Can't access FTP server behind OPNSense

Started by npowroz, May 03, 2025, 10:24:22 PM

I have an internal network of several servers with OPNSense acting as the firewall and gateway. My external connection includes a /28 subnet, so I have about a dozen usable external IP addresses. I have several FTP servers running on my network, and have been trying, unsuccessfully, to allow access to them from the outside world. I am only trying to get one working for the moment, and I figure that once I get that one allowing connections, then I can use the lessons learned to get the others up.

I have installed the FTP-proxy, and followed the tutorial on how to set it up. I figure I must have one of the rules incorrectly configured, as every time I try to connect to the FTP server from a remote system, the connection attempt times out without even showing the login banner.

The proxy has rules set for "Listen Address" of 127.0.0.1 for both ports 8021 and 8022. The 8021 is to allow outbound FTP connections to external systems, and that works fine.

Under Firewall->NAT->Port Forward, I have a rule defined as "WAN/TCP/*/*/External IP/21(FTP)/127.0.0.1/8022" and a rule defined as "LAN/TCP/*/*/127.0.0.1/8022/Internal IP/21(FTP)".

So, I read that as "incoming FTP requests to the external IP get routed to the loopback address of 127... at port 8022". In turn, "anything sent to port 8022 at address 127... on the LAN side gets routed to the internal IP at port 21".

To me, it all looks correct, but it doesn't work, as any incoming FTP request gets blocked or ignored, and the inbound request times out.

Is there some other rule I should have to connect all the dots, or have I missed something somewhere? Any help gratefully appreciated.

Cheers
Norm



This tutorial? https://forum.opnsense.org/index.php?topic=3868.0

The first part is for a proxy (outbound to external FTP server).
That appears to be working, although I'm not sure how it is relevant.

The second part is for a reverse proxy, which appears to be what you want.
There's only one PF rule in the tutorial, for the WAN side and your read is fine.
The reverse proxy should then connect to your internal FTP server specified in the reverse proxy config. No rule needed for this.

In any case, there's no need for a PF rule on the LAN side for a reverse proxy.

Try to connect from the outside (e.g. from a phone or tethered to a phone).
Your FW logs should show pass/redirected traffic in on WAN (logging enabled on the rule), out on LAN.
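One way to do the outside check the reply suggests, added here as an example (not code from the thread or from OPNsense's ftp-proxy): it connects to the forwarded address, waits for the FTP greeting, and classifies what happens, so the symptom in the first post ("times out without even showing the login banner") can be told apart from a refused connection or a chain that accepts but never greets. The host, port and greeting text are placeholders; the local fake listener is constructed only so the checker can be run offline.

```python
import socket
import threading
from typing import Optional, Tuple

# Placeholder for the forwarded address: on the page this is the external IP on
# port 21, which OPNsense redirects to ftp-proxy on 127.0.0.1:8022 (reverse mode).
EXTERNAL_FTP = ("203.0.113.10", 21)  # hypothetical, TEST-NET-3 address
DEFAULT_TIMEOUT = 5.0


def ftp_banner_check(host: str, port: int = 21,
                     timeout: float = DEFAULT_TIMEOUT) -> Tuple[str, str]:
    """Connect to host:port and wait for the FTP greeting.

    Returns (status, detail):
      "banner"     220 greeting arrived: the redirect chain passes traffic.
      "unexpected" data arrived but it is not a 220 greeting.
      "no-banner"  TCP connected, nothing arrived before the timeout: the
                   proxy accepted but the hop to the backend is not answering.
      "closed"     peer accepted then closed without greeting.
      "timeout"    the TCP handshake itself timed out (packet dropped, e.g.
                   the WAN redirect rule is missing or wrong).
      "refused"    peer reset the connection (nothing listening / reject rule).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return "no-banner", ""
    except socket.timeout:
        return "timeout", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError as e:
        return "error", str(e)
    if not data:
        return "closed", ""
    first = data.split(b"\r\n")[0].decode("ascii", errors="replace").strip()
    return ("banner" if first.startswith("220") else "unexpected"), first


def start_fake_ftp(greeting: Optional[bytes]) -> Tuple[str, int]:
    """Constructed local listener for testing: sends `greeting` on accept, or
    stays silent (like a proxy whose backend never answers) when it is None."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if greeting is not None:
                conn.sendall(greeting)
            conn.settimeout(30)  # hold the socket open until the client leaves
            try:
                conn.recv(1)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


def closed_local_port() -> int:
    """Return a loopback port that nothing is listening on (constructed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against the real forwarded address (placeholder), then the local fakes.
    print(EXTERNAL_FTP, ftp_banner_check(*EXTERNAL_FTP, timeout=3.0))
    print("greeting ", ftp_banner_check(*start_fake_ftp(b"220 FTP ready\r\n")))
    print("silent   ", ftp_banner_check(*start_fake_ftp(None), timeout=1.0))
    print("closed   ", ftp_banner_check("127.0.0.1", closed_local_port()))
```

Run it from a host outside the WAN, as the reply says. A "timeout" status means the SYN was never answered, which points at the WAN redirect (or the pass rule on the WAN interface) rather than at the proxy; "no-banner" or "closed" means the redirect works but the proxy could not complete the second hop to the internal server. The check stops at the greeting, so it says nothing about data connections; the FileZilla-versus-ftp.exe difference in the last post is consistent with the Windows command-line client only supporting active (PORT) mode, which the greeting check does not exercise.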

Success! Finally ;)

It turned out to be a case of too many rules in one sense, and not enough in another. The tutorial you referenced was the one I followed, but what had screwed me up was the last two rules shown at the end of the tutorial. I didn't realize that it was referring to the collection in Firewall->Rules->WAN, so I hadn't properly defined the rules. Once I cleaned things up, and seeing your comments about not needing more than one PF rule, I got it working by simplifying the rules.

Interestingly enough, it works perfectly with FileZilla as the FTP client, but not using the Windows command-line FTP client. And I am using a remote system as the client source. I have a rented server in a facility about 1,000 km away. I connect to it using RDP and then come back to my network using various protocols. In this case I needed FTP as the protocol, and that now works perfectly.

Now to set up another FTP server using the same approach.

Thanks again for the assist.