OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Manxmann on March 03, 2017, 06:18:19 PM

Title: [SOLVED] FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: Manxmann on March 03, 2017, 06:18:19 PM
Hi Folks,

I'm having an issue with FTP Proxy so need some guidance again.

Ok first off the network plan is as follows:

[Internet] > [OPNSense] > [FTP Server vsftpd]

So far I've:

/ Installed the FTP-Proxy plugin
/ Configured a single proxy instance listening on 127.0.0.1:8021, reverse address set to the internal IP of the FTP server, port 21
/ Added a WAN rule allowing ftp/21 to the WAN IP address
/ Added a port forward rule forwarding WAN ftp/21 to 127.0.0.1:8021

Ok, if I ftp to the WAN IP address I can connect to the FTPProxy and log on to the target FTP server (either anonymous or a local user account). However, if I then try to perform any action I get the following; the command hangs, hence the Ctrl+C to cancel:

yyyyy@GC-JUMPBOX:~$ ftp -v 159.8.x.x
Connected to 159.8.x.x.
220 Welcome to the Txxx Sxxxx Patching FTP service.
Name (159.8.x.x:yyyyy): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
^C
421 Service not available, remote server has closed connection

receive aborted
waiting for remote to finish abort
ftp>

The clients tested are Debian's default FTP and MS Windows; both can connect to ftp.debian.org, for example, eliminating the local firewall.

It looks like when the FTP client issues the N+1 request the proxy doesn't work.

If I connect directly to the FTP server using a client on the same lan everything works.

Any help very much appreciated.

Simon
Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: Manxmann on March 03, 2017, 06:26:09 PM
Quick update, if I force passive mode on the client ftp -p I can connect.

Trouble is I don't have control over which clients connect so cannot rely on this as a solution.
Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: franco on March 03, 2017, 07:30:36 PM
Hi Manxmann,

Can you double check with the official tutorial and tell us what isn't working as expected?

https://forum.opnsense.org/index.php?topic=3868.0


Thank you,
Franco
Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: faunsen on March 04, 2017, 01:56:05 PM
Ok, the ftp server cannot create an active data connection.
Possible reasons:
- a firewall or SELinux prevents vsftpd from making the data connection
- an explicit rule on the OPNsense blocks traffic from LAN to WAN
- the client on the WAN side has a firewall blocking the data connection

Did you always make your tests with active FTP?

Quote from: Manxmann on March 03, 2017, 06:18:19 PM
The clients tested are Debian's default FTP and MS Windows, both can connect to ftp.debian.org for example eliminating the local firewall.
This has nothing to do with a reverse proxy. Connecting from LAN to WAN requires a forward ftp proxy.

You cannot use the same proxy as forward (LAN -> WAN) and reverse (WAN -> LAN) proxy.
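The point of the reply above is that the command that hangs is not the login but the second (data) connection, and who has to open it depends on whether the client sent PORT or asked for PASV. The following is an added example, not code from the thread or from OPNsense's ftp-proxy: it decodes one control-channel line and reports which side must initiate the data connection, whether the advertised address is the peer that sent it, and whether it is RFC 1918 space that NAT would have to rewrite. The addresses (203.0.113.5 for the client, 10.0.0.10 for vsftpd) are constructed for illustration.

```python
"""Added example, not code from the thread or the OPNsense project.

Decodes one line of the FTP control channel (the client's PORT command or
the server's 227 reply) and reports which side has to open the data
connection and where, which is the "N+1 request" that hangs in the thread.

All addresses are constructed for illustration: 203.0.113.5 is the client
on the Internet, 10.0.0.10 is vsftpd on the LAN behind the firewall.
"""
import ipaddress
import re

# RFC 959 active mode: client says "PORT h1,h2,h3,h4,p1,p2" and listens there.
PORT_RE = re.compile(r"^PORT\s+((?:\d{1,3},){5}\d{1,3})\s*$", re.IGNORECASE)
# Passive mode: server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\(((?:\d{1,3},){5}\d{1,3})\)")

# Address space NAT hides; a data endpoint in here is unreachable from the WAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(fields: str):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port), rejecting out-of-range values."""
    parts = [int(p) for p in fields.split(",")]
    if any(p > 255 for p in parts):
        raise ValueError(f"octet out of range in {fields!r}")
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return host, port


def plan_data_channel(line: str, client_ip: str, server_ip: str) -> dict:
    """Describe the data connection implied by one control-channel line.

    client_ip/server_ip are the two control-connection peers as the proxy
    sees them. The result says who listens, who connects, and flags two
    things a proxy or firewall must check: the advertised address should be
    the peer that sent the line, and it must be routable from the other side.
    """
    m = PORT_RE.match(line)
    if m:
        mode, listener, connector, expected = "active", "client", "server", client_ip
    else:
        m = PASV_RE.match(line)
        if m is None:
            raise ValueError(f"not a PORT command or 227 reply: {line!r}")
        mode, listener, connector, expected = "passive", "server", "client", server_ip
    host, port = decode_hostport(m.group(1))
    addr = ipaddress.ip_address(host)
    return {
        "mode": mode,
        "listener": listener,      # side that opens a listening socket for data
        "connector": connector,    # side whose outbound connection the firewall must allow
        "endpoint": (host, port),
        "matches_peer": host == expected,  # a proxy should refuse a mismatch
        "rfc1918": any(addr in n for n in RFC1918),  # needs rewriting at the NAT boundary
    }


def firewall_requirement(plan: dict) -> str:
    """One-line statement of what has to be open for this data connection to succeed."""
    host, port = plan["endpoint"]
    if plan["mode"] == "active":
        return (f"server must initiate an outbound connection to {host}:{port}; "
                "allow LAN->WAN from the FTP server and the client side must accept it")
    where = " (private address: proxy must rewrite it to the WAN address)" if plan["rfc1918"] else ""
    return f"client must connect to {host}:{port}{where}; forward that port to the server"


if __name__ == "__main__":
    # Constructed sample exchange mirroring the thread's two cases.
    for line in ("PORT 203,0,113,5,4,1",
                 "227 Entering Passive Mode (10,0,0,10,195,80)"):
        plan = plan_data_channel(line, client_ip="203.0.113.5", server_ip="10.0.0.10")
        print(f"{line!r}: {plan['mode']} mode, {plan['connector']} connects -> "
              f"{firewall_requirement(plan)}")
```

Run against the two constructed lines, the PORT case shows that vsftpd itself has to reach out to the client (so a LAN-to-WAN block or a client-side firewall kills exactly that step), while the 227 case shows a 10.0.0.10 endpoint that only works if something rewrites it on the way out, which is why forcing `ftp -p` through the reverse proxy succeeded in the thread.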

Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: Manxmann on March 08, 2017, 12:22:02 AM
Sorted, thanks for the replies