This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FileZilla Connection Problems from external network

Hey there,

I hope this thread hasn't been here before but I tried multiple browsers, the search function is broken for me.

I wanted to use FileZilla FTP in order to save snapshots from a webcam in an external network. I have set up FileZilla on a server (lets say 192.168.100.10) with custom ftp ports (59000 for FTP and 59001 for passive mode), configured the server's firewall to allow traffic on port 59000 and 59001 and set up the camera. Everything worked in my internal network and the camera saved the jpg files into my FTP folder. 

I then created a DNAT rule in my UTM, as I have done plenty of times with different services before, and let it create a firewall rule for me. Coming from any, ports begin source 1:65535 to destination port 59000:59001 and my external destination adress (lets say 100.10.10.100) and changed the target to 192.168.100.10

I then added the webcam to an external network, changed the ftp adress from internal 192.168.100.10 to external 100.10.10.100. It can log into the FTP server, but it can not edit files. It starts a session, goes into the directory and has access, creates a 0kb jpg file and then times out. This does not happen from an internal network which leads me to believe it has to do with my UTM and im seriously lost. I found another person making a guide on how to set up Filezilla behind a UTM and creating the DNAT rule with an auto firewall rule is the only thing he does as well. I also tried disabling the server's firewall completely, giving all users full file and folder access and changing the ports in my firewall, filezilla and UTM back to 20/21. Doesnt change.

Can anyone give me ideas on what to look into? FTP Proxy is disabled btw.



This thread was automatically locked due to age.
Parents
  • Hey guys,

    first of all thanks for your suggestions and help! I did check Steve's suggestion immediately but after that I didn't find time and opportunity to get back to you or work on the topic further.

    We have disabled Intrusion Prevention for other reasons anyways but just to test I took it a step further and also disabled every other feature under Network Protection > Intrusion Prevention. Didn't change a thing. What I'm currently most confused about is which UTM log could help me further troubleshoot my problem? I got my public IP that connects to my FTP as you can already see from the Filezilla log, but I don't find any connection from this IP in my firewall log, intrusion prevention log (obviously) or web filter log. 

    Under network protection > firewall I enabled FTP connection logging but it doesn't show up still. I'll investigate further in this forum and try out other possibilities but help is much appreciated!

    Also I'm using the most recent 9.709-3 firmware!

  • Your FTP-Server doesn´t have any other default gateway? Default Gateway is always the UTM? No other Gateways/Router or static routes?

    Normally you should see everything in the firewall log - do you have any automatic firewall rules? Automatic firewall rules are default without logging but you can enable it. Maybe such an automatic firewall rule matched?

    regards

  • No, the UTM is the gateway. I did however let my UTM auto create the firewall rule when creating my DNAT like I said in my opening post, which did not have the logging activated by default, of course... Thanks for the hint. I did activate the logging, found some weird dropped UDP packages and created a firewall rule which allowed traffic from any over any tcp/udp port to any tcp/udp port to my external address. Just for sake of testing. Firewall log then showed all logged traffic rules as green but the behavior on my Filezilla server did not change and remains like the log in the OP.

    I also deleted the auto firewall rule and created it again manually just to be sure theres nothing funky going on.

    E: to summarize, my firewall logs coming from my external address are green, but I still deactivated my server's software firewall completely, deactivated every option in my UTM under Intrusion Prevention, created a firewall rule at the very top of my list to allow any source > over and to any TCP/UDP port > to my external DNAT address and internal FTP server definition. FTP helper on or off, doesn't matter. Still won't work and I can't find any reasoning since it does work inside my network if the UTM doesn't interfere. Logs however haven't been useful yet. I will try and use another external internet connection to rule out further problems, but in the meantime I guess I'll read up on what this Sophos FTP Proxy is all about and if implementing it could help.

  • If you're not seeing drops in the firewall or IPS log, Pete, you have a routing problem, maybe a configuration misunderstanding.  Rather than describing your configuration, please inse pictures of the Edits of the firewall and NAT rules.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey BAlfson,

    thanks for further trying to help me! As I already said yesterday I wanted to try recreating the whole configuration and test it through another external network connection. I did exactly that. I still encountered errors in Filezilla, but different ones and I'm not sure what exactly I have done different from before. You guys might be able to relate, but at some point when you are out of ideas you try out so many unrelated options that you don't even know what you tried and what you didn't, what the original configuration was and what wasn't part of it.

    Anyways, those Filezilla errors did direct me into further looking up the Filezilla FTP passive mode. I had it configured before but I did not know that using a port range was pretty much mandatory and a single port was not sufficient. Unfortunately all the Filezilla Wiki documentation is way out of date, like inserting your external server address. But in the end it all worked out now so thanks again for helping me on my journey!

Reply
  • Hey BAlfson,

    thanks for further trying to help me! As I already said yesterday I wanted to try recreating the whole configuration and test it through another external network connection. I did exactly that. I still encountered errors in Filezilla, but different ones and I'm not sure what exactly I have done different from before. You guys might be able to relate, but at some point when you are out of ideas you try out so many unrelated options that you don't even know what you tried and what you didn't, what the original configuration was and what wasn't part of it.

    Anyways, those Filezilla errors did direct me into further looking up the Filezilla FTP passive mode. I had it configured before but I did not know that using a port range was pretty much mandatory and a single port was not sufficient. Unfortunately all the Filezilla Wiki documentation is way out of date, like inserting your external server address. But in the end it all worked out now so thanks again for helping me on my journey!

Children
No Data