Port forwarding, two different IPs



  • Hi all,

    We have several IP addresses, 5 usable I believe. 
    I have one IP set up with port forwarding, port 21, to our ftp server. Works great.
    I'd like to set up another IP with port forwarding, port 21, to a different machine.

    So I created a virtual IP using one of our available IP addresses and then forwarded it to the proper machine.
    It does not work, cannot connect to the second ftp server.

    Should I be using a virtual IP for this?  Or am I completely on the wrong track?
    If anyone knows of a document about this could you let me know?

    Thanks,



  • FTP is tricky. Are you setting up Active or Passive FTP? Is your server configured like your first and has all the same rules?
    FTP is not NAT/Firewall friendly. You will have to make modifications to the FTP config to make it work properly, like knowing the external address it is going to hand out when doing passive connections.



  • Not looked into this much but PF seems to have an ftp-proxy "module" that deals with the new port and addition of rules. Not sure how/if pfsense deals with this.

    Maybe this: http://doc.pfsense.org/index.php/FTP_Troubleshooting



  • @podilarius:

    FTP is tricky. Are you setting up Active or Passive FTP? Is your server configured like your first and has all the same rules?
    FTP is not NAT/Firewall friendly. You will have to make modifications to the FTP config to make it work properly, like knowing the external address it is going to hand out when doing passive connections.

    I'm not sure about the Active or Passive.  The first ftp server with a straight port forward is a Linux Slackware machine.

    The second ftp server which is forwarded using the Virtual IP is a MS Windows server.

    This setup works with the current IPCop firewall.  (I'm trying to replace the IPCop with pfSense)

    On IPCop I used a "Alias IP".  I thought an IPCop "Alias" was the same as a pfSense "Virtual IP".  I may be wrong about that.



  • IPCop is based on Linux and has a module called conntrack_ftp that helps active and passive FTP. There isn't something similar in pfSense. You have to do a bit more FTP server and firewall config with pfSense. Don't fret though, pfSense is a lot stronger in my opinion.
    Alias IP on IPCop and the Alias IP in pfSense work very similarly.



  • @podilarius:

    IPCop is based on Linux and has a module called conntrack_ftp that helps active and passive FTP. There isn't something similar in pfSense. You have to do a bit more FTP server and firewall config with pfSense. Don't fret though, pfSense is a lot stronger in my opinion.
    Alias IP on IPCop and the Alias IP in pfSense work very similarly.

    All right, that's what I thought. I'll do a little more investigating on this.  Is there something on pfSense I need to do to get it to work with MS Windows ftp servers?

    I'm going to see if the MS Windows server works on the straight through port forward and the linux box works with virtual IP.  If so I can run it that way.



  • Well, if you use something like FileZilla Server, then you can have it set certain ports for passive and also use the external address.  The certain ports can then be allowed through the firewall.
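    One way to verify the two settings mentioned above (external address and a fixed passive port range) before touching firewall rules is to look at what the server actually advertises in its 227 reply to PASV. The checker below is an added example, not code from this thread or from pfSense/FileZilla; the expected external address 1.2.3.122 comes from the thread, while the passive range 50000-50100 and the sample replies are constructed assumptions.

```python
import ipaddress
import re

# Matches the six numbers in "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return the (host, port) the server advertises in a 227 reply, else None."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, expected_external: str, passive_range: tuple) -> str:
    """Classify a PASV reply against what the port forward on the firewall expects.

    Returns "ok" or a comma-separated list of problems.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not-a-pasv-reply"
    host, port = parsed
    problems = []
    if ipaddress.ip_address(host).is_private:
        # Server handed out its LAN address: external clients cannot reach it.
        problems.append("private-address")
    elif host != expected_external:
        # Server advertises a different public IP than the one being forwarded.
        problems.append("wrong-external-address")
    lo, hi = passive_range
    if not lo <= port <= hi:
        # Data port is outside the range allowed through the firewall.
        problems.append("port-outside-passive-range")
    return "ok" if not problems else ",".join(problems)


# Constructed sample replies (assumed external IP 1.2.3.122, range 50000-50100).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (1,2,3,122,195,80)",    # ok: 195*256+80 = 50000
    "227 Entering Passive Mode (192,168,1,20,195,80)", # LAN address leaked
    "227 Entering Passive Mode (1,2,3,122,4,1)",       # port 1025, outside range
    "500 PASV not understood",                         # no passive support at all
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(f"{r!r:52} -> {check_pasv(r, '1.2.3.122', (50000, 50100))}")
```

Run it against a real server by replacing the sample list with the reply captured after sending PASV on the control connection; any result other than "ok" explains why the data connection fails through the port forward.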


  • Netgate Administrator

    Make sure you are using the correct Virtual IP type, you almost certainly want to use 'IP Alias'.

    Steve



  • Everyone,

    Thanks for the help.

    After much testing I have this going, it works just as it should.  However I couldn't get it to work with a particular IP.

    In summary:

    I have my main IP 1.2.3.121.  I created a virtual IP, 1.2.3.122 and tried to forward the ftp port 21 to one of our internal machines.  It didn't work.  No matter what I did.

    So finally I tried creating a virtual IP on 1.2.3.124 and forwarding that. Voila, it works.  I can't see any difference between the two virtual IPs.  I suspect somewhere deep in the setup of pfSense 1.2.3.122 is there with a rule or whatever and that's causing the problem.  Anyone know where I could look?

    Julien



  • @snoopy100:

    Anyone know where I could look?

    If I was looking to understand what was going on I would start with:
    1. What does "didn't work" really mean? It is too vague a problem description to be useful. A description along the lines of "I did ... and I saw ... but I expected to see ..." is much more informative and may even give some hints that help resolve the mystery. Additional information might immediately answer some of the following questions.
    2. Is there another system on the network using 1.2.3.122? Perhaps the upstream router? 
    3. Does an ftp access to 1.2.3.122 actually arrive on the correct pfSense interface for the port forwarding? A packet capture can help verify this.
    4. Does the port forward go to the correct system? A packet capture could help answer the question.

    That is probably enough for now.



  • If I was looking to understand what was going on I would start with:
    1. What does "didn't work" really mean? It is too vague a problem description to be useful. A description along the lines of "I did ... and I saw ... but I expected to see ..." is much more informative and may even give some hints that help resolve the mystery. Additional information might immediately answer some of the following questions.
    2. Is there another system on the network using 1.2.3.122? Perhaps the upstream router? 
    3. Does an ftp access to 1.2.3.122 actually arrive on the correct pfSense interface for the port forwarding? A packet capture can help verify this.
    4. Does the port forward go to the correct system? A packet capture could help answer the question.

    Wally Bob,

    Thanks for the help...

    To test this I used an on-line ftp tester, ftptest.net, which is really helpful.  I put in my external IPs, it either connected successfully or it didn't.  That's what I mean by "didn't work".

    I decided to wipe out my pfSense machine and reinstall from scratch.  So many changes have been made with all the testing and moving it in and out of production, etc., so I thought it might be best to start with a clean install.

    I just completed the reinstall.  First thing I tried was ftp coming in to two different IPs.  Not a surprise, it works fine.

    Thanks,

    Julien

