    Error FTP Server IIS 7 NAT ?

      nc13160

      Hi,

      I am French, please excuse my language.

      On my LAN in 192.168.1.0, I configured an IIS 7 FTP server with Windows 2008 R2 because I need Active Directory user accounts.

      My FTP server is at 192.168.1.40 and my public IP is 36.58.63.200.

      My problem is that I can't connect from the Internet (on the LAN it's OK).
      I have written out my error and my pfSense config below.

      Can you help me please :) ?

      The connecting computer gets stuck here (with FileZilla, for example):

      "
      Statut :   Connexion à 36.58.63.200:21…
      Statut :   Connexion établie, attente du message d'accueil...
      Réponse :   220 Microsoft FTP Service
      Commande :   USER pierre.durand
      Réponse :   331 Password required for pierre.durand.
      Commande :   PASS *********
      Réponse :   230 User logged in.
      Commande :   SYST
      Réponse :   215 Windows_NT
      Commande :   FEAT
      Réponse :   211-Extended features supported:
      Réponse :    LANG EN*
      Réponse :    UTF8
      Réponse :    AUTH TLS;TLS-C;SSL;TLS-P;
      Réponse :    PBSZ
      Réponse :    PROT C;P;
      Réponse :    CCC
      Réponse :    HOST
      Réponse :    SIZE
      Réponse :    MDTM
      Réponse :    REST STREAM
      Réponse :   211 END
      Commande :   OPTS UTF8 ON
      Réponse :   200 OPTS UTF8 command successful - UTF8 encoding now ON.
      Statut :   Connecté
      Statut :   Récupération du contenu du dossier...
      Commande :   PWD
      Réponse :   257 "/" is current directory.
      Commande :   TYPE I
      Réponse :   200 Type set to I.
      Commande :   PASV
      Réponse :   227 Entering Passive Mode (36,58,63,200,199,117)
      Commande :   LIST
      Réponse :   150 Opening BINARY mode data connection.
      Erreur :   Délai d'attente expiré
      Erreur :   Impossible de récupérer le contenu du dossier
      "
      -------------------------------------> Here is my pfSense 2 config:  <--------------------

      --------------------------> Firewall > Virtual IPs > Edit <-------------------


      Virtual IP Address|Type|Description

      36.58.63.200/32  |PARP|IPWAN200

      Type         "Proxy ARP"

      Interface      "WAN"

      IP Address      Type   Single Address
      ----------      Address   36.58.63.200/32
      VirtualIP Password   (BLANK)
      VHID         1
      Advertising Frequency

      Description      IPWAN200

      ---------------------> Firewall > Aliases <---------------

      List of objects:
      -> HTTP_HTTPS = 80,443
      -> Serveurs_Control = some IPs, including 192.168.1.40
      -> PortsServeursAD = 80,443,53,25,389

      ------------------------> Firewall > NAT <-------------------


      |IF |PROTO  |Src.Addr|Src.Ports|Dest.Addr   |Dest.Ports|NAT IP      |NAT Ports|Descript. |

      |WAN|TCP/UDP|*       |*        |36.58.63.200|21 (FTP)  |192.168.1.40|21 (FTP) |ServeurFTP|

      IN DETAIL

      Disabled      (BLANK)   Disable this rule

      No RDR (NOT)      (BLANK)   Enabling this option will disable redirection for traffic matching this rule.

      Interface            "WAN"      Choose which interface this rule applies to.

      Protocol          "TCP/UDP"   Choose which IP protocol this rule should match.

      Source               Advanced   (nothing set) Show source address and port range

      Destination           (BLANK)    not
      -----------      Type      Public ip address  36.58.63.200    
              Address      x / x (nothing set)

      Destination port range   from   "FTP"
      ----------------------   to   "FTP"    
      Redirect target IP   "192.168.1.40"

      Redirect target port   "FTP"

      Description       ServerFTP

      No XMLRPC Sync      (BLANK)

      NAT reflection      "ENABLE"

      Filter rule association   "PASS"

      -----------> Firewall > Rules > LAN <-------------------


      |ID|PROTO  |Source       |Port   |Destination|Ports      |Gateway |Queue|Schedule|Descript°


      Green|  |*          |*                    |*    |LAN Address|80,443        |*       |none |        |Anti-Lockout Rule

      Green|  |TCP/UDP|Servers_Control|*    |*               |PortsServAD|*       |none |        |

      Red  |  |*        |*                     |*    |*               |*               |*       |none |        |Block All

      Thank you very much
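
Added example, not part of the original post: the 227 reply in the log above tells the client which address and port to open for the data connection (RFC 959: port = p1*256 + p2). This sketch decodes it and compares it with a set of forwarded ports; `FORWARDED_PORTS` is an assumption taken from the single NAT rule shown in the post, and the second sample reply is constructed.

```python
import ipaddress
import re

# Reply to PASV, copied from the FileZilla log in the post above.
PASV_REPLY = "227 Entering Passive Mode (36,58,63,200,199,117)"
# Constructed sample: a server advertising its internal address instead.
PASV_REPLY_INTERNAL = "227 Entering Passive Mode (192,168,1,40,199,117)"
# Assumption: the only static WAN forward is the port 21 rule in the post.
FORWARDED_PORTS = {21}

_PASV_RE = re.compile(
    r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 passive-mode reply."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]


def check_data_channel(reply, control_ip, forwarded_ports):
    """Compare the advertised data endpoint with what the client can reach."""
    ip, port = parse_pasv(reply)
    findings = []
    if ip.is_private:
        findings.append("advertised address %s is private (RFC 1918)" % ip)
    elif str(ip) != control_ip:
        findings.append("advertised address %s differs from control address %s"
                        % (ip, control_ip))
    if port not in forwarded_ports:
        findings.append("data port %d is not among the statically forwarded "
                        "ports %s" % (port, sorted(forwarded_ports)))
    return {"ip": str(ip), "port": port, "findings": findings}


if __name__ == "__main__":
    for sample in (PASV_REPLY, PASV_REPLY_INTERNAL):
        result = check_data_channel(sample, "36.58.63.200", FORWARDED_PORTS)
        print(result["ip"], result["port"])
        for finding in result["findings"]:
            print("  -", finding)
```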

        johnpoz LAYER 8 Global Moderator

        So I just tried ftp to that IP you posted 36.58.xxx.xxx, and it does not allow even control (21) ftp, nor does it answer pings even.

        Where were you connecting from when attempting to access it?  Are you trying to do NAT reflection to access that public IP?  I.e., from a box internal to your network hitting the public IP?

        FTP should work just fine out of the box - all you should have to do is forward 21 to your FTP server IP.  The firewall rule should be created auto, and you're good to go.

        Since I can not hit your 21, either you put up a bogus IP for privacy reasons?  Or you got something in front of it blocking?  Or you removed the rules to allow it?  Why are you setting up proxy arp?

        Might be easier if you posted screenshots of your settings vs just the text.  Are you setting up virtual IP because you have a range of them on the wan interface of pfsense?

          nc13160

          Normal, I posted a wrong IP address for better security :)

          OK, I will post screenshots if that is easier :)
