Error FTP Server IIS 7 NAT ?



  • Hi,

    I'am french and excuse me for my language

    On my lanin 192.168.1.0, I configured a iis 7 ftp server with windows 2008r2 because I need activedirectory's accounts users

    my ftp server is in 192.168.1.40 and my ip public is 36.58.63.200

    my problem is can't connection since internet (In lan it's OK).
    I wrote my error and my config pfsense.

    can you help me please :) ?

    connection's computer block here (with Filezilla in example) :

    "
    Statut :   Connexion à 36.58.63.200:21…
    Statut :   Connexion établie, attente du message d'accueil...
    Réponse :   220 Microsoft FTP Service
    Commande :   USER pierre.durand
    Réponse :   331 Password required for pierre.durand.
    Commande :   PASS *********
    Réponse :   230 User logged in.
    Commande :   SYST
    Réponse :   215 Windows_NT
    Commande :   FEAT
    Réponse :   211-Extended features supported:
    Réponse :    LANG EN*
    Réponse :    UTF8
    Réponse :    AUTH TLS;TLS-C;SSL;TLS-P;
    Réponse :    PBSZ
    Réponse :    PROT C;P;
    Réponse :    CCC
    Réponse :    HOST
    Réponse :    SIZE
    Réponse :    MDTM
    Réponse :    REST STREAM
    Réponse :   211 END
    Commande :   OPTS UTF8 ON
    Réponse :   200 OPTS UTF8 command successful - UTF8 encoding now ON.
    Statut :   Connecté
    Statut :   Récupération du contenu du dossier...
    Commande :   PWD
    Réponse :   257 "/" is current directory.
    Commande :   TYPE I
    Réponse :   200 Type set to I.
    Commande :   PASV
    Réponse :   227 Entering Passive Mode (36,58,63,200,199,117)
    Commande :   LIST
    Réponse :   150 Opening BINARY mode data connection.
    Erreur :   Délai d'attente expiré
    Erreur :   Impossible de récupérer le contenu du dossier
    "
    -------------------------------------> Here my config PfSense 2:  <--------------------

    --------------------------> Firewall > Virtuals IP > Edit <-------------------


    Virtual IP Address|Type|Description

    36.58.63.200/32  |PARP|IPWAN200

    Type         "Proxy ARP"

    Interface      "WAN"

    IP Address      Type   Single Address
    ----------      Address   36.58.63.200/32
    VirtualIP Password   (BLANK)
    VHID         1
    Advertising Frequency

    Description      IPWAN200

    ---------------------> Firewall > Aliases <---------------

    Liste des Objets :
    -> HTTP_HTTPS = 80,443
    -> Serveurs_Control = some IP with 192.168.1.40
    -> PortsServeursAD = 80,443,53,25,389

    ------------------------> Firewall > NAT <-------------------


    |IF    |PROTO  |Src.Addr|Srv.Ports|Dest.Addr    |Dest.Ports|NAT IP         |NAT Ports   |Descript. |

    |WAN|TCP/UDP|*             |*          |36.58.63.200|21 (FTP)  |192.168.1.40|21 (FTP)    |ServeurFTP|

    EN DETAILS

    Disabled      (BLANK)   Disable this rule

    No RDR (NOT)      (BLANK)   Enabling this option will disable redirection for traffic matching this rule.

    Interface            "WAN"      Choose which interface this rule applies to.

    Protocol          "TCP/UDP"   Choose which IP protocol this rule should match.

    Source               Advanced   (RIEN MIS) Show source address and port range

    Destination           (BLANK)    not
    -----------      Type      Public ip address  36.58.63.200    
            Address      x / x (RIEN MIS)

    Destination port range   from   "FTP"
    ----------------------   to   "FTP"    
    Redirect target IP   "192.168.1.40"

    Redirect target port   "FTP"

    Description       ServerFTP

    No XMLRPC Sync      (BLANK)

    NAT reflection      "ENABLE"

    Filter rule association   "PASS"

    -----------> Firewall > Rules > LAN <-------------------


    |ID|PROTO  |Source       |Port   |Destination|Ports      |Gateway |Queue|Schedule|Descript°


    Vert |  |*          |*                    |*    |LAN Address|80,443        |*       |none |        |Anti-Lockout Rule

    Vert |  |TCP/UDP|Servers_Control|*    |*               |PortsServAD|*       |none |        |

    Rouge|  |*        |*                     |*    |*               |*               |*       |none |        |Block All

    Thanks you very much


  • LAYER 8 Global Moderator

    So I just tried ftp to that IP you posted 36.58.xxx.xxx, and it does not allow even control (21) ftp, nor does it answer pings even.

    Where were you connecting from when attempting to access it?  Are you trying to do nat reflection to access that public IP?  Ie from a box internal to your network hitting the public IP?

    ftp should work just fine out of the box - all you should have to do is forward 21 to your ftp server IP.  The firewall rule should be created auto, and your good to go.

    Since I can not hit your 21, either you put up a bogus IP for privacy reasons?  Or you got something in front of it blocking?  Or you removed the rules to allow it?  Why are you setting up proxy arp?

    Might be easier if you posted screenshots of your settings vs just the text.  Are you setting up virtual IP because you have a range of them on the wan interface of pfsense?



  • normal , I posted a wrong ip address for best security :)

    ok I post screen if easiest :)


Log in to reply