OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Manxmann on March 03, 2017, 06:18:19 pm

Title: [SOLVED] FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: Manxmann on March 03, 2017, 06:18:19 pm
Hi Folks,

I'm having an issue with FTP Proxy so need some guidance again.

Ok first off the network plan is as follows:

[Internet] > [OPNSense] > [FTP Server vsftpd]

So far I've:

/ Installed the FTP-Proxy plugin
/ Configured a single proxy instance listening on 127.0.0.1:8021, reverse address set to internal ip of ftp server port 21
/ Added a WAN rule allowing ftp/21 to the WAN IP Address
/ Added a port forward rule forwarding WAN ftp/21 to 127.0.0.1:8021

Ok, if I ftp to the WAN IP Address I can connect to the FTP-Proxy and log on to the target FTP server (either anonymous or a local user account). However, if I then try to perform any action I get the following; the command hangs, hence the Ctrl+C to cancel:

yyyyy@GC-JUMPBOX:~$ ftp -v 159.8.x.x
Connected to 159.8.x.x.
220 Welcome to the Txxx Sxxxx Patching FTP service.
Name (159.8.x.x:yyyyy): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
^C
421 Service not available, remote server has closed connection

receive aborted
waiting for remote to finish abort
ftp>

The clients tested are Debian's default FTP and MS Windows, both can connect to ftp.debian.org for example eliminating the local firewall.

It looks like when the FTP client issues the N+1 request the proxy doesn't work.

If I connect directly to the FTP server using a client on the same lan everything works.

Any help very much appreciated.

Simon
Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: Manxmann on March 03, 2017, 06:26:09 pm
Quick update, if I force passive mode on the client ftp -p I can connect.

Trouble is I don't have control over which clients connect so cannot rely on this as a solution.
Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: franco on March 03, 2017, 07:30:36 pm
Hi Manxmann,

Can you double check with the official tutorial and tell us what isn't working as expected?

https://forum.opnsense.org/index.php?topic=3868.0


Thank you,
Franco
Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: faunsen on March 04, 2017, 01:56:05 pm
Ok, the ftp server cannot create an active data connection.
Possible reasons:
- a firewall or selinux prevents vsftpd from making the data connection.
- an explicit rule on the OPNsense blocks traffic from LAN to WAN
- the client on WAN site has a firewall blocking the data connection

Did you make your tests always with active ftp?

The clients tested are Debian's default FTP and MS Windows, both can connect to ftp.debian.org for example eliminating the local firewall.
This has nothing to do with a reverse proxy. Connecting from LAN to WAN requires a forward ftp proxy.

You cannot use the same proxy as forward (LAN -> WAN) and reverse (WAN -> LAN) proxy.

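As an added illustration of the active/passive point made above (example code, not from the thread or the OPNsense project): the script below reads a constructed FTP control-channel transcript, decodes the PORT and 227 endpoints, and records who must open the data connection and therefore which firewall direction has to be open. The client and server addresses are constructed, not the poster's.

```python
import ipaddress
import re

# Constructed control-channel transcript modelled on the thread: ">" is what the
# WAN client (203.0.113.10, constructed) sends, "<" is what the proxied vsftpd
# (192.168.1.20, constructed LAN address) answers.
SAMPLE_SESSION = """\
> PORT 203,0,113,10,195,80
< 200 PORT command successful. Consider using PASV.
> LIST
> PASV
< 227 Entering Passive Mode (192,168,1,20,78,16).
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_endpoint(groups):
    """Turn the six numbers of a PORT/227 line into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channels(session):
    """Return one record per negotiated data channel: who connects, to where,
    and which firewall direction must be open for it to succeed."""
    records = []
    for line in session.splitlines():
        direction, _, text = line.partition(" ")
        m = PORT_RE.match(text) if direction == ">" else PASV_RE.match(text)
        if not m:
            continue
        ip, port = decode_endpoint(m.groups())
        active = direction == ">"  # PORT: the client tells the server where to connect
        records.append({
            "mode": "active" if active else "passive",
            # Active: the server opens the data connection towards the client, so the
            # LAN FTP server needs an outbound path (LAN -> WAN); a reverse proxy that
            # only handles WAN -> LAN on port 21 does not provide that.
            # Passive: the client opens the data connection towards the server, so an
            # inbound path (WAN -> LAN) to the advertised port is needed instead.
            "initiator": "server" if active else "client",
            "endpoint": (ip, port),
            "rule_needed": "LAN -> WAN outbound from server" if active else "WAN -> LAN inbound to server",
            # An RFC 1918 address in a 227 reply is unreachable from the WAN unless
            # the proxy or NAT rewrites it.
            "rfc1918_endpoint": any(ipaddress.ip_address(ip) in n for n in RFC1918),
        })
    return records
```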
Title: Re: FTP-Proxy FTP server behind OPNSense FW with NAT
Post by: Manxmann on March 08, 2017, 12:22:02 am
Sorted, thanks for the replies