Hi,
2006/9/28, Holger Bauer <[EMAIL PROTECTED]>:
> As the ftp server has a routed public IP, disable the ftp-helper at WAN (or keep it
> disabled, it is by default). Then all you need is firewall rules permitting tcp
> traffic from source any to destination <public IP of ftp-server> port 21 and,
> additional to that, the port range that the ftp server uses. You don't need to
> port forward or NAT.
Yes, this is configured, except the other ports.
And yes, the other ports are my problem..... but I'm not sure what ports
are to open.... I have found a hint to 9500 to 9999,
the config says not much about this ... oh, I have found it: 49152-65535 on FBSD,
if I'm right there...

> Additionally I suggest enabling advanced outbound NAT. It will create a default
> NAT rule for your LAN subnet only. So NAT for the DMZ interface is shut down by
> this (which you don't need in your setup). This way it should work with the
> above described firewall rules.
I have also checked this, and there is no automagically created NAT rule.
I have made a NO NAT rule for the DMZ target, and an outbound NAT rule for
the whole internal private net except the DMZ subnet.
Here I'm not sure if the exception should cover the complete public IP range,
here 213.135.2.224/27....


thanks for your help

cheers

michael

> Holger
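As an added example (not from this thread, and not pfSense code), a small check of what the rule set Holger describes has to let through: the control port plus the passive data ports the server advertises. It parses FTP `227` PASV replies and assumes the thread's server address 213.135.2.247 and the FreeBSD ephemeral range 49152-65535 that Michael found; the sample replies are constructed.

```python
"""Check FTP PASV replies against a pfSense-style rule set for a public-IP FTP server."""
import re
from dataclasses import dataclass

# Assumed from the thread: the FTP server's public address and the FreeBSD
# default ephemeral range a passive-mode server hands out (49152-65535).
FTP_SERVER = "213.135.2.247"
PASSIVE_RANGE = (49152, 65535)


@dataclass(frozen=True)
class Rule:
    """A stateful 'pass in tcp from any to dst port first:last' rule."""
    dst: str
    first_port: int
    last_port: int

    def matches(self, ip, port):
        return ip == self.dst and self.first_port <= port <= self.last_port


# The two rules the reply describes: port 21 plus the passive range, no NAT.
RULES = [Rule(FTP_SERVER, 21, 21), Rule(FTP_SERVER, *PASSIVE_RANGE)]

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def check_pasv(reply, public_ip=FTP_SERVER, passive_range=PASSIVE_RANGE, rules=RULES):
    """Return a list of problems; an empty list means the data connection will pass."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:  # server behind NAT or misconfigured: it advertises the wrong address
        problems.append("server advertises %s, clients expect %s" % (ip, public_ip))
    lo, hi = passive_range
    if not lo <= port <= hi:  # server uses a range the firewall does not open
        problems.append("port %d outside passive range %d-%d" % (port, lo, hi))
    if not any(r.matches(ip, port) for r in rules):
        problems.append("no firewall rule passes tcp to %s:%d" % (ip, port))
    return problems


if __name__ == "__main__":
    for sample in ("227 Entering Passive Mode (213,135,2,247,195,80)",   # constructed: ok
                   "227 Entering Passive Mode (213,135,2,247,37,20)",    # constructed: port 9492
                   "227 Entering Passive Mode (192,168,1,24,195,80)"):   # constructed: private IP
        print(sample, "->", check_pasv(sample) or "ok")
```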

> -----Original Message-----
> From: Michael Schuh [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 28, 2006 4:02 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Configuration with Public IP DMZ
>
>
> Hi,
>
> first thanks for your work and hints, but
> I have seen the entries in forum and faq, but this does not cover
> my problem.
> I think you have not really understood what I want, or better I have
> not clearly enough described my problem.
>
> Our ftp-server is on a public ip-address (our complete dmz),
> so that I have to make no NAT on DMZ interfaces/addresses.
> The solution that you have described is only really valid on
> private addresses on DMZ like 192.168.1.24 or so (I think)
>
>           WAN                             DMZ                      LAN
> 213.135.2.225/28---213.135.2.240/28--192.168.1.0
>
> And therefore I can not change our public IP addresses
> (on the servers), like changing them to private to operate with the known
> configuration as described by you and the entries in the forum.
>
> possibly I think too strange for configuration
> (this may result from iptables and other config strategies).
>
> I would only redirect connects incoming on the WAN/LAN-Interface for
> DMZ-IP 247 port = ftp
> but not all connects on the WAN-IP to port = ftp! This is
> important because
> we would later run a second ftp-server or so.... and with the
> described solution
> this is impossible, or I must eventually spend a second virtual IP
> from my WAN-NET.
>
> I hope you and the others understand what I would like to get.
>
>
> thanks for all
>
> regards
>
> michael
>
> 2006/9/28, Holger Bauer <[EMAIL PROTECTED]>:
> > This is extensively covered at the forum and there even is
> > a faq entry at faq.pfsense.com (I think).
> >
> > However, quick guide:
> > - Delete all NAT/firewall rules you created for the
> > ftpserver (most likely wrong as it doesn't work) to start over.
> > - at interfaces>wan enable ftp helper
> > - at firewall>nat, portforward create a portforward:
> > interface WAN, interface address, port 21, destination
> > <internal ftp server IP>, port 21
> > - save (note the text in the apply message that it created
> > a rule for the ftp-helper)
> > - apply
> >
> > That's it
> >
> > Holger
> >
> >         -----Original Message-----
> >         From: Michael Schuh [mailto:[EMAIL PROTECTED]
> >         Sent: Thu 28.09.2006 12:28
> >         To: support@pfsense.com
> >         Cc:
> >         Subject: [pfSense Support] Configuration with Public IP DMZ
> >
> >
> >
> >         Hi,
> >
> >         I have taken pfsense into production use yesterday
> >         (SNAPSHOT from 2006-09-26).
> >         My configuration is
> >         wan public.226/28
> >         DMZ public.241/28
> >         lan privateip/24
> >
> >         now I have the problem that my config for ftp-proxying
> >         our ftp-server
> >         is probably wrong. I can connect to the ftp, but it
> >         passes only
> >         one type of ftp-connects (active or passive, I'm not sure).
> >
> >         I say our ftp.server is on public.247 so I must redirect all
> >         ftp connects to the ftp-proxy-helper, but I'm not sure how.
> >
> >         I have disabled the automatic NAT rules, and need
> >         also the right
> >         rules for outbound ftp sessions.
> >         At the time I have configured outbound NAT only for
> >         our private net except the DMZ-NET.
> >
> >         Another question is about /etc/sysctl.conf. I have made
> >         an entry for proxyarp, while our interconnect
> >         disconnects the
> >         dmz-net if they get no arp addresses (for me this is
> >         bullshit, security leak)
> >         but it doesn't work otherwise.
> >         Does the /etc/sysctl get mangled or changed by an
> >         update? If so, is there
> >         another possibility to change
> >         net.link.ether.inet.proxyall to 1?
> >         (default 0).
> >
> >         thanks a lot
> >
> >         regards
> >
> >         michael
> >
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


