Error FTP Server IIS 7 NAT ?
-
Hi,
I am French, so please excuse my language.
On my LAN in 192.168.1.0, I configured an IIS 7 FTP server with Windows 2008 R2 because I need Active Directory user accounts.
My FTP server is at 192.168.1.40 and my public IP is 36.58.63.200.
My problem is that I can't connect from the Internet (on the LAN it's OK).
I wrote down my error and my pfSense config. Can you help me please :) ?
The connecting computer blocks here (with FileZilla, for example):
"
Statut : Connexion à 36.58.63.200:21…
Statut : Connexion établie, attente du message d'accueil...
Réponse : 220 Microsoft FTP Service
Commande : USER pierre.durand
Réponse : 331 Password required for pierre.durand.
Commande : PASS *********
Réponse : 230 User logged in.
Commande : SYST
Réponse : 215 Windows_NT
Commande : FEAT
Réponse : 211-Extended features supported:
Réponse : LANG EN*
Réponse : UTF8
Réponse : AUTH TLS;TLS-C;SSL;TLS-P;
Réponse : PBSZ
Réponse : PROT C;P;
Réponse : CCC
Réponse : HOST
Réponse : SIZE
Réponse : MDTM
Réponse : REST STREAM
Réponse : 211 END
Commande : OPTS UTF8 ON
Réponse : 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Statut : Connecté
Statut : Récupération du contenu du dossier...
Commande : PWD
Réponse : 257 "/" is current directory.
Commande : TYPE I
Réponse : 200 Type set to I.
Commande : PASV
Réponse : 227 Entering Passive Mode (36,58,63,200,199,117)
Commande : LIST
Réponse : 150 Opening BINARY mode data connection.
Erreur : Délai d'attente expiré
Erreur : Impossible de récupérer le contenu du dossier
"
-------------------------------------> Here is my pfSense 2 config: <-------------------
-------------------> Firewall > Virtual IPs > Edit <-------------------
Virtual IP Address|Type|Description
36.58.63.200/32 |PARP|IPWAN200
Type "Proxy ARP"
Interface "WAN"
IP Address Type Single Address
---------- Address 36.58.63.200/32
VirtualIP Password (BLANK)
VHID 1
Advertising Frequency
Description IPWAN200
---------------------> Firewall > Aliases <---------------
List of objects:
-> HTTP_HTTPS = 80,443
-> Serveurs_Control = some IP with 192.168.1.40
-> PortsServeursAD = 80,443,53,25,389
------------------------> Firewall > NAT <-------------------
|IF |PROTO |Src.Addr|Srv.Ports|Dest.Addr |Dest.Ports|NAT IP |NAT Ports |Descript. |
|WAN|TCP/UDP|* |* |36.58.63.200|21 (FTP) |192.168.1.40|21 (FTP) |ServeurFTP|
IN DETAIL
Disabled (BLANK) Disable this rule
No RDR (NOT) (BLANK) Enabling this option will disable redirection for traffic matching this rule.
Interface "WAN" Choose which interface this rule applies to.
Protocol "TCP/UDP" Choose which IP protocol this rule should match.
Source Advanced (NOTHING SET) Show source address and port range
Destination (BLANK) not
----------- Type Public ip address 36.58.63.200
Address x / x (NOTHING SET)
Destination port range from "FTP"
---------------------- to "FTP"
Redirect target IP "192.168.1.40"
Redirect target port "FTP"
Description ServerFTP
No XMLRPC Sync (BLANK)
NAT reflection "ENABLE"
Filter rule association "PASS"
-----------> Firewall > Rules > LAN <-------------------
|ID|PROTO |Source |Port |Destination|Ports |Gateway |Queue|Schedule|Descript.
Green| |* |* |* |LAN Address|80,443 |* |none | |Anti-Lockout Rule
Green| |TCP/UDP|Servers_Control|* |* |PortsServAD|* |none | |
Red  | |* |* |* |* |* |* |none | |Block All
Thank you very much
-
So I just tried ftp to that IP you posted 36.58.xxx.xxx, and it does not allow even control (21) ftp, nor does it answer pings even.
Where were you connecting from when attempting to access it? Are you trying to do NAT reflection to access that public IP? I.e., from a box internal to your network hitting the public IP?
FTP should work just fine out of the box - all you should have to do is forward 21 to your FTP server IP. The firewall rule should be created auto, and you're good to go.
Since I cannot hit your 21, either you put up a bogus IP for privacy reasons? Or you got something in front of it blocking? Or you removed the rules to allow it? Why are you setting up proxy ARP?
Might be easier if you posted screenshots of your settings vs just the text. Are you setting up virtual IP because you have a range of them on the wan interface of pfsense?
-
Normal, I posted a wrong IP address for better security :)
OK, I will post screenshots if that is easiest :)
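
Added example, not written by anyone in this thread: a small Python check that reads the 227 reply from a client log like the one in the first post, decodes the data endpoint the server announces, and tests it against the port forwards listed in the NAT table. The function names and the FORWARDS structure are assumptions made for the illustration; the log lines and the forward are copied from the first post.

```python
import ipaddress
import re

# Constructed sample: tail of the client log quoted in the first post.
SAMPLE_LOG = """\
Commande : PASV
Réponse : 227 Entering Passive Mode (36,58,63,200,199,117)
Commande : LIST
Réponse : 150 Opening BINARY mode data connection.
Erreur : Délai d'attente expiré
"""

# Port forwards as listed in the post: (public IP, first port, last port).
FORWARDS = [("36.58.63.200", 21, 21)]

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:\s*,\s*\d{1,3}){5})\)")

def parse_pasv(line):
    """Return (ip, port) announced by a 227 reply, or None for other lines."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in 227 reply: %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return ip, port

def is_forwarded(ip, port, forwards):
    """True if (ip, port) falls inside one of the listed forwards."""
    return any(ip == f_ip and lo <= port <= hi for f_ip, lo, hi in forwards)

def audit(log, forwards):
    """For each 227 reply, return (ip, port, announces_private_ip, forwarded)."""
    findings = []
    for line in log.splitlines():
        endpoint = parse_pasv(line)
        if endpoint is None:
            continue
        ip, port = endpoint
        private = ipaddress.ip_address(ip).is_private  # server leaking its LAN IP
        findings.append((ip, port, private, is_forwarded(ip, port, forwards)))
    return findings

if __name__ == "__main__":
    for ip, port, private, ok in audit(SAMPLE_LOG, FORWARDS):
        print(f"data endpoint {ip}:{port} private_ip={private} forwarded={ok}")
```

With only port 21 in the forward list, the data port from the 227 reply is reported as not forwarded, which lines up with the LIST command timing out while the control connection works.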