Author Topic: Production 19.1.4 FTP-Proxy Setup  (Read 3245 times)

jmp20

« on: April 03, 2019, 05:34:30 pm »
Hello,

I followed the instructions to set up ftp-proxy as an FTP forward proxy given at https://forum.opnsense.org/index.php?topic=3868.0. However, I am not able to get it working correctly unless I specify a reverse address to the internet. This will create difficulties in using ftp-proxy, as I will have to define each external site and map it to a specific port. I took a trace on the internal and external interfaces, and it looks like ftp-proxy does not pass the connection to the external interface unless an external/internet address is indicated. When an internet reverse address is included in the setup, I see the OPNsense IP address sending to the Internet FTP site, but in the case shown below I do not. I have included the TCP trace below. Any setup hints you may provide are appreciated. jmp.

Version
   OPNsense 19.1.4-amd64
   FreeBSD 11.2-RELEASE-p9-HBSD
   OpenSSL 1.0.2r 26 Feb 2019

FTP client: 10.20.30.41
OPNsense: 10.10.10.11
External IP: 12.3.4.5
NAT is set up on the WAN interface from LAN net

Code:
INTERNAL INTERFACE
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.346263 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 1, win 256, length 0
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.346263 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 1, win 256, length 0
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.346263 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 1, win 256, length 0
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.346263 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 1, win 256, length 0
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.346263 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 1, win 256, length 0
10:58:13.445143 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [F.], seq 1, ack 1, win 256, length 0
10:58:13.445203 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [.], ack 2, win 513, length 0
10:58:13.445232 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [F.], seq 1, ack 2, win 513, length 0
10:58:13.453237 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 2, win 256, length 0

Code:
EXTERNAL INTERFACE
listening on vmx0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.346263 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 1, win 256, length 0
10:58:13.445143 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [F.], seq 1, ack 1, win 256, length 0
10:58:13.445203 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [.], ack 2, win 513, length 0
10:58:13.445232 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [F.], seq 1, ack 2, win 513, length 0
10:58:13.453237 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 2, win 256, length 0
« Last Edit: April 03, 2019, 05:38:16 pm by jmp20 »
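
One way to read the internal-interface trace in the post above, as an added example that is not part of the original thread: the script drops the repeated tcpdump lines and summarises the control connection (where it was addressed, whether any payload such as an FTP banner was exchanged, and which side closed it). The names `summarize`, `firewall_ips` and the result keys are assumptions of this example.

```python
import re
from datetime import datetime

# Packets copied from the internal-interface trace above (one repeat kept on purpose).
TRACE = """\
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.338702 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [S.], seq 1731605656, ack 4199712235, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
10:57:53.338574 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [S], seq 4199712234, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:57:53.346263 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 1, win 256, length 0
10:58:13.445143 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [F.], seq 1, ack 1, win 256, length 0
10:58:13.445203 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [.], ack 2, win 513, length 0
10:58:13.445232 IP 10.10.10.11.21 > 10.20.30.41.49204: Flags [F.], seq 1, ack 2, win 513, length 0
10:58:13.453237 IP 10.20.30.41.49204 > 10.10.10.11.21: Flags [.], ack 2, win 256, length 0
"""
PKT = re.compile(r"^(\S+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]+)\].* length (\d+)$")

def summarize(trace, firewall_ips):
    """Summarise each TCP connection found in tcpdump text output."""
    flows, seen = {}, set()
    for line in map(str.strip, trace.splitlines()):
        m = PKT.match(line)
        if not m or line in seen:      # skip headers and exact repeats
            continue
        seen.add(line)
        ts, src, sport, dst, dport, flags, length = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":               # bare SYN: its sender is the client
            flows[fwd] = {"client": src, "server": dst, "port": int(dport), "start": t,
                          "end": t, "synack": False, "c2s": 0, "s2c": 0, "closed_by": None}
            continue
        f = flows.get(fwd) or flows.get(rev)
        if f is None:
            continue
        from_client = fwd in flows
        f["end"] = t
        f["synack"] |= flags == "S." and not from_client
        f["c2s" if from_client else "s2c"] += int(length)
        if "F" in flags and f["closed_by"] is None:
            f["closed_by"] = "client" if from_client else "server"
    for f in flows.values():
        f["seconds"] = round((f.pop("end") - f.pop("start")).total_seconds(), 3)
        f["dst_is_firewall"] = f["server"] in firewall_ips   # client aimed at the firewall itself
        f["silent"] = f["synack"] and f["c2s"] == 0 and f["s2c"] == 0  # no banner, no commands
    return list(flows.values())

if __name__ == "__main__":
    for flow in summarize(TRACE, {"10.10.10.11"}):  # OPNsense address from the post
        print(flow)
```

On this trace it reports a completed handshake addressed to the OPNsense address itself, zero payload bytes in either direction, and a client-side close after about 20 seconds.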

fabian

« Reply #1 on: April 03, 2019, 06:21:36 pm »
The DNAT rule must be placed on LAN.

jmp20

« Reply #2 on: April 03, 2019, 10:04:25 pm »
Hi Fabian,

Thanks for the quick response. What I mean by "NAT is set up on WAN interface from LAN net" is Firewall, NAT: Outbound:

Interface  Source   Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        LAN net  *            *            *                 wan address  *         NO           FW_NAT

On NAT Port Forward I have a redirect rule:

LAN   TCP   10.20.30.0/24    *   *   21 (FTP)   127.0.0.1   8021

By the way, outgoing FTP connections to internet sites work OK with Shadowsocks. However, I would rather have ftp-proxy working, as some clients may not be able to use SOCKS proxies for FTP access.
« Last Edit: April 04, 2019, 02:18:13 pm by jmp20 »

jmp20

« Reply #3 on: April 05, 2019, 04:42:37 pm »
Hi,

Are there any other configuration options that I should be looking at?
