Allow FTP Traffic
This how-to describes the steps to allow FTP traffic from your local network to the internet and from the internet to an FTP server protected by your OPNsense firewall.
Prerequisites
To allow FTP traffic we have to redirect all FTP control connections (port 21) to a local FTP proxy server, which dynamically inserts and removes firewall rules for the data connections according to the FTP port commands (PORT/PASV and their extended forms).
Additionally we need rules to allow traffic on the local interface to this proxy.
For the setup of the proxy we use the "Ftp Proxy" plugin. It was released with OPNsense 16.7.8.
Forward FTP Proxy
The forward proxy enables internal clients to connect to FTP servers on the internet.
(https://images2.imgbox.com/31/90/pRTJJ6PV_o.png?download=true)
To add a new FTP proxy server navigate to Services->FTP Proxy and click on the Add button at the bottom right.
Now you see a dialog with the proxy settings.
(https://images2.imgbox.com/8a/e1/FGNZtzF0_o.png?download=true)
For now you can leave the defaults.
NOTE: If the outbound NAT address is different from the primary interface address you need to specify the NAT address as "Source Address".
This is typically the case in clustered setups with CARP, where the shared CARP address is the one the outside sees.
Clicking on Save changes creates a new FTP proxy server and starts it. Be patient, this takes a few seconds.
Now this proxy listens on 127.0.0.1 port 8021 and you should see it as a new entry in the proxy server list.
(https://images2.imgbox.com/40/63/fkf2noM8_o.png?download=true)
The green background indicates that the proxy is running. If the background appears yellow it is disabled and stopped.
Next we create rules to allow and redirect FTP from the LAN interface to the proxy.
Go to Firewall->NAT->Port Forward and click on the Add button.
Here we change the following options:
Interface: LAN
Destination: any
Destination port range: FTP
Redirect target IP: 127.0.0.1
Redirect target port: (other) 8021
This will create a redirect rule for all FTP connections to the internet
(https://images2.imgbox.com/6f/f0/IqA9Oo4b_o.png?download=true)
and a rule to allow FTP connections to the proxy. (See Firewall->Rules->LAN)
(https://images2.imgbox.com/b8/02/MtSMyuwO_o.png?download=true)
Apply these changes and you can connect to FTP servers on the internet.
Reverse FTP Proxy
The reverse proxy enables access from the internet to a local FTP server behind the firewall.
Clients connecting to the firewall via FTP will be redirected to a local FTP proxy and then to the internal FTP server.
(https://images2.imgbox.com/90/f2/ggjqzsfC_o.png?download=true)
So let's create a new FTP proxy and configure the "Reverse address" to point to the internal FTP server at 192.168.1.15.
(https://images2.imgbox.com/0b/3e/tRKUWvNQ_o.png?download=true)
Here we need the rules to redirect the traffic from the WAN interface to the proxy as well.
Go to Firewall->NAT->Port Forward and add a new rule:
Interface: WAN
Destination: WAN address
Destination port range: FTP
Redirect target IP: 127.0.0.1
Redirect target port: (other) 8022
In addition to the auto-generated rules we allow FTP access to the WAN interface.
(https://images2.imgbox.com/2f/57/fNra3zzs_o.png?download=true)
Apply the changes and the FTP server is accessible from the internet.
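To make concrete what the proxy does for both setups above (forward: the LAN client's PORT/EPRT; reverse: the internal server's 227/229 replies), here is an added example that is not part of the how-to and not code from OPNsense or the Ftp Proxy plugin. It parses the control-channel lines that announce a data connection, refuses an endpoint that is not the connection's own peer (otherwise the proxy would be talked into opening a hole toward a third host), and renders the kind of temporary pf pass rule a proxy opens for the data connection. The rule text is an assumed, simplified model of ftp-proxy's anchor rules, not its exact output, and all addresses and session lines are constructed.

```python
"""Added example: what an FTP proxy must parse to open data-connection rules.
Not OPNsense/ftp-proxy code; pf rule text is a simplified assumed form."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DataEndpoint:
    """Data-connection endpoint announced on the FTP control channel."""
    mode: str            # "active": server connects out to host:port (PORT/EPRT)
                         # "passive": client connects to host:port (227/229)
    host: Optional[str]  # None for EPSV (229): the host is the server itself
    port: int


# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply
_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hp(m: "re.Match") -> Tuple[str, int]:
    host = ".".join(m.group(i) for i in range(1, 5))
    ipaddress.IPv4Address(host)              # raises on octets > 255
    port = int(m.group(5)) * 256 + int(m.group(6))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return host, port


def parse_client_command(line: str) -> Optional[DataEndpoint]:
    """PORT h1,h2,h3,h4,p1,p2 or EPRT |1|a.b.c.d|port| -> active endpoint; else None."""
    verb, _, arg = line.strip().partition(" ")
    arg = arg.strip()
    if verb.upper() == "PORT":
        m = _HP.fullmatch(arg)
        if m is None:
            raise ValueError(f"malformed PORT argument: {arg!r}")
        host, port = _decode_hp(m)
        return DataEndpoint("active", host, port)
    if verb.upper() == "EPRT":
        # RFC 2428: <d><af><d><addr><d><port><d>, address family 1 = IPv4
        fields = arg.split(arg[0]) if arg else []
        if len(fields) != 5 or fields[1] != "1" or not fields[3].isdigit():
            raise ValueError(f"unsupported EPRT argument: {arg!r}")
        port = int(fields[3])
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        return DataEndpoint("active", str(ipaddress.IPv4Address(fields[2])), port)
    return None


def parse_server_reply(line: str) -> Optional[DataEndpoint]:
    """227 Entering Passive Mode (h1,...,p2) or 229 (|||port|) -> passive endpoint; else None."""
    line = line.strip()
    if line.startswith("227"):
        m = _HP.search(line)
        if m is None:
            raise ValueError(f"malformed 227 reply: {line!r}")
        host, port = _decode_hp(m)
        return DataEndpoint("passive", host, port)
    if line.startswith("229"):
        m = re.search(r"\(\|\|\|(\d+)\|\)", line)
        if m is None or not 0 < int(m.group(1)) < 65536:
            raise ValueError(f"malformed 229 reply: {line!r}")
        return DataEndpoint("passive", None, int(m.group(1)))
    return None


def check_endpoint(ep: DataEndpoint, client_ip: str, server_ip: str) -> DataEndpoint:
    """Refuse an endpoint that is not the control-connection peer (FTP bounce guard).
    An active endpoint must be the client, a passive one the server."""
    expected = client_ip if ep.mode == "active" else server_ip
    host = expected if ep.host is None else ep.host
    if host != expected:
        raise ValueError(f"{ep.mode} endpoint {host}:{ep.port} is not the peer {expected}")
    return DataEndpoint(ep.mode, host, ep.port)


def pf_rule(ep: DataEndpoint, client_ip: str, server_ip: str) -> str:
    """Simplified pf pass rule for one data connection (assumed form, not ftp-proxy's text)."""
    ep = check_endpoint(ep, client_ip, server_ip)
    if ep.mode == "active":
        src, dst = server_ip, client_ip      # server dials the client's announced port
    else:
        src, dst = client_ip, server_ip      # client dials the server's announced port
    return (f"pass in quick inet proto tcp from {src} to {dst} "
            f"port = {ep.port} flags S/SA keep state (max 1)")


if __name__ == "__main__":
    # Constructed session: LAN client 192.168.1.20 talking through the proxy to a server
    client, server = "192.168.1.20", "203.0.113.10"
    for line in ["USER anonymous", "PORT 192,168,1,20,4,1",
                 "227 Entering Passive Mode (203,0,113,10,195,80)",
                 "PORT 10,0,0,5,4,1"]:
        ep = parse_client_command(line) if line[:1].isalpha() else parse_server_reply(line)
        if ep is None:
            continue
        try:
            print(line, "->", pf_rule(ep, client, server))
        except ValueError as exc:
            print(line, "-> rejected:", exc)
```

The rule is only ever as specific as the announced endpoint and is tied to one connection state, which is why the proxy approach scales better than pre-opening a passive port range on the firewall (the workaround discussed further down in the thread). The last constructed line shows the case the peer check exists for: a PORT naming a host other than the client is rejected instead of turned into a rule.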
I'm on OPNsense 16.7.12, but I can't find the Ftp Proxy option. Do I have to enable the plugin somehow? Or has it been removed?
See: System: Firmware: Plugins. It needs to be installed as it is not in the standard installation.
Cheers,
Franco
Hi.
Is this "forward-proxy" example really correct? I set it up like that with the proxy listening on 127.0.0.1, but ftp doesn't work for me. In the NAT rule I had to choose a VLAN interface, since I have a few separate VLANs.
Isn't it more logical to make the proxy listen on for example 192.168.1.1, if this is considered the internal gateway on the LAN side?
Thank you.
Best regards,
Wayne
You can do that.
I prefer it that way too, much easier to control what is published/redirected to where in NAT rules, especially when you have multiple internal (LAN) interfaces with different purposes and rules (LAN, Wi-Fi, Perimeter etc.).
The single one different thing I do on the reverse proxy is that I always set the IP address of the FW facing the FTP server as source address to be communicated to the FTP server.
Both forward and reverse proxy for FTP explained here are working fine, I have implemented them on two completely different OPNsense protected networks (different means no single common/ direct touching point - different ISP, different subnets, different everything) and now I can connect from any LAN to any other FTP server, both as active or passive connection. The forward proxy on the client side does the job well for creating dynamic inbound rules on FW for data port selected/ determined by the client (for active connection), and the reverse proxy does the same on the other (server) side for data port selected/ determined by the server (for passive connection).
With a forward proxy configured as exemplified here you can connect (active connections only) from behind it to any FTP in the world existing behind a simple NAT for port 21 (even without a reverse FTP proxy).
Conversely, with a reverse proxy for your FTP server, you ensure every client in the world can connect to your published FTP server without a glitch (passive connection only).
Though, to be able to use active connections for everything to/ from everything, both FW/ NAT equipment in between the client(s) and the server(s) must have forward and reverse proxies, respectively, properly configured.
There is no way you can successfully initiate an FTP connection (active or passive) from behind a NAT to a NATed FTP server (aka double NAT) only by using NAT for the server, without at least one FTP proxy, either reverse in front of the server or forward in front of the client (there is, though, the workaround to play with the ephemeral ports on the FW/NAT on the server side, but it is cumbersome, only works for passive connections, and somehow lowers the security on the FW/NAT equipment).
Hi Wayne,
Quote from: Wayne Train on November 27, 2017, 02:55:12 PM
Isn't it more logical to make the proxy listening on for example 192.168.1.1 f.e., if this is considered the internal gateway on the LAN side ?
no.
Connecting the proxy without a redirection doesn't work. Therefore you don't need it to listen on LAN/OPT.
If you let the proxy listen on the LAN/OPT interface you need a proxy for every LAN/OPT interface.
A proxy on 127.0.0.1 can serve all FTP connections.
In any case you still need the port forwarding rules.
Cheers,
Frank
Hi,
I am having a problem with this setup where the client connects to the ftp proxy but then OPNsense sends the data back into itself on port 21.
client: 192.168.20.20:23456 --> firewall: 127.0.0.1:8021
then from
firewall: 10.10.10.11:45678 --> firewall: 10.10.10.11:21
See my full post here: https://forum.opnsense.org/index.php?topic=12617.msg58173#msg58173
Any help is greatly appreciated.
jmp
Hi,
I am having a problem with this at the moment. I have my port 21 forwarded to my FTP server but I am only able to connect in Active mode via an ftp client. If I try to connect in passive mode, I get a timeout error.
I followed this example but that made no difference.
Looking at my logs I cannot see any ports being blocked
You should redirect port 21 to the FTP proxy not the server.
Client --> firewall WAN_IP:21 --> ftp-proxy 127.0.0.1:8021 --> your_local_ftp_server:21
Hi Faunsen,
So I followed your instructions and made a slight change
Client --> firewall WAN_IP:21 --> ftp-proxy 127.0.0.1:21 --> your_local_ftp_server:21 and it worked. For some reason trying 8021 didn't work.
Thanks for your help though!!
Ah, I see the problem. Tinypic has shut down and now some pictures are missing.
Will fix that.
You should configure your ftp-proxy to listen on 8021.
I have followed the instructions multiple times, double checking everything, but ftp just won't connect. If I try to connect locally, it works. But no matter what I do, it just won't connect from outside the network. I can't tell you why exactly, not really sure where to check and which log will tell me why it won't connect. :-[
This is a how-to and not meant for resolving problems.
Can you please start a new topic in the '19.7 Production Series' section and inform me via PM?
Thanks :)
Dear all,
I would say I followed this tutorial but I'm still not able to connect to the local FTP server.
I only need to set up access to a local FTP from the LAN to start and then from the WAN once everything works.
These are my steps, not far from this tutorial:
- create an alias FTP proxy server: 127.49.49.1
- FTP PROXY - loopback ftp proxy server, 127.49.49.1:8822 to FTP local Server IP:21
- LAN address NAT to ftp proxy server (TCP, LAN Address, dport 21 redirect to 127.49.49.1:8822)
If I check the log on the ftp server there is no logged connection from 127.49.49.1 and also no packets passed through the ftp iptables rules.
Ftp proxy is up and running (green light in the dashboard and allocated web page) but seems not to be forwarding the info. Has anybody faced a similar issue?
Thanks in advance