Hello to everyone,
I’m setting up FTP Server based on windows 10 IIS, obviously i have open port 21 to FTP Server on Lan1 network 192.168.4.0/24. Mostly used for data acquisition for CSV files.
For safety, I have Lan2 (dedicated interface - not Vlan) for the rest of application servers i need.192.168.5.0/24.
What do you recommend for accessing Lan1 from Lan2, to transfer the incoming data from CSV files in Lan1 for further processing on application servers on Lan2 ?
I’m not much experienced in networking but i already found something. I need your opinion.
Possible Solutions:
- second ethernet card to all machines on Lan2, so they can access also Lan1. I don’t know if this compromises security.
- Open VPN Access accounts to each machine in Lan 2 to LAN1. I know this compromises bandwidth because of the limit of each network card 1gbit.
- Static Route from specific IP’s on Lan2 to Lan1 ? I don’t know if this is possible.
- Is there any way to VPN the whole Lan2 to LAN1 ?
- Anything else i couldn’t think of ?
Thanks for your time reading this.
There are better more secure ways than FTP to transfer files. Based on what you said I assume the networks are running through the same firewall so just an allow rule for FTP between the networks should work.
Hello Sir, Are you the guy on youtube making the tutorials ?
Please let me clarify something:
I use FTP to transfer files from WAN outside (from low spec dataloggers) because is the only protocol they support. So all the files are landed on LAN1 through FTP, port forward etc, following your tutorials.
The LAN2 as you correctly stated, is from the same pfSense box dedicated interface. I don’t have to use again FTP, i just need a way to access Lan1 from LAN2 to pass the files to the safe network !! Most probably with windows share (SMB).
I think now is more clear. that’s why i though for permanent VPN between them, or static routes, or second network card to pc’s.
Thank you.
If they are on the same network, you just need a rule in pfsense that will allow traffic between the hosts.
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
1 Like
Thanks for your direction. I really enjoy your tutorials on youtube.
Here is what I would do…
I would put the FTP server on a dedicated network/DMZ. The only rule needed for that network is a NAT to point the WAN IP to the FTP server IP for port 21 traffic (ACL should be created automatically). For your App server network I would create a rule from LAN2 to LAN1 for access to the FTP internal IP on port 21. This is important because you only want your App server to initiate the connection and never the FTP server. Assuming the FTP server gets hacked, it can’t reach out directly to anything on your internal networks.
I would stick with FTP and use an FTP client on your app servers whenever you need the data that was uploaded from your customer.
Thanks Fred,
Good to know that. Following your philosophy, why not doing a permanent VPN connection between the two lans, or a VPN connection for each machine on internal network ? I guess will be faster and maybe more reliable ?
The data is continuously flowing from several dataloggers outside the WAN, 1 csv every 1 minute from 30-35 sites.
I will try anyway what you suggested. Thank you.
If you are looking for a permanent setup where files will constantly be sent, then yes I would setup a site to site VPN to each customer.
Mr. Fred,
you misunderstood one thing, files constantly are coming from WAN - LAN1 FTP server (dataloggers).
I have port forward 21 and a custom range Ports to enable passive FTP.
The same log files are going to constantly going to the protected site of network, LAN2. This is my question, how to access LAN1 from LAN2.
Lan1 = 192.168.4.0/24 Port forward to FTP Server 192.168.4.100
Lan2 = 192.168.6.0/24 App server 192.168.6.100
The App server needs to take the log files for further processing and pass it to the protected network.
Using pfSense box with 2 dedicated LANs (not VLANS). I hope now is more clear.
Thank you for your support.
Got it. After the log files have hit the FTP server, how will they find their way to the app servers? Will the app server retrieve them or will the FTP server push it?
The App Server will retrieve the log file as soon the transfer completed. Is doing adaptive frequency scan for files in the shared folder.
The system right now is like that:
The app server has a 2nd network card installed, so it can connect to the FTP Server LAN1 with normal windows share. (The FTP Site is shared).
My concern is IF this method compromises safety !! and if there is another proper method of doing this. That’s why i made the question.
Thanks for your help.
The answer is yes, it compromises security because the traffic would be bypassing the firewall since it has a directly connected network to LAN1.
Since the app server is reaching out to the FTP server, you should be able to route it through the firewall. Just make sure you create a rule on LAN2 for the app server to reach the FTP server on the required ports.
Thanks guys for the help. I really appreciate it.
As you can see, even i have the 85 lan, i can see the files in 42 LAN.
For anyone trying this in the future, i can help.
Hint: you have to make allow rule in windows firewall also.
1 Like
