Im Stuck on FTPS need help please
-
Hi,
I have a client who is using a specialiazed program that uses FTPS to send/receive its edi information. Basically they told me to to allow ports 21,22 and the range 4000-5000 to the server that is hosting the app. I did this and the program does not work. I have spent about 8 hours on the phone with their tech support and we have tried udp/tcp and changing the NAT rules to manual. They told me they are at the end of their abilities and claim that when the above ports are opened it always works for the other customers. I am fairly sure I have something set wrong in pfsense. The vendor says when the user clicks "send" within a few seconds it should connect to their server yet it times out every time. Does anyone have any ideas here, I am totally stuck and the customer really needs to send some transactions to get paid.
Here are my rules on the WAN Tab:
TCP/UDP * * 192.168.0.105 21 - 22 * Test 1
TCP/UDP * * 192.168.0.105 4000 - 5000 * Test 2
Then on NAT Port Forward Tab I have:
WAN TCP/UDP 21 - 22 192.168.0.105
(ext.: wanip) 21 - 22WAN TCP/UDP 4000 - 5000 192.168.0.105
(ext.: wanip) 4000 - 5000 SFTP Access For SoftwareThey have two used interfaces WAN/LAN and the router/firewall they use
is hosting the openvpns for multiple other locations. -
Here's what did and found with setting up FTP on our pfSense recently.
-
Make aliases for your ports, that way you don't have to keep entering all the info.
-
Uncheck the box for "Disable the userland FTP-Proxy application" on the WAN.
-
Remove any WAN rules for FTP/SFTP and any Port Forwards for FTP/SFTP. Apply changes before moving on.
-
Create a NAT 1:1 on the WAN with your external IP pointing to your internal IP.
-
Create a NAT port forward for the interal IP, which will also create a firewall WAN rule to allow access to the internal ports.
Make sure you use port other and then type the first letter of the alias for your FTP/SFTP ports you specified. You can change the ports on the fly using the aliases section. Which is handy to lock down or open up.
On the WAN rule you should have the ANY : ANY for source and then internal IP with alias listed for ports.Hope this helps!
-
-
FTPS is much different from FTP so the last post isn't applicable for you (it's encrypted, so the FTP helper can't do anything with the traffic).
It sounds like your config is fine, though that depends on the server. I would get a packet capture of everything to/from the server in question, WAN-side and inside, and go from there. That'll tell you if you're blocking something it's trying to use, or if it's all getting through so it's a server issue of some sort.
-
Thanks for the replies. I did find a solution. I disabled the FTP Proxy on the LAN tab. I am unsure why but everything immediately started working. I then went in and modified the rules to allow only the vendors subnet instead of the entire world. I appreciate the help.