Netgate Discussion Forum
    Help & advice seeked to setup rules and NAT for FTP server on OPT1

    General pfSense Questions

    pftdm007:

      Hello

      So I've been using pfSense for quite a while now, but just recently started to dive into it with some deeper/more complicated configurations.

      Basically my network is configured as this:

      pfSense (latest) running in a VM under KVM
      Interface 1 is WAN
      Interface 2 is LAN
      Interface 3 is OPT1

      WAN is set to DHCP and is physically connected to my ISP's modem.  LAN has subnet 192.168.0.0/24 with DHCP set at 192.168.0.100, which provides IPs to LAN clients (with some static assignments).  The same is configured for OPT1, except of course its subnet is 192.168.1.0/24 and again DHCP is set at 192.168.1.100.

      On LAN I have several physical computers, IP cameras and other VoIP equipment, printers, etc., as well as several VMs (all under the same hypervisor as pfSense).

      On OPT1 I have a virtual machine (CentOS) acting as an FTP server.  It uses a ZFS share located on a storage server which is located on LAN.  So basically a machine is using services from another machine on a different subnet.  Not black magic, and it works!

      These are the things I want to achieve.  Please criticize, because I need to learn how to properly use pfSense.

      The first thing I wanted to achieve was to configure the firewall rules so ONLY FTP traffic passes between the FTP server and the internet (only inbound, because the server will need some other outbound protocols for YUM and other services such as NTP, etc. to properly function).

      Then have in/out traffic possible ONLY between the FTP server and 2 of my LAN hosts (namely my main workstation, which I will use to SSH to the FTP server, and the FreeNAS box for the NFS share that the FTP server uses).  Traffic between other machines/VMs and the FTP server should not be possible for security reasons.  This is to prevent, or make life more difficult for, an attacker who would compromise the FTP server from easily reaching my other machines and VMs.

      I may or may not run a barebones Snort process on OPT1 to monitor unusual activity or possible attacks.  After all, the FTP server will be the only machine accessible from outside.

      So far what I've done:

      Configured OPT1 properly.
      Created the FTP server and set a static IP mapping on the DHCP server running on OPT1.  The FTP server can get an IP without problems.
      Created some rules under Firewall > Rules > OPT1.  I tried various combinations and configurations, but I am not sure how to proceed.  One of my attempts is shown in the first screenshot.

      From the assumption that pfSense starts by blocking everything until you open with rules, I created 2 rules to open FTP ports (21 and the range 60000-60050 for passive connections) from WAN, then created a wide-open rule from the FTP server to the WAN (for YUM, ntpd, sendmail, etc.).  Finally, I created 2 wide-open rules (one for inbound and another for outbound) to allow traffic between the FTP server and the "ftp_collaborators".

      ftp_collaborators is an alias which contains both my workstation and the FreeNAS box.

      With these rules, I can:

      • SSH from FTP to workstation:  Working! (Good)
      • SSH from workstation to FTP:  Working! (Good)
      • Mounting the NFS share on FreeNAS to FTP: Working! (Good)
      • SSH from FTP to LAN hosts:  Not working! (Good)
      • SSH from LAN hosts to FTP:  Working! (NOT good)
      • Access to the internet from FTP:  Not working! (NOT good)
      • Access to the FTP from the internet:  Couldn't test yet (will do tomorrow)

      Obviously something is wrong with my rules or aliases or NATting.  Can someone take a look at my rules (see screenshot) and provide some comments/recommendations?  Am I using these properly?

      If I delete all rules on OPT1 and create a single rule with Source=any, Dest=any, Proto=IPv4, Ports=any on Src & Dest, then all works, but traffic can pass between the FTP server and other LAN clients, which is not desirable.

      Feedback and quick explanations will be VERY appreciated!

      Thanks!!!
      (Screenshots attached: pfsense_rules_ftp.jpg, pfsense_rules_lan.jpg, pfsense_rules_wan.jpg)

    pftdm007:
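      An added model of the rule evaluation behind the observations in the post above (example code, not from the thread and not pfSense's own code): pfSense applies a tab's rules to traffic entering the firewall on that interface, top to bottom, first match wins, with an implicit block at the end; reply packets ride on the state the first packet created, so only the first packet is modelled. On this model a LAN host's SSH to the FTP server enters on LAN, where the default "allow LAN to any" rule passes it before any OPT1 rule is consulted, and a "WAN net" destination only covers the ISP-facing subnet, not the internet. The host addresses, the ftp_server alias and the "WAN net" destination in the attempted ruleset are assumptions; the screenshots are not on the page.

```python
"""Model of pfSense per-interface, first-match rule evaluation (added example).
Only a connection's first packet is evaluated; replies use the state table.
All addresses below are constructed; the thread does not give them."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.0.0/24")
OPT1_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_NET = ipaddress.ip_network("198.51.100.0/24")       # constructed ISP-side subnet
FTP = ipaddress.ip_address("192.168.1.10")              # constructed: static DHCP lease
WORKSTATION = ipaddress.ip_address("192.168.0.20")      # constructed
FREENAS = ipaddress.ip_address("192.168.0.30")          # constructed
OTHER_LAN = ipaddress.ip_address("192.168.0.40")        # constructed: not a collaborator
INTERNET = ipaddress.ip_address("203.0.113.7")          # constructed remote client

# Alias table; None means "any". Hosts are stored as /32 networks.
ALIASES = {
    "any": None,
    "ftp_server": [ipaddress.ip_network(f"{FTP}/32")],            # assumed alias name
    "ftp_collaborators": [ipaddress.ip_network(f"{h}/32") for h in (WORKSTATION, FREENAS)],
    "LAN net": [LAN_NET],
    "OPT1 net": [OPT1_NET],
    "WAN net": [WAN_NET],
}

@dataclass
class Rule:
    iface: str                                  # interface tab the rule lives on
    action: str                                 # "pass" or "block"
    src: str = "any"
    dst: str = "any"
    dports: Optional[Tuple[int, int]] = None    # inclusive range, None = any port
    note: str = ""

def addr_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    members = ALIASES[spec]
    return members is None or any(addr in net for net in members)

def rule_matches(rule: Rule, src, dst, dport: int) -> bool:
    if not addr_matches(rule.src, src) or not addr_matches(rule.dst, dst):
        return False
    return rule.dports is None or rule.dports[0] <= dport <= rule.dports[1]

def ingress_iface(src: ipaddress.IPv4Address) -> str:
    """The interface a packet arrives on depends on where the sender sits."""
    if src in LAN_NET:
        return "LAN"
    if src in OPT1_NET:
        return "OPT1"
    return "WAN"   # port forward has already rewritten dst to the private address

def verdict(rules, src, dst, dport: int) -> str:
    iface = ingress_iface(src)
    for rule in rules:
        if rule.iface == iface and rule_matches(rule, src, dst, dport):
            return rule.action
    return "block"   # implicit default deny

# Rules as described in the post: everything on the OPT1 tab, LAN left at its
# default "allow LAN to any". The "WAN net" destination is an assumption.
ATTEMPT = [
    Rule("LAN", "pass", "LAN net", "any", note="pfSense default LAN rule"),
    Rule("OPT1", "pass", "ftp_collaborators", "ftp_server", note="never matches: enters on LAN"),
    Rule("OPT1", "pass", "ftp_server", "ftp_collaborators"),
    Rule("OPT1", "pass", "ftp_server", "WAN net", note="assumed; only covers the ISP subnet"),
    Rule("WAN", "pass", "any", "ftp_server", (21, 21)),
    Rule("WAN", "pass", "any", "ftp_server", (60000, 60050)),
]

# Same policy, filtered on the interface the traffic actually enters.
FIXED = [
    Rule("LAN", "pass", "ftp_collaborators", "ftp_server"),
    Rule("LAN", "block", "LAN net", "OPT1 net", note="other LAN hosts may not reach OPT1"),
    Rule("LAN", "pass", "LAN net", "any"),
    Rule("OPT1", "pass", "ftp_server", "ftp_collaborators"),
    Rule("OPT1", "block", "ftp_server", "LAN net", note="no pivot from FTP into LAN"),
    Rule("OPT1", "pass", "ftp_server", "any", note="yum, ntp, mail, DNS on the OPT1 address"),
    Rule("WAN", "pass", "any", "ftp_server", (21, 21)),
    Rule("WAN", "pass", "any", "ftp_server", (60000, 60050)),
]

CASES = {
    "workstation->ftp:22": (WORKSTATION, FTP, 22),
    "other_lan->ftp:22": (OTHER_LAN, FTP, 22),
    "ftp->other_lan:22": (FTP, OTHER_LAN, 22),
    "ftp->freenas:2049": (FTP, FREENAS, 2049),
    "ftp->internet:443": (FTP, INTERNET, 443),
    "internet->ftp:21": (INTERNET, FTP, 21),
    "internet->ftp:60010": (INTERNET, FTP, 60010),
    "internet->ftp:22": (INTERNET, FTP, 22),
}

def evaluate(rules) -> dict:
    return {name: verdict(rules, *pkt) for name, pkt in CASES.items()}

if __name__ == "__main__":
    for label, rules in (("OPT1-only rules", ATTEMPT), ("filter on ingress", FIXED)):
        print(label)
        for name, result in evaluate(rules).items():
            print(f"  {name:22} {result}")
```

      The WAN rules match on the post-NAT destination because pfSense translates a port forward before filtering, so the port forward for 21 and 60000-60050 to the FTP server must exist alongside them (and the server must advertise the public address in its PASV replies). The model does not include pfSense's "invert match" option; "! LAN net" on the OPT1 outbound rule would collapse the block-then-pass pair into one rule.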

        That didn't work out too well.  This morning, SSH to ALL machines on LAN failed (temporary DNS name resolution failure), the firewall was suspiciously slow (and not responsive), and I couldn't reach the internet from any machine.

        Deactivated all rules under OPT1 and rebooted the firewall; all is back to normal.

        For now I will assume this is only a glitch in the firewall and not related to my OPT1 rules, unless someone can point out that it is.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.