Ftp-proxy through dual WAN



  • hello

    I randomly get timeouts or "SECURITY VIOLATION" in the proftpd logs during passive transfers to an FTP server.
    Transfers are started from the LAN, and ftp-proxy, when enabled, makes data connections with two WAN IP origins.

    My configs:
    FTP server on the internet (proftpd)

    PassivePorts                  65000 65500
    

    Pfsense config (2.1.1-PRERELEASE (amd64) built on Wed Feb 5 14:09:54 EST 2014 FreeBSD 8.3-RELEASE-p14)
    The default WAN is GW_ADSL
    The second WAN is GW_SDSL
    LAN interface is IFLAN10 and my routing policy is to use gateway "GW_SDSL" for FTP through GW failover

    pass in quick on $IFLAN10 inet proto tcp from 172.16.64.0/19 to <negate_networks> port 21 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on $IFLAN10 $GWfailoverSDSL inet proto tcp from 172.16.64.0/19 to any port 21 flags S/SA keep state label "USER_RULE: FTP sortant"
    debug.pfftpproxy=0
    

    Filezilla config:
    passive transfers

    Why is ftp-proxy making connections with two originating IPs? I thought it should create the FTP data connections with the same IP as the FTP control connection…
    Now, if I add explicit rules and policy routing, it works:

    pass in quick on $IFLAN10 $GWfailoverSDSL inet proto tcp from 172.16.64.0/19 to any port $Ports_FTPdata flags S/SA keep state label "USER_RULE: FTP sortant"
    

    Then IP for FTP data and IP for FTP connect are the same and my FTP server is happy  :D

    But ftp-proxy doesn't help me anymore… since I have to add specific rules for each FTP server.
    Am I missing something, or is this the normal behaviour? Can I tune ftp-proxy?

    thanks!
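    As an added illustration (not part of the original post or of pfSense), the following Python model of pf's first-match "quick" policy routing shows why a rule that only matches port 21 steers the control connection through GW_SDSL while a passive data connection to the PassivePorts range falls through to the default WAN, and why adding a rule for the data port range makes both leave through the same gateway. The rule objects, the client address and the assumption that an unmatched connection follows the default route (GW_ADSL) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the "pass in quick" policy-routing rules from the post.
# pf evaluates rules top-down and "quick" stops at the first match; a rule with
# gateway=None leaves the packet on the normal routing table (default WAN).
@dataclass
class Rule:
    src: str                 # source network the rule matches, e.g. "172.16.64.0/19"
    dports: range            # destination ports the rule matches
    gateway: Optional[str]   # gateway group to route via, or None for the default route
    label: str

DEFAULT_GW = "GW_ADSL"                 # default WAN in the post (assumed as the fallback)
PASSIVE_PORTS = range(65000, 65501)    # proftpd "PassivePorts 65000 65500"

def route_for(rules, src_ip, dport):
    """Return the gateway a new TCP connection from src_ip to dport is sent through."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if src in ipaddress.ip_network(r.src) and dport in r.dports:
            return r.gateway or DEFAULT_GW
    return DEFAULT_GW

# Ruleset as first described in the post: only the control port is steered to GW_SDSL.
RULES_CONTROL_ONLY = [
    Rule("172.16.64.0/19", range(21, 22), "GW_SDSL", "USER_RULE: FTP sortant"),
]
# Ruleset after adding the explicit data-port rule ($Ports_FTPdata = the passive range).
RULES_WITH_DATA = RULES_CONTROL_ONLY + [
    Rule("172.16.64.0/19", PASSIVE_PORTS, "GW_SDSL", "USER_RULE: FTP sortant (data)"),
]

def ftp_session_consistent(rules, client_ip, passive_port):
    """True when the control (port 21) and passive data connections use the same WAN,
    which is what a server that checks the data-connection source address requires."""
    return route_for(rules, client_ip, 21) == route_for(rules, client_ip, passive_port)
```

With only the port-21 rule the two halves of the session leave through different WANs, which is the mismatch the server rejects; with the data-range rule they agree.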


  • Rebel Alliance Global Moderator

    I'm a bit confused. Where are the clients? Are they public internet clients coming into your network, or are they LAN clients on your network talking to your FTP servers via a public IP to be forwarded back in?



  • sorry…
    The FTP clients are on my LAN, where pfSense is installed. This pfSense box has two WAN IPs.
    They connect to an internet FTP server.