OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: faunsen on November 02, 2016, 05:25:02 pm

Title: FTP Proxy Howto
Post by: faunsen on November 02, 2016, 05:25:02 pm
Allow FTP Traffic
This how-to describes the steps to allow FTP traffic from your local network to the internet and from the internet to a FTP server protected by your OPNsense firewall.



Prerequisites
To allow FTP traffic we have to redirect all FTP connections to a local FTP proxy server which dynamically inserts and removes firewall rules according to the FTP port commands.
Additionally we need rules to allow traffic on the local interface to this proxy.

For the setup of the proxy we use the "Ftp Proxy" plugin. It was released with OPNsense 16.7.8.



Forward FTP Proxy
The forward proxy enables internal clients to connect to FTP servers on the internet.

(http://i67.tinypic.com/2hhn37l.png)


To add a new FTP proxy server navigate to Services->FTP Proxy and click on the Add Button bottom right.
Now you see a dialog with the proxy settings.
(http://i63.tinypic.com/10hu1li.png)

For now you can leave the defaults.

NOTE: If the outbound NAT address is different than the primary interface address you need to specify the NAT address as "Source Address".
      This is probably the case in clustered setups with CARP.

Clicking on Save changes creates a new FTP proxy server and starts it. Be patient, this takes a few seconds.
Now this proxy listens on 127.0.0.1 on port 8021 and you should see it as a new entry in the proxy server list.

(http://i65.tinypic.com/549api.png)

The green background indicates that the proxy is running. If the background appears yellow it is disabled and stopped.


Next we create rules to allow and redirect FTP from LAN interface to the proxy.
Go to Firewall->NAT->Port Forward and click on the Add Button.
Here we change following options:
   Interface: LAN
   Destination: any
   Destination port range: FTP
   Redirect target IP: 127.0.0.1
   Redirect target port: (other) 8021

This will create a redirect rule for all FTP connections to the internet
(http://i66.tinypic.com/rw3r85.png)

and a rule to allow FTP connections to the proxy. (See Firewall->Rules->LAN)
(http://i68.tinypic.com/2pqrmea.png)

Apply these changes and you can connect FTP server on the internet.



Reverse FTP Proxy
The reverse proxy enables access from internet to a local FTP server behind the firewall.
Clients connecting the firewall via FTP will be redirected to a local FTP proxy and then to the internal FTP server.

(http://i65.tinypic.com/20r0dq9.png)


So let's create a new FTP proxy and configure the "Reverse address" to point to the internal FTP server at 192.168.1.15.
(http://i66.tinypic.com/15p2xdh.png)

Here we need the rules to redirect the traffic from the WAN Interface to the proxy as well.
Go to Firewall->NAT->Port Forward and add a new rule:
   Interface: WAN
   Destination: WAN address
   Destination port range: FTP
   Redirect target IP: 127.0.0.1
   Redirect target port: (other) 8022

And additionally to the auto generated rules we allow FTP access to the WAN interface.
(http://i68.tinypic.com/oa877p.png)

Apply the changes and the FTP server is accessible from the internet.

Title: Re: FTP Proxy Howto
Post by: BlaM on January 06, 2017, 03:49:52 pm
I'm on OPNsense 16.7.12, but I can't find the Ftp Proxy option. Do I have to enable the plugin somehow? Or has it been removed?
Title: Re: FTP Proxy Howto
Post by: franco on January 06, 2017, 03:59:41 pm
See: System: Firmware: Plugins. It needs to be installed as it is not in the standard installation.


Cheers,
Franco
Title: Re: FTP Proxy Howto
Post by: Wayne Train on November 27, 2017, 02:55:12 pm
Hi.

Is this "forward-proxy" example really correct ? I set it up like that with the proxy listening on 127.0.0.1, but ftp doesn't work for me. In the NAT-rule I had to choose a VLAN-interface, since I have a few seperate VLANs.
Isn't it more logical to make the proxy listening on for example 192.168.1.1 f.e., if this is considered the internal gateway on the LAN side ?
Thank you.

Best regards,
Wayne
Title: Re: FTP Proxy Howto
Post by: hutiucip on November 28, 2017, 10:41:36 am
You can do that.

I prefer it that way too, much more easy to control what is published/ redirected to where in NAT rules, especially when you have multiple internal (LAN) interfaces with different purposes and rules (LAN, Wi-Fi, Perimeter etc.).

The single one different thing I do on the reverse proxy is that I always set the IP address of the FW facing the FTP server as source address to be communicated to the FTP server.

Both forward and reverse proxy for FTP explained here are working fine, I have implemented them on two completely different OPNsense protected networks (different means no single common/ direct touching point - different ISP, different subnets, different everything) and now I can connect from any LAN to any other FTP server, both as active or passive connection. The forward proxy on the client side does the job well for creating dynamic inbound rules on FW for data port selected/ determined by the client (for active connection), and the reverse proxy does the same on the other (server) side for data port selected/ determined by the server (for passive connection).

With a forward proxy configured as exemplified here you can connect (active connections only) from behind it to any FTP in the world existing behind a simple NAT for port 21 (even without a reverse FTP proxy).

Conversely, with a reverse proxy for your FTP server, you ensure every client in the world can connect to your published FTP server without a glitch (passive connection only).

Though, to be able to use active connections for everything to/ from everything, both FW/ NAT equipment in between the client(s) and the server(s) must have forward and reverse proxies, respectively, properly configured.

There is no way you can successfully initiate a FTP connection (active or passive) from behind a NAT to a NATed FTP server (aka double NAT) only by using NAT for the server, without at least one FTP proxy, either reverse in front of the server, either forward in front of the client (there is, though, the workaround to play with the ephemeral ports on FW/ NAT on the server side, but is cumbersome, and only works for passive connections, plus it somehow lowers the security on the FW/NAT equipment).
Title: Re: FTP Proxy Howto
Post by: faunsen on November 28, 2017, 11:40:11 am
Hi Wayne,

Isn't it more logical to make the proxy listening on for example 192.168.1.1 f.e., if this is considered the internal gateway on the LAN side ?

no.

Connecting the proxy without a redirection doesn't work. Therefore you don't need it to listen on LAN/OPT.

If you let the proxy listen on the LAN/OPT interface you need a proxy for every LAN/OPT interface.
A proxy on 127.0.0.1 can serve all FTP connections.
In any case you still need the port forwarding rules.


Cheers,
Frank