Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Active FTP through a binat ipsec tunnel in 2.2\. No go?

    General pfSense Questions
    3
    5
    537
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Y
      yaffle11 last edited by

      Hi there,

      We have a situation that's rather complicated, and we cannot seem to find a working solution.
      We have a ipsec tunnel, in which a local net is natted. So: 192.168.1.x ->172.16.20.x –-------- 10.1.1.x
      This works great, except for the fact that on the 10.1.1.x side, there is an active FTP server we need to connect to from the 192.168.1.x net.
      This all worked in 2.1, but since the upgrade to 2.2 we cannot get this working again. We tried disabling the debug.ftpproxy, we tried rules (any any on ipsec) and we tried the ftp-proxy package for 2.2. But no go yet.
      Does anybody have any idea besides reverting back to 2.1?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned last edited by

        Yeah, active FTP across quad NAT – that is definitely a complete no go and utter waste of time that should instead be invested into using a reasonable and secure protocol.

        1 Reply Last reply Reply Quote 0
        • Y
          yaffle11 last edited by

          I agree. But client legacy demands data…We're pushing for sftp, but dinosaurs walk slowly.
          But... Why did it work in 2.1?

          1 Reply Last reply Reply Quote 0
          • D
            doktornotor Banned last edited by

            Use the search feature on this forum and read the wiki docs and release notes. Covered about zillion times.

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              why did it work in 2.1, because 2.1 had a helper for ftp that changed IPs in the commands and opened up firewall rules..

              As to why the package wouldn't work - pretty sure that is for clients to talk to a active ftp server, not for the active ftp server behind pfsense.

              There really should not be an issue with pfsense active ftp server behind it..  in that mode the client says hey ftp server come talk to me on IP:port from your source port 20..

              So your server is the one making the data connection..  So unless you have rules on your segment your ftp server is on that blocks traffic?  I would just sniff the traffic and see what the client is actually sending you for data channel, you sure client is wanting to do a active connection where the server talks to the IP and port given by the client..  You sure its not a passive connection??  That would be broken since pfsense would have to forward ports into the server, which the helper use to do which is now gone.

              First step is actually understanding how active/passive differ - this I find is normally #1 reason its not working because they don't really know what is being used active or passive and don't understand the difference anyway.

              This is a GREAT write up on active vs passive
              http://slacksite.com/other/ftp.html

              Once you understand how the protocol works, then creating the proper firewall rules is really straight forward..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

              1 Reply Last reply Reply Quote 0
              • First post
                Last post