Netgate Discussion Forum

    FTP server behind firewall: additional public IP on WAN interface + NAT or existing public IP on WAN + NAT ?

    General pfSense Questions
    8 Posts 4 Posters 974 Views
    • mauro.tridici

      Dear Users,

      It is the first time I need to create an FTP server behind my pfSense instance, and some doubts have come up.

      In your opinion, should I use the existing public IP defined on the WAN interface to present the FTP service to the internet using NAT, or is that not good practice?
      I read that you can add an additional public IP to the existing WAN interface and present the FTP service to the internet using NAT.

      Please note that we don't want to implement the FTP service in the DMZ (since it doesn't exist yet, at least in this first phase).

      Could you please give me some feedback/suggestion about this use-case?

      Many thanks in advance,
      Mauro

      • NogBadTheBad @mauro.tridici

        @mauro-tridici You'd be better off using SFTP, as it only uses port 22. pfB_SSH_PERMIT_v4 & pfB_SSH_PERMIT_v6 contain country codes to restrict access further, and h_ipv4_sftp is the non-NAT address of the server.

        (Three screenshots attached: Screenshot 2023-06-12 at 12.37.36.png, Screenshot 2023-06-12 at 12.38.08.png, Screenshot 2023-06-12 at 12.38.41.png)

        You can also block brute-force attacks if the SFTP server is running FreeBSD:

        https://www.cyberciti.biz/faq/freebsd-openbsd-pf-stop-ftp-bruteforce-attacks/

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • mauro.tridici @NogBadTheBad

          @NogBadTheBad many thanks for your reply.
          I really appreciated your suggestions.

          Anyway, my question was related to the following choice:

          • use the existing public IP assigned to the WAN interface or assign an additional public IP to the WAN interface and use it for the port forward?

          Sorry if I didn't explain my needs clearly.
          Thanks,
          Mauro

          • johnpoz LAYER 8 Global Moderator @mauro.tridici

            @mauro-tridici What does it matter? I'm not sure why it would make any difference. Are these IPs going to be on the same connection? If they were on different connections, then it might be worth putting traffic A on connection A and traffic B on B to spread load across your connections.

            But if they are on the same connection, what IP is used doesn't really matter, other than for your state tables. If you have so many sessions going to or from IP A, then using another IP for other traffic would give you more states to work with. But this would really only matter if you were running into an issue with state exhaustion, or if this new traffic might cause you issues with states.

            I would agree with SFTP vs FTP as well. FTP should have died off 10 or so years ago; that it is still used blows my mind.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            • NogBadTheBad @johnpoz

              @johnpoz Stupidly when my connection changed to ADSL I didn't take up my ISP offer for free extra public IP addresses, wish I'd have done it now 😖

              Andy


              • johnpoz LAYER 8 Global Moderator @NogBadTheBad

                @NogBadTheBad said in FTP server behind firewall: additional public IP on WAN interface + NAT or existing public IP on WAN + NAT ?:

                free extra public IP addresses

                If your ISP is going to give you more IPs, then yeah, for sure I would take them, even if you currently have no use for them ;) Having more than one public IP can make it easier to run the same service on different devices: www.domainx.tld goes to IP A and is sent to 192.168.1.100.

                www.domainy.tld goes to IP B and gets sent to 192.168.1.101, for example.

                This removes the need to use, say, a reverse proxy to accomplish that, or to use different ports, etc.

                But unless the OP wants to do something like that for multiple FTP servers, what public IP is used wouldn't really matter, unless it could be used for a different connection and load distribution of traffic, or there is a problem with state utilization.


                • stephenw10 Netgate Administrator

                  Yup, it really makes no difference what public IP you use here. I would probably use a different one if you have unused IPs though.

                  But be aware of the issues running FTP behind NAT. You will need to be sure the server is configured correctly for it.

                  https://docs.netgate.com/pfsense/en/latest/recipes/ftp-without-proxy.html

                  Steve

                  • mauro.tridici @stephenw10
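As an added illustration of the FTP-behind-NAT issue the reply above points to (this is example code written for this page, not code from the thread or from the Netgate recipe), here is a checker for the part that usually breaks: in passive mode the server tells the client which address and port to open for the data channel (the 227 reply), so a server that still advertises its LAN address, or a port outside the range the firewall forwards, fails on directory listings and transfers even though the control connection on port 21 works fine. The script parses 227 (PASV) and 229 (EPSV) replies and flags those two misconfigurations against an assumed public IP and an assumed forwarded port range; the sample replies are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed values for this example (not from the thread): the public IP the
# port forward lives on, and the passive data-port range the firewall forwards
# to the server (the server's pasv_address / pasv_min_port / pasv_max_port style
# settings must agree with these).
PUBLIC_IP = "203.0.113.10"
PASV_RANGE = (50000, 50100)

# Addresses that can never be reached from an internet client. An explicit list
# is used rather than ipaddress.is_private because the latter also covers the
# RFC 5737 documentation ranges used for the sample public IP here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)."
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


@dataclass
class DataEndpoint:
    host: Optional[str]  # None for EPSV: the client reuses the control-connection address
    port: int


def parse_pasv_reply(line: str) -> DataEndpoint:
    """Extract the data-channel endpoint a client would connect to."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            raise ValueError(f"octet out of range in PASV reply: {line!r}")
        return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in EPSV reply: {line!r}")
        return DataEndpoint(None, port)
    raise ValueError(f"not a passive-mode reply: {line!r}")


def check_data_endpoint(ep: DataEndpoint, public_ip: str = PUBLIC_IP,
                        pasv_range=PASV_RANGE) -> List[str]:
    """Return the problems an internet client would hit connecting to this endpoint."""
    problems = []
    if ep.host is not None and ep.host != public_ip:
        addr = ipaddress.ip_address(ep.host)
        if any(addr in net for net in NON_ROUTABLE):
            problems.append(f"advertised address {ep.host} is the server's LAN address; "
                            f"configure it to advertise {public_ip}")
        else:
            problems.append(f"advertised address {ep.host} is not the forwarded public IP {public_ip}")
    lo, hi = pasv_range
    if not lo <= ep.port <= hi:
        problems.append(f"data port {ep.port} is outside the forwarded passive range {lo}-{hi}")
    return problems


# Constructed sample replies, as an internet client would receive them.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,100,195,80).",  # LAN address leaked, port 50000
    "227 Entering Passive Mode (203,0,113,10,195,80).",   # correct: public IP, port 50000
    "227 Entering Passive Mode (203,0,113,10,4,1).",      # port 1025, outside forwarded range
    "229 Entering Extended Passive Mode (|||50050|).",     # EPSV carries only the port; fine
]


def audit(replies=SAMPLE_REPLIES) -> dict:
    """Map each reply to the list of problems found (empty list means OK)."""
    return {r: check_data_endpoint(parse_pasv_reply(r)) for r in replies}


if __name__ == "__main__":
    for reply, problems in audit().items():
        print(reply, "->", "OK" if not problems else "; ".join(problems))
```

The EPSV case is why forcing extended passive mode on the client side often "fixes" FTP behind NAT without touching the firewall: the 229 reply carries no address, so the private address the server would otherwise leak never reaches the client. The port-range check still applies, since the data port must be forwarded either way.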

                    @stephenw10 thank you for your reply and for the link you provided.

                    Thank you to all of you, guys, for sharing with me your experience.

                    Mauro

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.