FTP Proxy Howto

[faunsen]

Allow FTP Traffic
This how-to describes the steps to allow FTP traffic from your local network to the internet and from the internet to a FTP server protected by your OPNsense firewall.



Prerequisites
To allow FTP traffic we have to redirect all FTP connections to a local FTP proxy server which dynamically inserts and removes firewall rules according to the FTP port commands.
Additionally we need rules to allow traffic on the local interface to this proxy.

For the setup of the proxy we use the "Ftp Proxy" plugin. It was released with OPNsense 16.7.8.



Forward FTP Proxy
The forward proxy enables internal clients to connect to FTP servers on the internet.




To add a new FTP proxy server navigate to Services->FTP Proxy and click on the Add Button bottom right.
Now you see a dialog with the proxy settings.


For now you can leave the defaults.

NOTE: If the outbound NAT address is different than the primary interface address you need to specify the NAT address as "Source Address".
      This is probably the case in clustered setups with CARP.

Clicking on Save changes creates a new FTP proxy server and starts it. Be patient, this takes a few seconds.
Now this proxy listens on 127.0.0.1 on port 8021 and you should see it as a new entry in the proxy server list.



The green background indicates that the proxy is running. If the background appears yellow it is disabled and stopped.


Next we create rules to allow and redirect FTP from LAN interface to the proxy.
Go to Firewall->NAT->Port Forward and click on the Add Button.
Here we change following options:
   Interface: LAN
   Destination: any
   Destination port range: FTP
   Redirect target IP: 127.0.0.1
   Redirect target port: (other) 8021

This will create a redirect rule for all FTP connections to the internet


and a rule to allow FTP connections to the proxy. (See Firewall->Rules->LAN)


Apply these changes and you can connect FTP server on the internet.



Reverse FTP Proxy
The reverse proxy enables access from internet to a local FTP server behind the firewall.
Clients connecting the firewall via FTP will be redirected to a local FTP proxy and then to the internal FTP server.




So let's create a new FTP proxy and configure the "Reverse address" to point to the internal FTP server at 192.168.1.15.


Here we need the rules to redirect the traffic from the WAN Interface to the proxy as well.
Go to Firewall->NAT->Port Forward and add a new rule:
   Interface: WAN
   Destination: WAN address
   Destination port range: FTP
   Redirect target IP: 127.0.0.1
   Redirect target port: (other) 8022

And additionally to the auto generated rules we allow FTP access to the WAN interface.


Apply the changes and the FTP server is accessible from the internet.

[BlaM]

I'm on OPNsense 16.7.12, but I can't find the Ftp Proxy option. Do I have to enable the plugin somehow? Or has it been removed?

[franco]

See: System: Firmware: Plugins. It needs to be installed as it is not in the standard installation.


Cheers,
Franco

[Wayne Train]

Hi.

Is this "forward-proxy" example really correct ? I set it up like that with the proxy listening on 127.0.0.1, but ftp doesn't work for me. In the NAT-rule I had to choose a VLAN-interface, since I have a few seperate VLANs.
Isn't it more logical to make the proxy listening on for example 192.168.1.1 f.e., if this is considered the internal gateway on the LAN side ?
Thank you.

Best regards,
Wayne

[Ciprian]

You can do that.

I prefer it that way too, much more easy to control what is published/ redirected to where in NAT rules, especially when you have multiple internal (LAN) interfaces with different purposes and rules (LAN, Wi-Fi, Perimeter etc.).

The single one different thing I do on the reverse proxy is that I always set the IP address of the FW facing the FTP server as source address to be communicated to the FTP server.

Both forward and reverse proxy for FTP explained here are working fine, I have implemented them on two completely different OPNsense protected networks (different means no single common/ direct touching point - different ISP, different subnets, different everything) and now I can connect from any LAN to any other FTP server, both as active or passive connection. The forward proxy on the client side does the job well for creating dynamic inbound rules on FW for data port selected/ determined by the client (for active connection), and the reverse proxy does the same on the other (server) side for data port selected/ determined by the server (for passive connection).

