Hi, problem accessing FTP behind pfSense firewall
-
What do you mean?
A port-forward is a type of NAT where you bind a LAN IP to a WAN IP, and provide a mapping of the specific ports that you want to be open. 1:1 NAT does a complete mapping of all ports from the WAN IP to LAN IP. It's overkill for your needs here. You only need 2 firewall rules and two port-forwards. You haven't posted a screen of your NAT rules.
-
Thank you buddy, for your time and energy.
Here are the NAT rules:
-
For Dest. addr, you need to put the WAN IP address of the server, so 213.8.246.209 in your case.
-
Well, I did it, and even deleted the 1:1 NAT (now that I understand I don't need it).
Now the clients can access the FTP and successfully log on, but can't do any command like LIST, PUT…
Do you think it is still something with my FTP server?
-
Now the clients can access the FTP and successfully log on
Making progress…
Do you think it is still something with my FTP server?
Perhaps. Check your logs. Anything in your pfSense Firewall log? Anything in your FTP server log?
-
Well, your passive ports sure as hell are not UDP?? Are you sure the FTP server is handing out your PUBLIC IP and not its private one? If you send me a login I will validate what the server is sending for IP and port when I try to do a passive connection.
-
Wait a sec…
After I deleted the 1:1 NAT (following KOM's idea), the FTP server is not using its public IP anymore when it goes out (it started using our "general" network NAT IP).
I know that when I used the Checkpoint router I bound the internal IP to the public IP through its MAC address.
I guess I need to do the same thing here, but how?
-
Do you have a Virtual IP alias (Firewall - Aliases) for your public IP used by your FTP server?
-
Hey, I'm not so familiar with this setting.
What should I do there?
-
What should I do there?
Well, that depends on whether or not you have more than one public IP address. If you have more than one, you use Virtual IPs to let pfSense handle them, and you use those IPs in your NAT rules as destinations. I don't want to confuse the issue though. This shouldn't be that hard:
-
1 NAT port forward for port 21 to your FTP server
-
1 NAT port forward for the passive port range you are using to your FTP server
-
1 firewall rule to allow the port 21 traffic to your FTP server
-
1 firewall rule to allow the passive port range traffic to your FTP server
That's it. This assumes that your FTP server works properly and is configured properly.
-
-
First, I'd like to thank you for your help.
Second, for all those who will have the same problem as me:
I installed FileZilla Server on the FTP server, and things began to work just fine!
-
I was starting to suspect that it was your FTP server. Glad to hear you got it working. Which server were you running before, so that we know to avoid it?
-
Yeah, would be curious what FTP server you were using as well; most likely it was not sending out its correct public IP but its private IP when doing passive connections. FileZilla makes it quite easy to choose between private or public, and even offers a way for your public IP to be looked up by the FTP server, etc.
While you stated you set the passive mode to a limited range, I have to assume any FTP server that allowed for that would also allow for use of the public IP vs. its local private IP.
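As an added diagnostic example (not code from the thread or from pfSense/FileZilla), this parses the server's PASV reply and flags the two failure modes discussed above: a private address advertised instead of the public one, and a data port outside the range the firewall forwards. The sample replies and the 50000-50100 passive range are constructed assumptions; the public IP is the one posted earlier in the thread.

```python
import ipaddress
import re

# Constructed sample PASV replies (not captured from the thread's server).
# A client connects to the address/port the server advertises here, so a
# private LAN address or an unforwarded port breaks LIST/PUT even though
# the control connection on port 21 logged in fine.
SAMPLE_PASV_OK = "227 Entering Passive Mode (213,8,246,209,195,88)"
SAMPLE_PASV_BAD = "227 Entering Passive Mode (192,168,1,10,195,88)"

# Assumed passive range the firewall port-forwards to the server.
FORWARDED_RANGE = (50000, 50100)

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_pasv(reply, public_ip, forwarded_range):
    """Return (ip, port, problems) explaining why the data connection
    through NAT would fail; an empty problem list means it should work."""
    ip, port = parse_pasv(reply)
    problems = []
    if ipaddress.ip_address(ip).is_private:
        problems.append("server advertises private address %s" % ip)
    elif ip != public_ip:
        problems.append("advertised %s is not the forwarded public IP %s"
                        % (ip, public_ip))
    lo, hi = forwarded_range
    if not lo <= port <= hi:
        problems.append("port %d outside forwarded range %d-%d"
                        % (port, lo, hi))
    return ip, port, problems


if __name__ == "__main__":
    for reply in (SAMPLE_PASV_OK, SAMPLE_PASV_BAD):
        print(check_pasv(reply, "213.8.246.209", FORWARDED_RANGE))
```

The reply strings can be swapped for the actual line printed by a client run with verbose/debug output to see which of the two the server is getting wrong.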
-
Yeah, would be curious what FTP server you were using as well
MicroShit IIS. There's a screenshot a page back. ::)
-
I saw that screen but it told me nothing. I don't use IIS for anything, ever. It figures, though. Microsoft.
-
Well, I have 2 FTP servers, one with 2008 and one with 2003 (no 3rd-party application, just the classic IIS management).
The problem was on both of them. After the FileZilla installation (btw it can't be installed on 2003, just 2008 and above…) I configured the passive port range (again), but in the FileZilla settings window, and it works like magic.
Actually I installed FileZilla only for its LOG, and along the way it solved my problem, so I'm good with it.
My next step is to set up the VPN users (instead of the Checkpoint VPN endpoint connect), but I'm sure it will be much easier; otherwise my managers will probably kill me.
-
@KOM:
It figures, though. Microsoft.
Yeah. They get the ftp.exe client totally wrong, and the server is no better.
-
I have not had to deal with FTP in IIS for YEARS and YEARS. Would have to fire up a copy to see if it lets you set the IP to use for passive when it's on a private one. There are much better options for FTP servers than IIS, that is for sure ;)
To be honest you should try and get away from ftp altogether and use either sftp or just plain http or https.
-
Yes, I will think about it. Maybe you're right.
Our company is developing desktop software for nursing homes and long-term care hospitals, one of whose features is to get lab results automatically (you know, like hemoglobin, RDW, WBC, cholesterol…).
So the way we chose to perform this operation is to connect to the FTP via ActiveX and simply download the HL7 files (if you're familiar with web services) that belong to the hospital. Every hospital has a unique ID, so on the FTP server we created a folder tree where every folder is the unique ID of each hospital.
That's why we chose to work with FTP, so every client, after they connect to the server, runs 3 simple commands:
CD <unique id>
mget *.hl7
del *.hl7
(bye)
I'm not sure I will succeed with the same process with another protocol like HTTP to control these commands.
-