Re: [pfSense Support] Configuration with Public IP DMZ

2006-09-28 Thread Michael Schuh

Hi,

First, thanks for your work and hints, but I have seen the entries in the forum and FAQ, and they do not cover my problem.
I think you have not really understood what I want, or rather, I have
not described my problem clearly enough.

Our ftp-server is on a public IP address (our complete DMZ is),
so I have to do no NAT on the DMZ interfaces/addresses.
The solution that you have described is only really valid for
private addresses on the DMZ like 192.168.1.24 or so (I think).

       WAN                  DMZ                  LAN
213.135.2.225/28 --- 213.135.2.240/28 --- 192.168.1.0

And therefore I cannot change our public IP addresses
(on the servers), e.g. change them to private ones, to operate with the known
configuration as described by you and the entries in the forum.

Possibly I think too strangely about the configuration
(this may result from iptables and other config strategies).

I would only redirect connections incoming on the WAN/LAN interface for
DMZ IP .247, port = ftp,
but not all connections on the WAN IP to port = ftp! This is important because
we would later run a second ftp-server or so, and with the described solution
this is impossible, or I must eventually spend a second virtual IP
from my WAN net.

I hope you and the others understand what I would like to get.


thanks for all

regards

michael

2006/9/28, Holger Bauer [EMAIL PROTECTED]:

This is extensively covered at the forum and there even is a FAQ entry at
faq.pfsense.com (I think).

However, quick guide:
- Delete all NAT/firewall rules you created for the ftp server (most likely wrong,
as it doesn't work) to start over.
- at Interfaces > WAN enable the ftp helper
- at Firewall > NAT, Port Forward create a port forward: interface WAN, interface address,
port 21, destination internal ftp server IP, port 21
- save (note the text in the apply message that it created a rule for the
ftp helper)
- apply

That's it

Holger

-Original Message-
From: Michael Schuh [mailto:[EMAIL PROTECTED]
Sent: Thu 28.09.2006 12:28
To: support@pfsense.com
Cc:
Subject: [pfSense Support] Configuration with Public IP DMZ



Hi,

I took pfSense into production use yesterday
(SNAPSHOT from 2006-09-26).
My configuration is:
wan public.226/28
DMZ public.241/28
lan privateip/24

Now I have the problem that my config for ftp-proxying our ftp-server
is probably wrong. I can connect to the ftp, but it passes only
one type of ftp connection (active or passive, not sure which).

As I said, our ftp server is on public.247, so I must redirect all
ftp connections to the ftp-proxy-helper, but I am not sure how.

I have disabled the automatic NAT rules, and also need the right
rules for outbound ftp sessions.
At the moment I have configured outbound NAT only for
our private net, except the DMZ net.

Another question is about /etc/sysctl.conf. I have made
an entry for proxyarp, because our interconnect disconnects the
DMZ net if they get no ARP addresses (for me this is bullshit, a
security leak),
but it doesn't work otherwise.
Does /etc/sysctl get mangled or changed by an update? If so, is there
another possibility to change net.link.ether.inet.proxyall to 1?
(default 0).

thanks a lot

regards

michael

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [pfSense Support] Configuration with Public IP DMZ

2006-09-28 Thread Holger Bauer
As the ftp server has a routed public IP, disable the ftp-helper at WAN (or keep
it disabled; it is by default). Then all you need is firewall rules permitting
TCP traffic from source any to destination public IP of the ftp server, port 21,
and additionally the port range that the ftp server uses. You don't
need to port forward or NAT.

Additionally I suggest enabling advanced outbound NAT. It will create a default
NAT rule for your LAN subnet only, so NAT for the DMZ interface is shut down by
this (which you don't need in your setup). This way it should work with the
above described firewall rules.

Holger
Re: [pfSense Support] Configuration with Public IP DMZ

2006-09-28 Thread Michael Schuh

Hi,
2006/9/28, Holger Bauer [EMAIL PROTECTED]:

> As the ftp server has a routed public IP, disable the ftp-helper at WAN (or keep it
> disabled; it is by default). Then all you need is firewall rules permitting TCP
> traffic from source any to destination public IP of the ftp server, port 21, and
> additionally the port range that the ftp server uses. You don't need to
> port forward or NAT.

Yes, this is configured, except the other ports.
And yes, the other ports are my problem, but I'm not sure what ports
are to open. I have found a hint to 9500 to ,
the config says not much about this... oh, I have found it: 49152-65535 on FBSD,
if I am right there...


> Additionally I suggest enabling advanced outbound NAT. It will create a default
> NAT rule for your LAN subnet only, so NAT for the DMZ interface is shut down by
> this (which you don't need in your setup). This way it should work with the
> above described firewall rules.

I have checked this also, and there is no automagically created NAT rule.
I have made a NO NAT rule for the DMZ target, and an outbound NAT rule for
the whole internal private net except the DMZ subnet.
Here I'm not sure if the exception should cover the complete public IP range,
here 213.135.2.224/27.


thanks for your help

cheers

michael


> Holger
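The rule set Holger describes (plain pass rules for a routed public DMZ host, no port forward, no NAT for the DMZ, NAT for the LAN only, ftp helper left off) together with the passive-port question from the reply above, written out as a pf ruleset. This is an added example, not part of the thread and not the ruleset pfSense generates from its GUI (pfSense writes its own rules from the web configurator; this is only the pf equivalent of the advice). The interface names em0/em1/em2 and the passive range 50000:50100 are assumptions; the addresses come from the diagram in the thread:

```pf
# Added example (not from the thread): pf ruleset for a routed public-IP DMZ.
# Interface names are assumed; addresses are the ones given in the thread.
ext_if = "em0"   # WAN, 213.135.2.225/28
dmz_if = "em1"   # DMZ, 213.135.2.240/28, routed public addresses, no NAT
lan_if = "em2"   # LAN, 192.168.1.0/24

dmz_net = "213.135.2.240/28"
lan_net = "192.168.1.0/24"
ftp_srv = "213.135.2.247"

# Passive data ports. The thread mentions 49152-65535, the FreeBSD default
# ephemeral range; a narrower range configured on the ftp server itself
# (assumed here) keeps the open window small.
ftp_pasv = "50000:50100"

# Translation: the DMZ keeps its public addresses unchanged ("no nat" must
# come before the nat rule, since pf uses the first matching translation rule);
# only the private LAN is NATed to the WAN address.
no nat on $ext_if from $dmz_net to any
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny for inbound traffic on every interface.
block in log all

# Inbound FTP control channel and passive-mode data channel to the DMZ host.
# Stateful rules, so the reply packets are matched by state, not by rules.
pass in on $ext_if proto tcp from any to $ftp_srv port 21 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftp_srv port $ftp_pasv flags S/SA keep state

# Active-mode data channel: the server opens the connection itself from source
# port 20 towards the client, so it arrives on the DMZ interface.
pass in on $dmz_if proto tcp from $ftp_srv port 20 to any flags S/SA keep state

# LAN clients may reach both the DMZ and the Internet.
pass in on $lan_if from $lan_net to any keep state
```

With this layout no address is rewritten on the way to the DMZ, so a second ftp server on another .240/28 address only needs its own pair of pass rules rather than a second virtual WAN address. The exception for outbound NAT only needs to cover the DMZ subnet (213.135.2.240/28), since that is the only public range whose hosts sit behind the firewall; the larger /27 contains the WAN segment, which never passes through the NAT rule in the first place.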