ubiquiti-edgerouter [Scratchbook]

This is an old revision of the document!



This is a working configuration to set up an FTP server even if you have no static public IPv4 address and your FTP server sits in the NATed LAN. I'm using pure-ftpd on Linux for the server-side settings; the router is an EdgeRouter Lite v1.6.0. This config only allows passive FTP, not active (PORT).

**DynDNS**

I'm using afraid FreeDNS because it's free and on the list of DynDNS services supported by EdgeOS.

Configuration in the EdgeOS web GUI:

  * Services -> DNS -> Dynamic DNS
  * set interface to your WAN interface
  * Service is afraid
  * hostname: the subdomain you set up with afraid
  * Login and Password are your afraid login credentials
  * click apply, then force update

**pure-ftpd**

Assuming you have already set up the ftp system user/group, login users with data directory, and the TLS certificate. The FTP server is somewhere in your LAN; I'm using 192.168.1.0/24 addresses in the example.

Note that this is a working but not complete command; you will most likely have to set some additional parameters for security and overload prevention.

Now you have to start pure-ftpd with the following settings in mind (important for this specific setup in bold):

  * IPv4 only (-4)
  * Chroot users (-A) and disable anonymous login (-E)
  * run as daemon (-B)
  * set authentication (-l)
  * Port range to use for passive FTP (-p) -- use this to set a range of e.g. 200 ports for data connections; I'm using 21000 to 21200 in the example
  * public IP to use for announced passive connections (-P) -- use your DynDNS hostname that resolves to your current public IP
  * IP address and port of the interface to bind to (-S), example using 192.168.1.5; the comma in the example is no mistake, the port comes afterwards, but if omitted it defaults to 21
  * Use TLS encryption for control and data channels (--tls) and only HIGH ciphers (--tlsciphersuite); omit both if you don't want encryption

So we have the following command now:

<code>/usr/sbin/pure-ftpd -4 -A -E -l <dbtype>:<full db path> -p 21000:21200 -P blub.ignorelist.com -S 192.168.1.5, --tls=3 --tlsciphersuite HIGH</code>

**Firewall configuration**

You need to

  * Allow connections to external port 21 and the data port range from above
  * DNAT those ports to forward them to your server's LAN IP

Configuration in the EdgeOS web GUI:

Go to Firewall/NAT -> Firewall Policies

Open ruleset WAN_IN (WAN to internal), add two new rules:

  * enable, Action accept, Protocol TCP, Destination -> Port 21
  * enable, Action accept, Protocol TCP, Destination -> Port 21

Go to Firewall/NAT -> NAT

Add two Destination NAT rules:

  * enable, inbound interface: your WAN interface, Translations: Address 192.168.1.5 (use the correct one that your FTP server has), Port 21, Protocol TCP, Dest: Port 21
  * enable, inbound interface: your WAN interface, Translations: Address 192.168.1.5 (use the correct one that your FTP server has), Port (leave empty), Protocol TCP, Dest: Port 21000-21200

Drawbacks of this configuration: No PORT (active mode), not using ip_conntrack_ftp or ip_nat_ftp. But it's at least working for me.
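Because no FTP NAT helper rewrites the server's replies in this setup, the address and port that pure-ftpd announces for passive mode must match what the router forwards. The following check is an added example, not part of the original page: it parses a 227 (PASV) or 229 (EPSV) reply line and compares it with the expected public IP and the 21000-21200 range. The function names and the address 203.0.113.10 (a documentation placeholder for your WAN IP) are assumptions.

```python
import ipaddress
import re

# RFC 1918 ranges: an address from these in a 227 reply is unreachable from the WAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")

def parse_passive_reply(line):
    """Return (ip or None, port) from a 227 (PASV) or 229 (EPSV) reply line."""
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError(f"octet out of range in {line!r}")
        # h1,h2,h3,h4 is the address; the port is p1*256 + p2
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))  # EPSV carries only the port
    raise ValueError(f"not a 227/229 reply: {line!r}")

def check_reply(line, public_ip, port_range=(21000, 21200)):
    """List mismatches between the reply and the NAT setup (empty list = OK)."""
    ip, port = parse_passive_reply(line)
    problems = []
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in RFC1918):
            problems.append(f"announces LAN address {ip}; -P is not taking effect")
        elif addr != ipaddress.ip_address(public_ip):
            problems.append(f"announces {ip}, expected {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the forwarded range {lo}-{hi}")
    return problems

# Constructed sample replies; 203.0.113.10 stands in for the WAN IP.
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,82,58)",
    "227 Entering Passive Mode (192,168,1,5,195,80)",
    "229 Extended Passive mode OK (|||21200|)",
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "->", check_reply(reply, "203.0.113.10") or "OK")
```

Feed it the reply line your FTP client logs after PASV or EPSV when connecting from outside the LAN.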

ubiquiti-edgerouter.1434640254.txt · Last modified: 2015/06/18 17:10 by komsat
GNU Free Documentation License 1.3