Netgate Discussion Forum

    Port Forward in LAN / access from another LAN

    Category: NAT
    10 Posts 3 Posters 1.1k Views
      Bambos

      Hello everyone,

      Target & Issue.

      Accessing the FTP server on DMZ LAN 18 from the App server on another LAN 8 does not work with the settings below, while clients coming from different public IPs can. Diagram below.

      Status


      Pure NAT and NAT Reflection enabled. Added the WAN IP to the FTP_Allow alias for port 21. Also tried to add an allow rule alone, without success. Any comments or suggestions are appreciated.

        viragomann @Bambos

        @bambos said in Port Forward in LAN / access from another LAN:

        Added the WAN IP to the FTP_Allow alias for port 21.

        Why the WAN IP? The source IP is the App server's.

          johnpoz LAYER 8 Global Moderator @viragomann

          Yeah, the WAN IP doesn't belong there at all.

          Why would your app server not just hit 192.168.18.2 directly, or via an FQDN that points to 192.168.18.2 (host override) if you want to use some public FQDN? Why would you want to bounce it off your NAT reflection? All that is going to do is slow down the connection.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            Bambos @viragomann

            @viragomann when the app server makes an FTP connection to publicIP:21, doesn't this make the NAT translation go out to the internet?
            So I thought that going to the internet and coming back from the internet, the IP is the public IP of the WAN. At least when the clients FTP STOR files, I see their public IP.

              viragomann @Bambos

              @bambos said in Port Forward in LAN / access from another LAN:

              when the app server makes an FTP connection to publicIP:21, doesn't this make the NAT translation go out to the internet?

              No, nothing reaches the WAN interface at all.

              NAT reflection virtually reproduces the NAT rule you've added on WAN on the other interfaces. So it behaves as if you had the same NAT rule on LAN as well.
              So if you add a firewall rule for that, you need to allow the App server to access the FTP.

                Bambos @viragomann

                @viragomann OK Sir, now I get it (I think).
                All my configuration has the exposed FTP network isolated because of the unsecured port 21 operation there. I guess that's why the App server cannot go to the FTP LAN, and the same goes for the FTP LAN.

                So should I add a rule on the FTP LAN to allow the app server as source?
                Also add a rule on LAN 8 to allow the FTP LAN as destination?

                How does this seem to you? Or maybe you suggest something else?

                  viragomann @Bambos

                  @bambos
                  To allow the app server to access the FTP you only need a rule on LAN 8 for source 192.168.8.20 and destination 192.168.18.2.

                    johnpoz LAYER 8 Global Moderator @Bambos

                    @bambos said in Port Forward in LAN / access from another LAN:

                    So should I add a rule on the FTP LAN to allow the app server as source?
                    Also add a rule on LAN 8 to allow the FTP LAN as destination?

                    Depends: what are you going to do, active or passive? Which depends on whether the server makes the data connection or the client makes the data connection.

                      Bambos @johnpoz

                      @johnpoz I use 21 + passive ports; I have noticed more performance and faster transfers on the small files (much faster actually). I have those ports in an alias. As Viragomann stated, I think I will go with the inside routing way.

                        johnpoz LAYER 8 Global Moderator @Bambos

                        Well, in passive the client makes the connection to the server. So you would not need any rules on the interface the server is on to allow the creation of the data port.

                        As to faster speed, be it active or passive, that makes no difference. It's just who opens the connection.

                        Normally no firewall rules are needed on the client side for passive, since quite often the client side outbound rule is any, which is the default of pfSense. If you are limiting the destination ports a device can create outbound, then yes, you would need a rule on the client's interface to allow whatever ports your server is going to offer up for the passive data connection.

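As an added illustration of the two points made in this thread (the pass rule belongs on the interface the traffic enters, LAN 8, and for passive FTP the client-side rule has to cover the passive data ports as well as port 21), here is a small Python model of pf-style stateful rule evaluation. It is not pfSense code and was not posted in the thread; the addresses are the thread's, while the passive port range and the three rule sets are assumptions.

```python
from dataclasses import dataclass

APP_SERVER, FTP_SERVER = "192.168.8.20", "192.168.18.2"   # from the thread
PASSIVE = range(50000, 50051)            # constructed passive range (assumption)
FTP_ALLOW = frozenset({21} | set(PASSIVE))   # alias: control port + passive data

@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet enters pfSense on
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:        # a pass rule; pfSense blocks whatever no rule passes
    iface: str
    src: str       # "any" or one address
    dst: str
    dports: frozenset  # empty = any destination port

    def matches(self, p):
        return (p.iface == self.iface and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (not self.dports or p.dport in self.dports))

class Firewall:
    """pf semantics, simplified: rules are checked on the interface a packet
    arrives on, a pass creates a state, and reply packets ride that state."""
    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def accept(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.states:  # reply to a state
            return True
        if any(r.matches(p) for r in self.rules):
            self.states.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

def passive_ftp(fw, data_port=50010):
    """Control connection, the server's reply, then the client-opened passive
    data connection; returns which of the three pfSense would pass."""
    ctrl = fw.accept(Packet("LAN8", APP_SERVER, 40001, FTP_SERVER, 21))
    reply = fw.accept(Packet("LAN18", FTP_SERVER, 21, APP_SERVER, 40001))
    data = fw.accept(Packet("LAN8", APP_SERVER, 40002, FTP_SERVER, data_port))
    return ctrl, reply, data

# rule placed on the FTP LAN: the traffic never enters there, nothing passes
on_ftp_lan = Firewall([Rule("LAN18", APP_SERVER, FTP_SERVER, FTP_ALLOW)])
# rule on LAN 8 for port 21 only: control works, passive data is blocked
ctrl_only = Firewall([Rule("LAN8", APP_SERVER, FTP_SERVER, frozenset({21}))])
# rule on LAN 8 with the whole alias: control, reply and data all pass
full = Firewall([Rule("LAN8", APP_SERVER, FTP_SERVER, FTP_ALLOW)])
```

Each `Firewall` instance should be exercised once, since `passive_ftp` leaves state behind, exactly as a real session would.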
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.