Help & advice sought to set up rules and NAT for FTP server on OPT1
-
Hello
so I've been using pfsense for quite a while now but just recently started to dive into it with some deeper/more complicated configurations.
Basically my network is configured as this:
pfsense (latest) running in a VM under KVM
Interface 1 is WAN
Interface 2 is LAN
Interface 3 is OPT1
WAN is set to DHCP and is physically connected to my ISP's modem. LAN has subnet 192.168.0.0/24 with DHCP set at 192.168.0.100 which provides IPs to LAN clients (with some static assignments). Same is configured for OPT1 except of course its subnet is 192.168.1.0/24 and again DHCP set at 192.168.1.100
On LAN I have several physical computers, IP cameras and other VoIP equipment, printers, etc, as well as several VM's (all under the same hypervisor as pfsense).
On OPT1 I have a virtual machine (Centos) acting as a FTP server. It uses a ZFS share located on a storage server which is located on LAN. So basically a machine is using services from another machine on a different subnet. Not black magic and it works!
These are the things I want to achieve. Please criticize because I need to learn how to properly use pfsense.
The first thing I wanted to achieve was to configure the firewall rules so ONLY FTP traffic passes between the FTP server and the internet (only inbound because the server will need some other outbound protocols for YUM and other services such as NTP, etc. to properly function)
Then have in/out traffic possible ONLY between the FTP server and 2 of my LAN hosts (namely my main workstation which I will use to SSH to the FTP server, and the Freenas box for the NFS share that the FTP uses..) Traffic between other machines/VM's and the FTP server should not be possible for security reasons. This is to prevent or make life more difficult for an attacker who would compromise the FTP server to not easily reach my other machines and VM's..
I may or may not run a barebone Snort process on OPT1 to monitor unusual activity or possible attacks.. After all, the FTP server will be the only machine accessible from outside.
So far what I've done
Configured OPT1 properly
Created the FTP server and set a static IP mapping on the DHCP server running on OPT1. The FTP server can get an IP without problems
Created some rules under Firewall > Rules > OPT1.. I tried various combinations and configurations but I am not sure how to proceed. One of my attempts is shown in the first screenshot. From the assumption that pfsense starts by blocking everything until you open with rules, I created 2 rules to open FTP ports (21 & range 60000-60050 for passive connection) from WAN, then created a wide open rule from FTP server to the WAN (for YUM, ntpd, sendmail, etc). Finally, I created 2 wide open rules (one for inbound and another for outbound) to allow traffic between the FTP server and the "ftp_collaborators"..
ftp_collaborators is an alias which contains both my workstation and the freenas box..
With these rules, I can
- SSH from FTP to workstation: Working! (Good)
- SSH from workstation to FTP: Working! (Good)
- Mounting the NFS share on Freenas to FTP: Working! (Good)
- SSH from FTP to LAN hosts: Not working! (Good)
- SSH from LAN hosts to FTP: Working! (NOT good)
- Access to the internet from FTP: Not working! (NOT good)
- Access to the FTP from the internet: Couldn't test yet (will do tomorrow)
Obviously something is wrong with my rules or aliases or NAT'ting…. Can someone take a look at my rules (see screenshot) and provide some comments/recommendations? Am I using these properly?
If I delete all rules on OPT1 and create a single rule with Source=any, dest=any, proto=IPv4, Ports=any on Src & Dest, then all works but traffic can pass between the FTP server and other LAN clients which is not desirable...
Feedback and quick explanations will be VERY appreciated!
Thanks!!!
-
That didn't work out too well… This morning, SSH to ALL machines on LAN failed (Temporary DNS name resolution), the firewall was suspiciously slow (and not responsive), I couldn't reach the internet from any machine...
Deactivated all rules under OPT1, and rebooted the firewall, all is back to normal.
For now I will assume this is only a glitch in the firewall and not related to my OPT1 rules, unless someone can point out that it is..
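
Added example, not part of the thread and not pfSense code: a small Python model of how pfSense applies interface rules (top-down, first match wins, checked on the interface where the connection enters, default deny), used to test the policy described in the first post. The host addresses and the rule list itself are constructed assumptions; only the two subnets, the FTP ports and the ftp_collaborators alias come from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: the thread gives only the two subnets.
FTP = "192.168.1.10"
COLLAB = ["192.168.0.10", "192.168.0.20"]  # workstation, FreeNAS (ftp_collaborators)
LAN_NET, OPT1_NET = "192.168.0.0/24", "192.168.1.0/24"
ANY = "0.0.0.0/0"

def nets(spec):
    """Normalise a host, network or alias (list) to a list of networks."""
    items = spec if isinstance(spec, list) else [spec]
    return [ip_network(i) for i in items]

# Rules per ingress interface: (action, source, destination, dest ports or None = any).
RULES = {
    # Destination is the internal address: the port forward is applied
    # before the WAN rule is checked.
    "WAN": [("pass", ANY, FTP, [21, *range(60000, 60051)])],
    "OPT1": [
        ("pass", FTP, COLLAB, None),         # NFS to FreeNAS, SSH to workstation
        ("block", OPT1_NET, LAN_NET, None),  # nothing else from OPT1 into LAN
        ("pass", FTP, ANY, None),            # YUM, NTP, mail to the internet
    ],
    # Traffic from LAN hosts to the FTP server is decided here, not on OPT1.
    "LAN": [
        ("pass", COLLAB, FTP, None),         # only the collaborators reach FTP
        ("block", LAN_NET, OPT1_NET, None),
        ("pass", LAN_NET, ANY, None),        # normal LAN internet access
    ],
}

def decide(iface, src, dst, port):
    """Return 'pass' or 'block' for a new connection entering on iface."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, ports in RULES[iface]:
        if (any(s in n for n in nets(rsrc)) and any(d in n for n in nets(rdst))
                and (ports is None or port in ports)):
            return action  # first match wins
    return "block"  # implicit default deny
```

Return traffic is not modelled because the firewall is stateful: a passed connection's replies are allowed without a rule in the opposite direction.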