To access your FTP server at 192.168.100.95 from the WAN, you need to configure NAT port forwarding and firewall rules:
1. Configure NAT Destination Rule (Port Forwarding)
# Forward FTP control port (21) from WAN to DMZ server
set nat destination rule 110 description 'Forward FTP to DMZ server'
set nat destination rule 110 destination port '21'
set nat destination rule 110 inbound-interface name 'eth2.201'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.168.100.95'
set nat destination rule 110 translation port '21'
2. Add Firewall Forward Rule
# Allow FTP traffic from WAN to DMZ server
set firewall ipv4 forward filter rule 35 action 'accept'
set firewall ipv4 forward filter rule 35 description 'Allow FTP from WAN to DMZ'
set firewall ipv4 forward filter rule 35 destination address '192.168.100.95'
set firewall ipv4 forward filter rule 35 destination port '21'
set firewall ipv4 forward filter rule 35 inbound-interface name 'eth2.201'
set firewall ipv4 forward filter rule 35 outbound-interface name 'br1'
set firewall ipv4 forward filter rule 35 protocol 'tcp'
3. For Passive FTP (Recommended)
If using passive FTP, you need to forward the passive port range. Configure your FTP server to use a specific passive port range (e.g., 50000-51000), then:
# Forward passive FTP port range
set nat destination rule 111 description 'Forward FTP passive ports to DMZ'
set nat destination rule 111 destination port '50000-51000'
set nat destination rule 111 inbound-interface name 'eth2.201'
set nat destination rule 111 protocol 'tcp'
set nat destination rule 111 translation address '192.168.100.95'
# Allow passive FTP ports through firewall
set firewall ipv4 forward filter rule 36 action 'accept'
set firewall ipv4 forward filter rule 36 description 'Allow FTP passive from WAN to DMZ'
set firewall ipv4 forward filter rule 36 destination address '192.168.100.95'
set firewall ipv4 forward filter rule 36 destination port '50000-51000'
set firewall ipv4 forward filter rule 36 inbound-interface name 'eth2.201'
set firewall ipv4 forward filter rule 36 outbound-interface name 'br1'
set firewall ipv4 forward filter rule 36 protocol 'tcp'
4. Apply Configuration
commit
save
5. Verify FTP Conntrack Module
Good news! Your config already has FTP connection tracking enabled:
set system conntrack modules ftp
This helps the firewall understand FTP’s secondary data connections.
Access from WAN
Once configured, access your FTP server using your WAN IP address:
ftp <your-wan-ip>
Important Notes:
- Get your WAN IP: Run `show interfaces ethernet eth2.201` to see your current WAN IP
- FTP Server Configuration: Make sure your FTP server (at 192.168.100.95) is configured for:
  - Passive mode with the port range you forwarded (50000-51000)
  - The correct external IP address for passive mode announcements
- Security: Consider using SFTP (port 22) or FTPS (ports 21, 990) instead of plain FTP for better security
Testing:
# From outside your network, test FTP connection
telnet <your-wan-ip> 21
# Or use FTP client
ftp <your-wan-ip>
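An added example (not part of the original answer): a Python check of the passive-mode reply a client sees from outside, confirming that the announced address is the WAN IP and that the port falls inside the forwarded 50000-51000 range. It goes beyond the PASV (227) case to also accept the EPSV (229) form; the WAN address 203.0.113.10 and the sample reply lines are constructed for illustration.

```python
import ipaddress
import re

# PASV reply (RFC 959): "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# EPSV reply (RFC 2428): "229 ... (|||port|)"
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")

# Constructed sample data: placeholder WAN address and reply lines.
WAN_IP = "203.0.113.10"
SAMPLES = {
    "ok": "227 Entering Passive Mode (203,0,113,10,195,90).",
    "internal_ip": "227 Entering Passive Mode (192,168,100,95,195,90).",
    "bad_port": "227 Entering Passive Mode (203,0,113,10,78,52).",
    "epsv": "229 Entering Extended Passive Mode (|||50010|)",
}


def parse_passive_reply(reply):
    """Return (announced_ip_or_None, port) from a 227 or 229 reply line."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("field out of range in 227 reply")
        ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
        return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return None, int(m.group(1))  # EPSV carries no address
    raise ValueError("not a 227/229 passive reply")


def check_passive_reply(reply, wan_ip, port_range=(50000, 51000)):
    """List the reasons this reply would fail through the NAT rules above."""
    ip, port = parse_passive_reply(reply)
    problems = []
    if ip is not None and ip != ipaddress.IPv4Address(wan_ip):
        kind = "private" if ip.is_private else "unexpected"
        problems.append(f"announces {kind} address {ip}, expected {wan_ip}")
    if not port_range[0] <= port <= port_range[1]:
        problems.append(f"port {port} outside forwarded range {port_range[0]}-{port_range[1]}")
    return problems


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, check_passive_reply(line, WAN_IP) or "OK")
```

Feed it the 227/229 line shown by your FTP client's debug output; an empty result means the data connection will match NAT rule 111 and firewall rule 36.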
Would you like help configuring secure FTP (FTPS) or SFTP instead?