Solved FTP Server Protected by an External PF Firewall Running NAT | 425 Unable to build data connection: No route to host

Hi, I have a Seagate Personal Cloud NAS and it is working behind the FreeBSD gw.
As you may know, I couldn't connect to the FTP server using active mode. The NAS has no Passive Mode settings, so I tried to implement ftp-proxy.
But now I am having the "server: 425 Unable to build data connection: No route to host\r\n" error.
Thanks in advance.

A.B.C.D = My real public IP address, directly connected on my gw; there is no CGNAT
X.Y.Z.T = My client public IP address
192.168.0.200 = my ftp server IP address
PF rules for ftp-proxy
Code:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

anchor "ftp-proxy/*"
pass in log quick on { igb0 }  proto { tcp } from {  X.Y.Z.T/32 } to {  any }  flags S/SA keep state
pass out log

Code:
root@test:~ # /usr/sbin/ftp-proxy -p 8021 -R 192.168.0.200 -b A.B.C.D -P 21 -D7 -v -d
using fixed server 192.168.0.200
listening on A.B.C.D port 8021
#1 accepted connection from X.Y.Z.T
#1 FTP session 1/100 started: client X.Y.Z.T to server 192.168.0.200 via proxy 192.168.0.1
#1 server: 220 ProFTPD 1.3.5 Server (PersonalCloud) [::ffff:192.168.0.200]\r\n
#1 client: USER tester\r\n
#1 server: 331 Password required for tester\r\n
#1 client: PASS asdasd**\r\n
#1 server: 230 User tester logged in\r\n
#1 client: OPTS UTF8 ON\r\n
#1 server: 200 UTF8 set to on\r\n
#1 client: PWD\r\n
#1 server: 257 "/" is the current directory\r\n
#1 client: TYPE I\r\n
#1 server: 200 Type set to I\r\n
#1 client: PORT 192,168,11,102,158,87\r\n
#1 proxy: PORT 192,168,0,1,226,172\r\n
#1 active: server to client port 40535 via port 58028
#1 server: 200 PORT command successful\r\n
#1 client: MLSD\r\n
#1 server: 425 Unable to build data connection: No route to host\r\n
#1 client close
#1 ending session

root@test:~ # tcpdump -ttt -n -e -i pflog0 host X.Y.Z.T and action block -vv
<there are no block logs>
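The interesting part of the ftp-proxy trace above is the PORT exchange: the client advertises one address, the proxy rewrites it, and the server then reports 425. The script below is an added example (not part of this thread or of ftp-proxy) that decodes the six PORT-command fields (h1,h2,h3,h4,p1,p2, port = p1*256+p2), cross-checks them against the "active: ... via port" line, and points out the two things a firewall admin wants to know from such a trace: whether the client advertised a private address that differs from the control-connection peer (the client itself being behind NAT), and which address the server will actually try to reach after the proxy's rewrite. The sample log is constructed from the lines quoted above, with the X.Y.Z.T placeholder replaced by the documentation address 203.0.113.50 so there is a literal IP to compare.

```python
import ipaddress
import re

# Constructed sample input: the ftp-proxy -v -D7 lines quoted in the post above,
# with the X.Y.Z.T placeholder replaced by a documentation address (203.0.113.50).
# ftp-proxy prints "\r\n" literally, so the raw string keeps those two characters.
SAMPLE_LOG = r"""#1 accepted connection from 203.0.113.50
#1 FTP session 1/100 started: client 203.0.113.50 to server 192.168.0.200 via proxy 192.168.0.1
#1 client: PORT 192,168,11,102,158,87\r\n
#1 proxy: PORT 192,168,0,1,226,172\r\n
#1 active: server to client port 40535 via port 58028
#1 server: 200 PORT command successful\r\n
#1 client: MLSD\r\n
#1 server: 425 Unable to build data connection: No route to host\r\n
"""

PORT_RE = re.compile(r"^#\d+ (client|proxy): PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PEER_RE = re.compile(r"^#\d+ accepted connection from (\S+)")
ACTIVE_RE = re.compile(r"^#\d+ active: server to client port (\d+) via port (\d+)")
REPLY_RE = re.compile(r"^#\d+ server: (\d{3}) ")


def decode_port(h1, h2, h3, h4, p1, p2):
    """Decode the six RFC 959 PORT fields into (host, port)."""
    fields = (h1, h2, h3, h4, p1, p2)
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PORT fields must be in 0..255: %r" % (fields,))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def analyze_session(log_text):
    """Walk one ftp-proxy session trace and explain where the data connection goes."""
    info = {"peer": None, "client_port": None, "proxy_port": None,
            "active": None, "replies": [], "findings": []}
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            info["peer"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            # groups()[0] is "client" or "proxy"; the remaining six are the PORT fields
            info[m.group(1) + "_port"] = decode_port(*map(int, m.groups()[1:]))
            continue
        m = ACTIVE_RE.match(line)
        if m:
            info["active"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = REPLY_RE.match(line)
        if m:
            info["replies"].append(int(m.group(1)))

    findings = info["findings"]
    if info["client_port"]:
        host, port = info["client_port"]
        if ipaddress.ip_address(host).is_private:
            findings.append("client advertised private data address %s:%d" % (host, port))
        if info["peer"] and host != info["peer"]:
            findings.append("PORT address %s differs from control-connection peer %s: "
                            "the client itself is behind NAT" % (host, info["peer"]))
    if info["proxy_port"]:
        host, port = info["proxy_port"]
        findings.append("proxy rewrote PORT, so the server will connect to %s:%d" % (host, port))
    if info["active"] and info["client_port"] and info["proxy_port"]:
        # The "active:" line should agree with the decoded PORT commands.
        if info["active"] != (info["client_port"][1], info["proxy_port"][1]):
            findings.append("active-mode ports in the log do not match the decoded PORT commands")
    if 425 in info["replies"]:
        findings.append("server replied 425: the data connection to the rewritten address failed")
    return info


if __name__ == "__main__":
    for finding in analyze_session(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run against the trace above it decodes the client's PORT to 192.168.11.102:40535 and the proxy's to 192.168.0.1:58028, matching the "server to client port 40535 via port 58028" line, and flags that the advertised 192.168.11.102 is a private address different from the public peer: the server's data connection goes to the proxy on the gateway's internal address, and the 425 reports that this connection could not be built.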
 
While I would highly not recommend doing this, I'm pretty sure ftp-proxy is also intended for outbound connections only, not inbound.
FTP servers work just fine if you set a range and forward it in your firewall to the correct (internal) server IP.
I would recommend utilizing a VPN connection instead, using WireGuard or OpenVPN, and accessing your NAS over SMB to make your life easier.

That being said, the Seagate Personal Cloud seems to be based on the aging Marvell Armada platform, so you might run into Samba incompatibilities with newer versions of Windows.
A dinky $35 SBC/media box (something that runs LibreELEC) will run circles around it and save you a lot of hassle.
 
You need to log the blocked packets to be able to see them in tcpdump. It will help if you share your entire pf.conf.

/etc/rc.conf
Code:
ftpproxy_flags="-R 192.168.0.200 -p 21 -b A.B.C.D"
/etc/pf.conf
Code:
ext_if = "igb0"
ext_ip = "A.B.C.D"
ftp_ip = "192.168.0.200"

int_if = "igb1"

nat-anchor "ftp-proxy/*"
nat on $ext_if inet from $int_if -> ($ext_if)
rdr-anchor "ftp-proxy/*"

pass in on $ext_if inet proto tcp to $ext_ip port 21 \
    flags S/SA keep state
pass out on $int_if inet proto tcp to $ftp_ip port 21 \
    user proxy flags S/SA keep state
anchor "ftp-proxy/*"

 
I was using FileZilla as a client and I switched the transfer mode from active to default.
At last my problem is solved; I have successfully listed the directories on the remote FTP server.
 