With a forward proxy configured as exemplified here you can connect (active connections only) from behind it to any FTP in the world existing behind a simple NAT for port 21 (even without a reverse FTP proxy).

Conversely, with a reverse proxy for your FTP server, you ensure every client in the world can connect to your published FTP server without a glitch (passive connection only).

Though, to be able to use active connections for everything to/ from everything, both FW/ NAT equipment in between the client(s) and the server(s) must have forward and reverse proxies, respectively, properly configured.

There is no way you can successfully initiate a FTP connection (active or passive) from behind a NAT to a NATed FTP server (aka double NAT) only by using NAT for the server, without at least one FTP proxy, either reverse in front of the server, either forward in front of the client (there is, though, the workaround to play with the ephemeral ports on FW/ NAT on the server side, but is cumbersome, and only works for passive connections, plus it somehow lowers the security on the FW/NAT equipment).

[faunsen]

Hi Wayne,

Isn't it more logical to make the proxy listening on for example 192.168.1.1 f.e., if this is considered the internal gateway on the LAN side ?

no.

Connecting the proxy without a redirection doesn't work. Therefore you don't need it to listen on LAN/OPT.

If you let the proxy listen on the LAN/OPT interface you need a proxy for every LAN/OPT interface.
A proxy on 127.0.0.1 can serve all FTP connections.
In any case you still need the port forwarding rules.


Cheers,
Frank

[jmp20]

Hi,

I am having a problem with this setup where the client connect to ftp proxy but then OPNsense sends the data back into itself on port 21.

client: 192.168.20.20:23456 --> firewall: 127.0.0.1:8021
then from
firewall: 10.10.10.11:45678 --> firewall: 10.10.10.11:21


See my full post here: https://forum.opnsense.org/index.php?topic=12617.msg58173#msg58173

Any help is greatly appreciated.

jmp

[Link2019]

Hi,

I am having a problem with this at the moment. I have my port 21 forwarded to my FTP server but I am only able to connect in Active mode via an ftp client, If I try and connect in passive mode, I get a time out error.

I followed this example but that made no difference.
Looking at my logs I cannot see any ports being blocked

[faunsen]

You should redirect port 21 to the FTP proxy not the server.

Client --> firewall WAN_IP:21 --> ftp-proxy 127.0.0.1:8021 --> your_local_ftp_server:21

[Link2019]

Hi Faunsen,

So I followed your instructions and made a slight change

Client --> firewall WAN_IP:21 --> ftp-proxy 127.0.0.1:21 --> your_local_ftp_server:21 and it worked. For some reason trying 8021 didn't work.

Thanks for your help though!!

[faunsen]

Ah, I see the problem. Tinypic has shutdown and now some pictures are missing.
Will fix that.

You should configure your ftp-proxy to listen on 8021.

[Wim post]

I have followed the instructions multiple times, double checking everyting. but ftp just won't connect. if I try to connect locally, it works. But no mather what I do, it just won't connect from outside the network. I can't tell you why exactly, not really shure where to check and witch log will tell me why it won't connect.

[faunsen]

This is a how-to and not meant for resolving problems.

Can you please start a new topic in the '19.7 Production Series' section and inform me via PM?


Thanks 

[mauro]

Dear all,

I would say I followed this tutorial but I'm still not able to connect to the local FTP server.

I only need to set up access to a local FTP from the LAN to start and then from the WAN once everything works

These my steps not far from this tutorial
-create an alias FTP proxy server: 127.49.49.1
- FTP PROXY -  loopback ftp proxy server, 127.49.49.1:8822 to FTP local Server IP:21
- LAN address NAT to ftp proxy server (TCP, LAN Address, dport 21 redirect to 127.49.49.1:8822)

If I check the log on the ftp server there is no logged connection from 127.49.49.1 and also no packets passed through the ftp iptables rules

Ftp proxy is up and running (green light in the dashboard and alocated web page) but seams not forwarding the info. Has anybody faced similar issue?

Thanks in advance