https://www.howtoforge.com/tutorial/ubuntu-vsftpd/

              You should be able to see that traffic blocked in the firewall log though when you try to connect and it fails.

              Steve

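The two answers above come down to one point: a rule that passes only port 21 (or 21 and 20) breaks FTP because the file transfer runs over a second TCP connection whose port the server announces in its PASV reply. The script below is an added example for this thread, not code from pfSense, vsftpd or either poster. It reads the passive range and TLS mode from a constructed vsftpd.conf excerpt (assumed values, not the poster's real file), decodes a constructed PASV reply to show where the data connection actually goes, checks whether a given port list covers it, and renders the equivalent pf rules for enc0, the interface the IPsec tab rules apply to. Two caveats it encodes: vsftpd's default pasv_min_port/pasv_max_port of 0 means any free port, which no tight rule can cover, so pin a range; and only implicit FTPS moves the control channel to 990, explicit FTPS (AUTH TLS) stays on 21. The rendered rules use single host addresses; writing 192.168.1.2/24 as in the first post matches all of 192.168.1.0/24, not one PC.

```python
"""Which TCP ports must an IPsec-tab rule pass for a vsftpd server?

Added example for this thread, not code from pfSense or vsftpd.
Addresses are the ones from the thread; the config is assumed.
"""
import re

# Constructed vsftpd.conf excerpt (assumption, not the poster's actual file).
VSFTPD_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=20000
ssl_enable=YES
implicit_ssl=NO
"""

# Constructed PASV reply for data port 10000 (39*256 + 16), not a capture.
PASV_REPLY = "227 Entering Passive Mode (192,168,2,2,39,16).\r\n"


def parse_vsftpd_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def _yes(opts, key, default="NO"):
    return opts.get(key, default).upper() == "YES"


def required_tcp_ranges(opts):
    """Inbound server TCP ranges the rule must pass, as (low, high) tuples.

    Control channel: listen_port if set, else 990 for implicit FTPS (the
    IANA ftps port), else 21; explicit FTPS (AUTH TLS) stays on 21.
    Passive data: pasv_min_port..pasv_max_port; vsftpd's default of 0
    means any free port, which a tight rule cannot cover, so refuse it.
    Active mode (server connects out from port 20) needs no inbound
    server port and is not listed.
    """
    if "listen_port" in opts:
        control = int(opts["listen_port"])
    elif _yes(opts, "ssl_enable") and _yes(opts, "implicit_ssl"):
        control = 990
    else:
        control = 21
    ranges = [(control, control)]
    if _yes(opts, "pasv_enable", default="YES"):
        lo = int(opts.get("pasv_min_port", "0"))
        hi = int(opts.get("pasv_max_port", "0"))
        if lo == 0 or hi == 0:
            raise ValueError("pasv_min_port/pasv_max_port unset: passive "
                             "data port is unpredictable, pin a range")
        if lo > hi:
            raise ValueError("pasv_min_port exceeds pasv_max_port")
        ranges.append((lo, hi))
    return ranges


_PASV = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_data_endpoint(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port)."""
    m = _PASV.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_covered(port, ranges):
    """True if some (low, high) range in the rule set passes this port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def pf_rules(src, dst, ranges, iface="enc0"):
    """Render equivalent pf rules for the IPsec interface (illustration;
    the pfSense GUI writes its own ruleset)."""
    lines = []
    for lo, hi in ranges:
        port = str(lo) if lo == hi else "%d:%d" % (lo, hi)
        lines.append("pass in quick on %s inet proto tcp from %s to %s port %s"
                     % (iface, src, dst, port))
    return lines


if __name__ == "__main__":
    opts = parse_vsftpd_conf(VSFTPD_CONF)
    ranges = required_tcp_ranges(opts)
    host, port = pasv_data_endpoint(PASV_REPLY)
    print("rule must pass:", ranges)
    print("PASV sends the data connection to %s:%d" % (host, port))
    print("covered by a 21-and-20-only rule:", port_covered(port, [(21, 21), (20, 20)]))
    print("covered by the derived rule:", port_covered(port, ranges))
    for r in pf_rules("192.168.1.2", "192.168.2.2", ranges):
        print(r)
```

Run it as-is to see the thread's failure reproduced: the 21-and-20-only rule does not cover port 10000, the derived rule does. Swap `implicit_ssl=YES` into the config to see the control port move to 990, or drop the pasv_min_port/pasv_max_port lines to see why an unpinned range cannot be expressed as a firewall rule at all.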
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.