Error FTP Server IIS 7 NAT ?

nc13160

Hi,

I'am french and excuse me for my language

On my lanin 192.168.1.0, I configured a iis 7 ftp server with windows 2008r2 because I need activedirectory's accounts users

my ftp server is in 192.168.1.40 and my ip public is 36.58.63.200

my problem is can't connection since internet (In lan it's OK).
I wrote my error and my config pfsense.

can you help me please :) ?

connection's computer block here (with Filezilla in example) :

"
Statut :   Connexion à 36.58.63.200:21…
Statut :   Connexion établie, attente du message d'accueil...
Réponse :   220 Microsoft FTP Service
Commande :   USER pierre.durand
Réponse :   331 Password required for pierre.durand.
Commande :   PASS *********
Réponse :   230 User logged in.
Commande :   SYST
Réponse :   215 Windows_NT
Commande :   FEAT
Réponse :   211-Extended features supported:
Réponse :    LANG EN*
Réponse :    UTF8
Réponse :    AUTH TLS;TLS-C;SSL;TLS-P;
Réponse :    PBSZ
Réponse :    PROT C;P;
Réponse :    CCC
Réponse :    HOST
Réponse :    SIZE
Réponse :    MDTM
Réponse :    REST STREAM
Réponse :   211 END
Commande :   OPTS UTF8 ON
Réponse :   200 OPTS UTF8 command successful - UTF8 encoding now ON.
Statut :   Connecté
Statut :   Récupération du contenu du dossier...
Commande :   PWD
Réponse :   257 "/" is current directory.
Commande :   TYPE I
Réponse :   200 Type set to I.
Commande :   PASV
Réponse :   227 Entering Passive Mode (36,58,63,200,199,117)
Commande :   LIST
Réponse :   150 Opening BINARY mode data connection.
Erreur :   Délai d'attente expiré
Erreur :   Impossible de récupérer le contenu du dossier
"
-------------------------------------> Here my config PfSense 2:  <--------------------

--------------------------> Firewall > Virtuals IP > Edit <-------------------

---

Virtual IP Address|Type|Description

36.58.63.200/32  |PARP|IPWAN200

Type         "Proxy ARP"

Interface      "WAN"

IP Address      Type   Single Address
----------      Address   36.58.63.200/32
VirtualIP Password   (BLANK)
VHID         1
Advertising Frequency

Description      IPWAN200

---------------------> Firewall > Aliases <---------------

Liste des Objets :
-> HTTP_HTTPS = 80,443
-> Serveurs_Control = some IP with 192.168.1.40
-> PortsServeursAD = 80,443,53,25,389

------------------------> Firewall > NAT <-------------------

---

|IF    |PROTO  |Src.Addr|Srv.Ports|Dest.Addr    |Dest.Ports|NAT IP         |NAT Ports   |Descript. |

|WAN|TCP/UDP|*             |*          |36.58.63.200|21 (FTP)  |192.168.1.40|21 (FTP)    |ServeurFTP|

EN DETAILS

Disabled      (BLANK)   Disable this rule

No RDR (NOT)      (BLANK)   Enabling this option will disable redirection for traffic matching this rule.

Interface            "WAN"      Choose which interface this rule applies to.

Protocol          "TCP/UDP"   Choose which IP protocol this rule should match.

Source               Advanced   (RIEN MIS) Show source address and port range

Destination           (BLANK)    not
-----------      Type      Public ip address  36.58.63.200    
        Address      x / x (RIEN MIS)

Destination port range   from   "FTP"
----------------------   to   "FTP"    
Redirect target IP   "192.168.1.40"

Redirect target port   "FTP"

Description       ServerFTP

No XMLRPC Sync      (BLANK)

NAT reflection      "ENABLE"

Filter rule association   "PASS"

-----------> Firewall > Rules > LAN <-------------------

---

|ID|PROTO  |Source       |Port   |Destination|Ports      |Gateway |Queue|Schedule|Descript°

---

Vert |  |*          |*                    |*    |LAN Address|80,443        |*       |none |        |Anti-Lockout Rule

Vert |  |TCP/UDP|Servers_Control|*    |*               |PortsServAD|*       |none |        |

Rouge|  |*        |*                     |*    |*               |*               |*       |none |        |Block All

Thanks you very much

johnpoz

So I just tried ftp to that IP you posted 36.58.xxx.xxx, and it does not allow even control (21) ftp, nor does it answer pings even.

Where were you connecting from when attempting to access it?  Are you trying to do nat reflection to access that public IP?  Ie from a box internal to your network hitting the public IP?

ftp should work just fine out of the box - all you should have to do is forward 21 to your ftp server IP.  The firewall rule should be created auto, and your good to go.

Since I can not hit your 21, either you put up a bogus IP for privacy reasons?  Or you got something in front of it blocking?  Or you removed the rules to allow it?  Why are you setting up proxy arp?

Might be easier if you posted screenshots of your settings vs just the text.  Are you setting up virtual IP because you have a range of them on the wan interface of pfsense?

nc13160

normal , I posted a wrong ip address for best security :)

ok I post screen if easiest :)