
Author Topic: NAT and vsftpd help pls  (Read 278 times)


Offline chudak

  • Full Member
  • ***
  • Posts: 108
  • Karma: +2/-0
NAT and vsftpd help pls
« on: September 10, 2017, 11:13:13 am »
I have setup vsftpd as in https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04

And forwarded ports as in https://snag.gy/YmTbo0.jpg

Is it the right way to do so?

When I check open ports, all the others except 21 are closed for some reason?!

Thx

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21571
  • Karma: +1471/-26
Re: NAT and vsftpd help pls
« Reply #1 on: September 11, 2017, 10:05:29 am »
vsftpd won't actually respond on any of those other ports except during a real FTP connection when it will accept connections from clients only on certain ports it designates for that client.

The only way to test the other ports, besides 21, is with an actual FTP client in passive mode outside your network (on WAN somewhere, or on the Internet).

Also, in your vsftpd.conf, you will need to set pasv_address=x.x.x.x where x.x.x.x is your real external WAN IP address.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline chudak

  • Full Member
  • ***
  • Posts: 108
  • Karma: +2/-0
Re: NAT and vsftpd help pls
« Reply #2 on: September 11, 2017, 05:01:18 pm »
> vsftpd won't actually respond on any of those other ports except during a real FTP connection when it will accept connections from clients only on certain ports it designates for that client.
>
> The only way to test the other ports, besides 21, is with an actual FTP client in passive mode outside your network (on WAN somewhere, or on the Internet).
>
> Also, in your vsftpd.conf, you will need to set pasv_address=x.x.x.x where x.x.x.x is your real external WAN IP address.

If I read you correctly I need to keep port forwarding as is.
ref: pasv_address - it's working now, do I still need to enable it?

It's odd but snort seems to be throwing alerts about FTP connections?!

Online johnpoz

  • Hero Member
  • *****
  • Posts: 15183
  • Karma: +1414/-206
  • Not a pfSense employee, they cannot fire me...
Re: NAT and vsftpd help pls
« Reply #3 on: September 12, 2017, 03:43:03 am »
Have to wonder why you don't take the advice they give right up front and use a more secure, and easier to set up, option like sftp? Now you don't have to deal with an active or passive data channel through NAT.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21571
  • Karma: +1471/-26
Re: NAT and vsftpd help pls
« Reply #4 on: September 12, 2017, 09:54:47 am »
> If I read you correctly I need to keep port forwarding as is.

Yes, though maybe not even all of those ports are required. Usually just 20-21 plus the pasv range.

> ref: pasv_address - it's working now, do I still need to enable it?

It may work with some clients like FileZilla which are smart enough to use the correct address anyhow, but other clients will break without that set.

> It's odd but snort seems to be throwing alerts about FTP connections?!

That's between you and your snort config.

Offline blex

  • Newbie
  • *
  • Posts: 17
  • Karma: +1/-0
Re: NAT and vsftpd help pls
« Reply #5 on: February 02, 2018, 05:34:49 am »
Hi,

Just in case you have problems: I just did the setup with a CARP address on WAN.

1. Create a NAT forward for port 21 to the internal IP
2. Create a NAT forward for the passive ports (like 20000 to 20010) to the internal IP
3. Add the following lines to vsftpd.conf
Code:
pasv_enable=YES
pasv_address=CARPWANIP
pasv_min_port=20000
pasv_max_port=20010

4. Search for listen_ipv6=YES, comment this out and add listen=YES

If you don't do step 4 you will see on the external FTP client something like:

Code:
ftp> dir
227 Entering Passive Mode (0,0,0,0,78,39).
ftp: connect: Connection refused
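As an added example (not code from this thread, from vsftpd or from pfSense), here is a small Python checker for the setup blex describes: it validates the vsftpd.conf passive settings against the NAT forward range and decodes a 227 passive reply, flagging the 0,0,0,0 address shown above and any advertised port outside the forwarded range. The conf text and the WAN address 203.0.113.10 are constructed placeholders, not values from the thread.

```python
import re
# Constructed sample vsftpd.conf modelled on the thread's steps 3 and 4;
# 203.0.113.10 is a placeholder for the CARP WAN IP (not from the thread).
SAMPLE_CONF = """\
listen=YES
#listen_ipv6=YES
pasv_enable=YES
pasv_address=203.0.113.10
pasv_min_port=20000
pasv_max_port=20010
"""

def parse_conf(text):
    """Parse key=value lines of a vsftpd.conf, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_pasv_config(conf, wan_ip, fwd_lo, fwd_hi):
    """Problems that break passive FTP behind a NAT forward of fwd_lo..fwd_hi on wan_ip."""
    problems = []
    if conf.get("pasv_enable", "YES").upper() != "YES":  # vsftpd's default is YES
        problems.append("pasv_enable is not YES")
    if conf.get("pasv_address") != wan_ip:
        problems.append("pasv_address missing or not the external WAN IP")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if not 0 < lo <= hi:
        problems.append("pasv_min_port/pasv_max_port is not a valid range")
    elif lo < fwd_lo or hi > fwd_hi:
        problems.append("passive port range is not fully covered by the NAT forward")
    if conf.get("listen_ipv6") == "YES":
        problems.append("listen_ipv6=YES: replace with listen=YES for IPv4 passive mode")
    return problems

def parse_pasv_reply(line):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.search(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        return None
    f = m.groups()
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])

def pasv_reply_ok(line, wan_ip, fwd_lo, fwd_hi):
    """True only if the server advertised the WAN IP and a port inside the NAT forward."""
    parsed = parse_pasv_reply(line)
    return parsed is not None and parsed[0] == wan_ip and fwd_lo <= parsed[1] <= fwd_hi
```

Run pasv_reply_ok against the 227 line your external client prints; the 0,0,0,0 reply from the thread fails it, while a reply carrying the WAN IP and a port in 20000-20010 passes.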