FTP between VLans

I have a policy set to allow FTP traffic from external through to my FTP server via an SNAT. Now what I need is to allow a PC on a differnet VLan access as well. The PC on the Vlan is set as a static IP address, ass is the FTP server. I thought I could just clone the FTP proxy ploicy and replace the From with the Vlan name - and do the same with the SNAt replace the publi IP address with the Vlan name but the Vlan name does not appear to be an option in the SNAT setup


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Roddy100

    You only need to use a SNAT action for traffic that is coming in and needs to be NAT'ed to your internal hosts. If you're going from one private network to another on the same firewall, you can just use a policy with TO and FROM being those networks.

    Unless you have a specific reason to be proxying the traffic, I'd suggest starting with a packet filter first, and later moving to a proxy (if you want the scanning) after you've confirmed it works with the FTP packet filter.

    As a side note, you need to use either the built-in FTP packet filter or proxy, do not try to create your own custom policy template for FTP. The FTP packet filter/proxy policies are the only ones that will track FTP connections and open appropriate ports for passive mode transfers.

    -James Carson
    WatchGuard Customer Support

  • Options

    Note that you can allow internal devices to access the FTP server using the public IP addr, by setting up NAT loopback.
    Basically you add the source such as VLAN name, interface name, Any-trusted etc. to the From: field of your existing incoming FTP policy.

    NAT Loopback and Static NAT (SNAT)

    Otherwise internal users need to access the FTP server using its private IP addr.

  • Options

    Thanks Bruce
    What I have done is put in place an Inter VLan policy to allow all traffic from the PC on the VLan to the FTP server, probably not as secure as locking it down to a the single FTP port 21. but it will do for testing purposes

  • Options

    Consider using a FTP packet filter as James suggested above.
    FTP uses more than a single port. The FTP packet filter or proxy handle the dynamically needed additional FTP ports.

Sign In to comment.