When Xlight FTP Server is configured to use Active Directory to authenticate users, and in a short period of time there are many failed login attempts to Active Directory from the Xlight program, Active Directory will think that the Xlight FTP program is hammering it and will block the Xlight FTP program from accessing it. When this happens, you have to restart the Xlight service to unblock it, which is undesirable.

"IP had made over 6 failed logins in the past 60 seconds, server will automatically ban this IP for 600 seconds to prevent from being locked out by Active Directory for hammering."

I thought the process went like this: client:21 -> ftp server 21 -> sends back data channel ports -> open connection on those ports. I see this in the Xlight error log, what happened?

This is NOT the same as the port used in a passive or active connection. See attached - my NAT and firewall rules - and then test from the website you gave; your testing source port is going to be RANDOM depending on the client and how many sessions they have had open, etc. To set up FTP should take all of about 30 seconds. You could never have any sort of control over what port the source is going to be from the client. You seeing blocks in your firewall to 21 has NOTHING to do with the data connection, and would be the control channel connection, which again is going to be some random port the client picks to your port 21. Now depending on whether it is active or passive, either your ftp server will connect to my public IP from port 20 to some port I tell it to connect to:

ftpserver:20 -> clientpublicIP:randomabove1024
ftpclient:randomabove1024 -> ftpserver:randomabove1024orwhateverrandftpsettoforpassive

All connections have a source port - so I come from my publicIP:randomport>1024 to your publicIP:21. The source port is going to be RANDOM depending on the client and how many sessions they have had open, etc.
The automatically created rule is a bit awkward though -> external ip (21) destination = internal ip (21). In the case of the phone it is around 2200; when using the website it falls in the Windows 2008 default range. The difference between a test from the above-mentioned website and my mobile is the port range that tries to connect to 21. NAT reflection is system default (disabled), filter rule association is "add associated filter rule". Source: depending on mobile or website /\ ip address (single host or alias), source port range = FTP (from/to), destination is WAN address, destination port range = FTP (from/to), redirect target ip is internal address, redirect target port = 21. I'm trying from two locations, using my smartphone (not via wifi) and via.

You should not need your ftp server to return its public IP - the ftp helper in pfsense would change, say, a PASV reply that lists 192.168.1.100 as the ftp server IP to whatever your pfsense public IP is. Or are you seeing that on the ftp server - Windows has a firewall, are you sure you allowed the traffic on the Windows firewall?
Also, are you trying this from OUTSIDE your network, or are you trying to use NAT reflection to access your internal ftp server with its external IP?

Only 2 entries in the log, both stemming from external ip port 2250 to WAN address.

"see connections being blocked coming from :2229 to 21)"
Blocked where? 21 is the control port - and if it is being blocked by pfsense you don't have your forward set up correctly.

Update: changed the passive ports to 1025-7025. So maybe the ftp helper provides the client with the data ports (?) I see connections being blocked coming from :2229 to 21) -> this also happens when the ftp server is turned off. I'll try to adjust the passive ports of Windows 2008 to reflect the > win2008 standards (1025-5000). The ftp server gives back the external ip address to pfsense. The dynamic ports are set to the standard (0-0, which gives a passive port range of 49152 - 65535).
I have reinstalled pfsense and recreated the ftp within IIS Manager (Windows 2008). Spent already a lot of hours trying to get this going. Did you configure the ftp server to use a specific range of those ports?
First of all, thanks for the reply. The ftp helper should automatically allow the passive ports that are needed, if needed; there should be no reason to create rules for the passive ports your ftp server would use if asked for a passive connection. It's possible they are active and not passive. Passive depends on what the client wants to do.
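The thread above keeps coming back to three things: the control connection is always client:random -> server:21, the data connection is a separate flow whose direction depends on active or passive mode, and the pfSense ftp helper rewrites a PASV reply that carries the server's private address. The following Python is an added example written for this page; it is not code from the thread, from pfSense or from IIS. It parses and rewrites a 227 PASV reply the way the helper is described as doing, checks whether the advertised port falls inside a configured passive range (the 49152-65535 default and the 1025-5000 range are both mentioned in the thread), and returns the data-connection endpoints for each mode. The addresses 192.168.1.100 (from the thread), 203.0.113.10, 198.51.100.7, the source port 2229 and all function names are assumptions chosen for illustration.

```python
import re
from ipaddress import ip_address

# Matches the "(h1,h2,h3,h4,p1,p2)" tuple in a 227 reply (RFC 959 PASV format).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 PASV reply. The port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no address tuple in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    """Build a 227 reply for ip:port in the comma-separated RFC 959 form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "227 Entering Passive Mode (%s,%d,%d)." % (ip.replace(".", ","), port // 256, port % 256)


def rewrite_pasv(reply: str, public_ip: str) -> str:
    """What a NAT ftp helper does: if the server advertised a private address
    (e.g. 192.168.1.100), substitute the firewall's public address and keep
    the port; a reply that already carries a public address is left alone."""
    ip, port = parse_pasv(reply)
    if ip_address(ip).is_private:
        return format_pasv(public_ip, port)
    return reply


def in_passive_range(port: int, low: int, high: int) -> bool:
    """True if the advertised data port is inside the server's configured
    passive range, i.e. inside what the helper/forward is expected to cover."""
    return low <= port <= high


def data_flow(mode: str, client_ip: str, client_port: int, server_ip: str, server_port: int = 0):
    """Return ((src_ip, src_port), (dst_ip, dst_port)) of the DATA connection.
    This is distinct from the control connection, which is always
    client:random -> server:21 regardless of mode."""
    if mode == "passive":
        # Client opens the data connection to the port the server advertised.
        return (client_ip, client_port), (server_ip, server_port)
    if mode == "active":
        # Server connects from port 20 to the port the client sent in PORT.
        return (server_ip, 20), (client_ip, client_port)
    raise ValueError("unknown mode: %r" % mode)


if __name__ == "__main__":
    # Constructed sample reply from a server behind NAT (assumed private address).
    reply = "227 Entering Passive Mode (192,168,1,100,195,80)."
    ip, port = parse_pasv(reply)
    print("server advertised", ip, port)
    print("helper sends    ", rewrite_pasv(reply, "203.0.113.10"))
    print("in 49152-65535 :", in_passive_range(port, 49152, 65535))
    print("in 1025-5000   :", in_passive_range(port, 1025, 5000))
    print("active data flow", data_flow("active", "198.51.100.7", 2229, "192.168.1.100"))
    print("passive data flow", data_flow("passive", "198.51.100.7", 2229, "192.168.1.100", port))
```

A port that parses correctly but lies outside the range the server was configured with is the case worth alerting on: it means the firewall forward built from that range will not match the data connection, which is exactly the symptom the thread describes when the Windows default 49152-65535 range and a 1025-5000 forward disagree.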