Setup Passive FTP server behind OPNSense

[labsy]

Hi,

I am trying to setup most secure Passive FTP server setup behind OPNSense. For the moment I have WORKING temporary solution:

On OPNSense I have NAT Port forwarded:
- port 21 from WAN to LAN FTP server IP
- passive ports range 10000-11000 from WAN to LAN FTP server IP
This works fine.

...BUT I do not want passive port range 10000-11000 to be statically opened from WAN to LAN.
So, as I understand, OPNSense/PFSense can use a kind of "FTP Helper" which intercepts FTP server response, in which FTP server instructs FTP client which passive port to use for data connection.
Communication goes like this:
1.) FTP client initiates connection on port 21
2.) In case of Explicit FTP over TLS, both then switch to TLS, exchanging certificates
3.) Then FTP client asks FTP server for PASV PORT
4.) Server answers and includes WAN IP address and PASV PORT on which FTP client should send/receive data
And this answer is here also recognized by OPNSense, which opens the requested data port for the client only.
5.) FTP client then sends and receives data on this data port and given WAN IP (not necessarily the same WAN IP as initial FTP connection was started on)

Now, within my FTP server I see the settings for:
- PASV port range
- and PASV WAN IP to be responded

But how/where to setup this on OPNSense?

[fabian]

Have you tried the os-ftproxy plugin?

Note: does not work with encrypted connections