To realize FTP-access to my Synology-NAS, I need to do a port forwarding from my Fritzbox to my external IPfire and further to the NAS. So I’ve configured dyndns at the Fritzbox (ping from extern ok) and forward port 21 to the external IP of IPfire.
Then I’ve set a new firewall rule in IPfire to forward port 21 to the NAS.
Source => RED
I think the Fritz will not do NAT when port forwarding, so the source IP will be the external IP of the user, not the Fritz-internal one. And I would try it without the NAT option.
I would agree that the source should be RED or ANY.
Also the Firewall setting in the NAT section should be automatic.
However, I would expect that the Fritzbox would also require Port Forwarding to be set up unless it is capable of being put into bridged mode, and several Fritzboxes are not capable of doing that.
I believe you only have to set ipfire as exposed host in your FritzBox, and port 21 on it. And you only have to configure your ipfire and everything will be ok.
ok done, now the source is red (192.168.178.250 - ipfire extern)
I tried it without NAT, with NAT “automatic” and with NAT “red”, but without success…
I configured an exposed host from Fritzbox to IPfire, but without success…
Maybe it’s blocked by another service like Intrusion Prevention or Guardian? Is it possible?
To test it without ipfire, I’ve installed a Filezilla server on my notebook. When my notebook is inside the Fritzbox net (192.168.178.X) and I forward port 21 to the notebook IP, the port is open. When my notebook is inside the IPfire net (10.0.0.X) and I forward port 21 to the notebook IP, the port is closed.
So I think the Fritzbox port forwarding configuration is correct, and the endpoint (FTP server) configuration is also correct. Any idea?
The source port 21 is wrong. Source ports must be all, and then it will work.
You must define only the target port. All other connections with other target ports will be blocked.
Explanation:
The client that starts a connection to your FTP uses a random outgoing port with the target port 21 for every new connection.
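The point about source ports, as an added example that is not part of the original thread: it opens real loopback connections, records the source port the OS gives each client, and checks them against a rule with the source port pinned and a rule with it left at "all". `ForwardRule` is a hypothetical simplified model, not IPFire's rule format, and an OS-chosen loopback port stands in for port 21.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ForwardRule:
    """Simplified port-forward rule (hypothetical model, not IPFire's schema)."""
    dst_port: int
    src_port: Optional[int] = None  # None means "any source port"

    def matches(self, src_port: int, dst_port: int) -> bool:
        if self.src_port is not None and src_port != self.src_port:
            return False
        return dst_port == self.dst_port


def observe_client_ports(connections: int = 5):
    """Accept loopback connections; return (service port, client source ports)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0: OS picks a free port standing in for 21
    server.listen(connections)
    server_port = server.getsockname()[1]
    seen = []

    def accept_all():
        for _ in range(connections):
            conn, (_, client_port) = server.accept()
            seen.append(client_port)  # source port as the server side sees it
            conn.close()

    worker = threading.Thread(target=accept_all)
    worker.start()
    for _ in range(connections):
        with socket.create_connection(("127.0.0.1", server_port)):
            pass
    worker.join()
    server.close()
    return server_port, seen


def count_matches(rule: ForwardRule, service_port: int, client_ports) -> int:
    """Number of observed connections the rule would forward."""
    return sum(rule.matches(p, service_port) for p in client_ports)


if __name__ == "__main__":
    port, clients = observe_client_ports()
    print("service port:", port, "client source ports:", clients)
    print("source port pinned:", count_matches(ForwardRule(port, port), port, clients))
    print("source port any:   ", count_matches(ForwardRule(port), port, clients))
```
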
In the Fritzbox, no exposed host is necessary. I just set TCP, external port 10021 to internal port 21 → forwarding to IPfire red (192.168.178.250). In IPfire this is my current configuration:
It’s the same. But you opened it for all now. You should restrict it to one IP and set a static route in the Fritzbox.
If you set ipfire as exposed host, you only have to configure ipfire and not the Fritzbox too.