Portforwarding FritzBox > Ipfire > NAS

Hi Community,

To realize FTP-access to my Synology-NAS, I need to do a port forwarding from my Fritzbox to my external IPfire and further to the NAS. So I’ve configured dyndns at the Fritzbox (ping from extern ok) and forward port 21 to the external IP of IPfire.

Than I’ve set an new firewall-rule in IPfire to forward port 21 to the NAS.

Screenshot_2021-03-09 14_46_311025×455 67.6 KB

The NAS-firewall isn’t active and the FTP is reachable at port 21. From internal, the FTP-service is reachable, but from external, port 21 is closed.

Somebody knows, what is wrong in this configuration?

Fritzbox 7530: IP 192.168.178.251, dyndns ok, portforwarding TCP Port 21 > IPfire (192.168.178.250)
IPfire (2.25 (x86_64) - Core Update 154) external IP 192.168.178.250, internal IP 10.0.0.250
Synology DS218): FTP-service active, NAS-firewall off, IP 10.0.0.13

Hi @oztranet

Welcome to the IPFire Community.

The button that shows Änderung übernehmen in Green needs to be pressed after you have created new rule(s) to actually apply the changes.

It allows you to make several new rules and then review them all and change the order etc before actually making all of them go live at once.

Right, I forgot to press that button, before I record the screenshot but the port also isn’t open after saving the configuration…

Maybe it’s good to have the configuration mask:

Screenshot_2021-03-09 16_17_22923×894 88.9 KB

Source => RED
I think, the fritz will not make NAT by portforwarding, so the source-ip will be the external-ip from the user not the fritz-internal. And I would try it without NAT-option.

I would agree that the source should be RED or ANY.

Also the Firewall setting in the NAT section should be automatic.

However I would expect that the Fritzbox would also require Port Forwading to be set up unless it is capable of being put into bridged mode and several Fritzboxes are not capable of doing that.

I believe you only have to set ipfire as exposed host in your FritzBox, and port 21 on it. And you only have to configure your ipfire and everthing will be ok.

Screenshot_2021-03-10 09_32_37913×310 35.8 KB

ok done, now the source is red (192.168.178.250 - ipfire extern)

I tried it without NAT, with NAT “automatic” and with NAT “red”, but without success…

I configured an exposed host from Fritzbox to IPfire, but without success…

Maybe it’s blocked by another service like Intrusion Prevention or Guardian? Is it possible?

To test it without ipfire, I’ve installed a Filezilla server to my Notebook. When my notebook is inside the Fritzbox-net (192.168.178.X) and I forward port 21 to the Notebook-IP, the port is open. When my notebook is inside the IPfire-net (10.0.0.X) and I forward port 21 to the Notebook-IP, the port is closed.

So I think the Fritzbox portforwarding configuration is correct, and the endpoint (FTP-Server) configuration also is correct. any idea?

yes, cause in your case you have to come with port 21. but this is normaly not. only port 21 have to be open. from is all port and to is 21

As Exposed Host

image714×469 23.9 KB

image995×978 74.8 KB

The source-port 21 is wrong. Source-ports must be all and it will be work.
You must only define the target-port. All other connections with other target-ports will be blocked.

Explanation:
The client, that starts a connection to your ftp, use an random outgoing port with the target port 21 for every new connection.

client 5291 → target 21
client 4222 → target 21

It works!!

In the Fritzbox, it’s no exposed host necessary. I just set TCP, external port 10021 to internal port 21 → forwarding to IPfire red (192.168.178.250). In IPfire this is my current configuration:

Screenshot_2021-03-10 12_48_54923×632 64.5 KB

When I ping :10021 the port is open now! Important to know is the note of Steven X: set no source-port

Thank you for support.

it’s the same. But you opened for all now. you should restrikt to one IP and set a static route in fritzbox.
if you set ipfire to exposed host you only have to configure ipfire and not fritzbox too.