https://community.ubnt.com/t5/EdgeMAX/FTP-server-with-dynamic-IP-and-behind-NAT-with-EdgeRouter-Lite/td-p/1279205
This is a working configuration for running an FTP server even if you have no static public IPv4 address and your FTP server is in the NATed LAN. I'm using pure-ftpd on Linux for some server-side settings; the router is an EdgeRouter Lite v1.6.0. This config only allows passive FTP, not active (PORT).
DynDNS
I'm using afraid FreeDNS because it's free and in the supported DynDNS lists on the EdgeOS.
Configuration in EdgeOS webgui:
Services → DNS → Dynamic DNS
set interface to your WAN interface
Service is afraid
hostname: the subdomain you set up with afraid
Login and Password are your afraid login credentials
click Apply, then Force Update
pure-ftpd
Assuming you have already set up the ftp system user/group, the login users with their data directories, and the TLS certificate.
The ftp server is somewhere in your LAN; I'm using 192.168.1.0/24 addresses in the example.
Note that this is a working but not complete command; you will most likely have to set additional parameters for security and overload prevention.
Now start pure-ftpd with the following settings in mind:
IPv4 only (-4)
Chroot users (-A) and disable anonymous login (-E)
run as daemon (-B)
set authentication (-l)
Port range to use for passive FTP (-p) – use this to set a range of e.g. 200 ports for data connections; I'm using 21000 to 21200 in the example
Public IP to announce for passive connections (-P) – use your DynDNS hostname, which resolves to your current public IP
IP address and port of the interface to bind to (-s), 192.168.1.5 in the example. The trailing comma is no mistake: the port follows the comma, and if it is omitted the port defaults to 21
Use TLS encryption for the control and data channels (--tls) and only HIGH ciphers (--tlsciphersuite); omit both if you don't want encryption
So we have the following command now:
/usr/sbin/pure-ftpd -4 -A -E -l <dbtype>:<full db path> -p 21000:21200 -P blub.ignorelist.com -s 192.168.1.5, --tls=3 --tlsciphersuite HIGH
Firewall configuration
You need to
Configuration in EdgeOS webgui:
Go to Firewall/NAT → Firewall Policies
Open ruleset WAN_IN (WAN to internal), add two new rules:
enable, Action accept, Protocol TCP, Destination → Port 21
enable, Action accept, Protocol TCP, Destination → Port 21000-21200 (the passive range)
Go to Firewall/NAT → NAT
Add two Destination NAT rules:
enable, inbound interface: your WAN interface, Translations: Address 192.168.1.5 (use the correct one that your ftp server has), Port 21, Protocol TCP, Dest: Port 21
enable, inbound interface: your WAN interface, Translations: Address 192.168.1.5 (use the correct one that your ftp server has), Port (leave empty), Protocol TCP, Dest: Port 21000-21200
Drawbacks of this configuration: No PORT (active mode), not using ip_conntrack_ftp or ip_nat_ftp.
But it's at least working for me.
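A check of the finished setup, added here and not part of the original post: run from a host outside the NAT, it logs in over TLS, sends PASV and verifies that the address pure-ftpd announces is the public IP the DynDNS name resolves to (not the 192.168.1.5 LAN address) and that the announced port lies inside the 21000-21200 range the WAN_IN and NAT rules open. The hostname, port range and the probe() helper are assumptions taken from the example above; user and password are the ones you configured in pure-ftpd.

```python
import ipaddress
import re
import socket
from ftplib import FTP_TLS

# Constructed values copied from the post's example; replace with your own.
DYNDNS_HOST = "blub.ignorelist.com"  # hostname passed to pure-ftpd -P
PASV_RANGE = (21000, 21200)          # range passed to pure-ftpd -p, opened in WAN_IN and DNATed

PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Turn a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True if the address is a private LAN address that Internet clients cannot reach."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def check_pasv(reply, expected_ip, port_range=PASV_RANGE):
    """Return the list of mismatches between the announced endpoint and this setup (empty = OK)."""
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip):
        # -P missing or wrong: clients on the Internet would try to connect to the LAN address
        problems.append("announced address %s is a LAN address; check pure-ftpd -P" % ip)
    elif ip != expected_ip:
        problems.append("announced %s but the DynDNS name resolves to %s" % (ip, expected_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        # a port outside the range is dropped by WAN_IN and has no DNAT rule
        problems.append("announced port %d is outside %d-%d (-p range / NAT rule)" % (port, lo, hi))
    return problems


def probe(user, password, host=DYNDNS_HOST):
    """Log in over TLS from outside the NAT, send PASV and check the reply (no data connection)."""
    expected_ip = socket.gethostbyname(host)
    ftps = FTP_TLS()
    ftps.connect(host, 21, timeout=10)
    ftps.login(user, password)  # ftplib sends AUTH TLS first, as --tls=3 requires
    reply = ftps.sendcmd("PASV")
    ftps.quit()
    return reply, check_pasv(reply, expected_ip)
```

An empty problem list from probe() means the -P address, the -p range and the router rules agree; any entry names the setting to revisit.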