I would like to use my TrueNAS SCALE system as storage for True Image backups.
The home edition of True Image does not support NFS, so the only option if I need to recover a system backup from the NAS using a True Image boot CD is FTP.
So I:
- created a ‘TrueImage’ account on SCALE
- made it a member of the ftp group
- created a dataset with permissions for ‘TrueImage’
- changed the firewall settings to allow ‘TrueImage’ to access SCALE
Note that the SCALE FTP server has no option to define an IP listen address, so I assumed the SCALE GUI address is the only option.
After doing so I created the related FTP link in True Image and tested it. It worked at that level.
Then I tried to create an FTP folder in True Image to ‘mybackups’ => True Image ‘hangs’/‘fails’.
I decided to test with a real / normal FTP client (FileZilla). That showed me the following:
Command: MLSD
Answer: 425 Unable to build data connection: Connection refused
Error: Failed to receive folder list
That failed folder list does of course explain why ‘TrueImage’ has a problem as soon as I want to define the backup target folder.
Does anyone understand this problem, or know the solution?
My IP network is divided into sections / security zones using VLANs, with my firewall (pfSense) in the middle of those VLANs.
True Image is running on my Windows 11 Pro PC. The PC is in my ‘PC-vlan’.
TrueNAS is in my ‘GreenZone’ VLAN.
Traffic towards the NAS (‘GreenZone’) is protected via floating rules (highest priority):
- a rule related to the source VLAN gateway to allow traffic from a particular VLAN to go to the ‘GreenZone’, and
- a second rule related to the GreenZone gateway to allow the traffic to enter.
One of the tests I did was disabling the Windows firewall (which did not change the situation / solve the problem).
The FileZilla log below and also the behaviour of True Image suggest that the connection itself is established.
Below (in Dutch) is the FileZilla log. I added some English explanations to the log.
| FileZilla log (Dutch) | My English explanation |
|---|---|
| Status: Verbinden met 192.168.a.b:21… | connect to |
| Status: Verbinding gemaakt, welkomstbericht afwachten… | connection established, wait for welcome message |
| Status: Onveilige server, die geen FTP over TLS ondersteunt. | server does not support TLS (not true, but I cannot use that, since True Image does not support encryption) |
| Status: Ingelogd | connected |
| Status: Mappenlijst ophalen… | collect folder list |
| Opdracht: PWD | send command PWD |
| Antwoord: 257 / is the current directory | answer 257: / is the current directory |
| Opdracht: TYPE I | command TYPE I |
| Antwoord: 200 Type set to I | answer 200 |
| Opdracht: PORT 192,168,c,d,146,0 | command PORT etc. |
| Antwoord: 200 PORT command successful | command successful |
| Opdracht: MLSD | command MLSD |
| Antwoord: 425 Unable to build data connection: Connection refused | response: unable to build data connection / refused |
| Fout: Ontvangen van mappenlijst is mislukt | error: receiving folder list failed |
| Status: Verbinding gesloten door server | connection closed by server |
Below is the exact SCALE FTP setup,
and that of user MrTrueImage (being TrueImage).
FTP uses multiple TCP connections. What you are seeing in your traffic dump is the control connection (port 21). All data transfer is done with a separate TCP connection (this includes the list of directory contents).
In active mode, which is the case in your screenshot, the server is the one which must open the data connection. The client tells the server “use 192.168.17.107 port 11447 as the destination for the data connection” (that is done via the PORT command). The server tries to establish a connection (the SYN packet, in dark gray) but gets rejected (TCP RST in red).
My guess is that you have a firewall rule that only allows traffic on TCP port 21.
Here’s how I set up my FTP server:
- Choose a random port for “Minimum Passive Port” (example: 21000).
- Enter “Minimum Passive Port” and “Maximum Passive Port” in the TrueNAS FTP Server settings.
- Add a firewall rule: Protocol: TCP, SRC: [Client IP Range], DST: [FTP Server IP], Port range: 21000-21100.
- Always use passive mode on the client with this setup. Also, if NAT is in use you need to set the “Masquerade Address” setting (doesn’t seem to be necessary in your case).
Or replace the outdated insecure and completely brain dead FTP with a current secure and sane protocol that uses only a single TCP connection like SFTP or DAV over HTTPS.
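The active/passive distinction in the replies above, as an added example that is not code from the thread, from TrueNAS, FileZilla or pfSense: it decodes the client's PORT argument and the server's 227 PASV reply into the endpoint of the data connection, works out which side sends the SYN that opens it, and checks that SYN against a constructed allow-list of the kind suggested (port 21 plus a passive range, client to server only). The PORT argument reuses the 192.168.17.107 / 11447 values quoted above; the server address, the PASV reply and the rule list are assumptions made up for the demonstration.

```python
"""FTP data-channel endpoint decoder with a firewall allow-list check.

Added example for this thread, not code from the forum, FileZilla, TrueNAS or
pfSense.  The client/server addresses and the rule list below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

FTP_CONTROL_PORT = 21


def decode_port_command(arg):
    """Parse the argument of a client PORT command, e.g. "192,168,17,107,44,183".

    Returns (host, port) of the *client* socket that the *server* must connect
    to: in active mode the data connection is opened by the server.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs 6 comma-separated numbers: %r" % arg)
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT field outside 0..255: %r" % arg)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PORT data port 0 is invalid: %r" % arg)
    return ".".join(str(n) for n in nums[:4]), port


_PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv_reply(reply):
    """Parse a server "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.

    Returns (host, port) of the *server* socket that the *client* must connect
    to: in passive mode the client opens the data connection, in the same
    direction as the control connection on port 21.
    """
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV field outside 0..255: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_syn(mode, client_ip, server_ip, text):
    """Return (src_ip, dst_ip, dst_port) of the TCP SYN that opens the data channel.

    `text` is the PORT argument (active mode) or the 227 reply (passive mode).
    """
    if mode == "active":
        host, port = decode_port_command(text)
        return server_ip, host, port   # server -> client: the SYN the OP's firewall rejected
    if mode == "passive":
        host, port = decode_pasv_reply(text)
        return client_ip, host, port   # client -> server: same direction as port 21
    raise ValueError("mode must be 'active' or 'passive'")


def firewall_allows(rules, src_ip, dst_ip, dst_port):
    """Check one SYN against allow rules of the form (src_net, dst_net, port_lo, port_hi).

    Models a stateful firewall: only the SYN direction needs a rule, the
    replies ride on the established state.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, lo, hi in rules:
        if src in ip_network(src_net) and dst in ip_network(dst_net) and lo <= dst_port <= hi:
            return True
    return False


# Constructed addresses: client in a "PC" VLAN, NAS in a "GreenZone" VLAN.
CLIENT_IP = "192.168.17.107"
SERVER_IP = "192.168.50.10"

# Constructed rule set following the thread's advice: control port plus a
# passive range, client -> server only.  Nothing allows server -> client.
RULES = [
    ("192.168.17.0/24", "192.168.50.10/32", FTP_CONTROL_PORT, FTP_CONTROL_PORT),
    ("192.168.17.0/24", "192.168.50.10/32", 21000, 21100),
]


def check_modes(rules=RULES):
    """Return {mode: allowed} for one active and one passive data channel."""
    active = data_syn("active", CLIENT_IP, SERVER_IP, "192,168,17,107,44,183")
    passive = data_syn("passive", CLIENT_IP, SERVER_IP,
                       "227 Entering Passive Mode (192,168,50,10,82,8).")
    return {
        "active": firewall_allows(rules, *active),
        "passive": firewall_allows(rules, *passive),
    }


if __name__ == "__main__":
    for mode, ok in check_modes().items():
        print("%-7s data SYN %s" % (mode, "allowed" if ok else "blocked (server answers 425)"))
```

With the constructed rules the active-mode SYN (server to client, port 11447) matches nothing and is dropped, which is exactly the 425 seen in the FileZilla log, while the passive-mode SYN (client to server, port 21000) falls inside the allowed range. To reproduce the OP's own case, replace the PORT argument with the one from the log; the decoder shows which client port the NAS tried to reach.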
@bacon’s analysis is correct - you need to allow the data connections. My suggestion to allow anything from FileZilla to TN and set passive mode does exactly that.
With @bacon’s more detailed instructions you can limit the port range you allow somewhat.
In the situation that my Windows install is not running, I need to recover via a boot USB. Also in that case the NAS-based backup needs to be accessible, and not only that, but also without the option to enter a long complex password or key set.
The alternative methods would be:
- to have the actual system backup on a local drive
- to have a reasonably recent backup image on a USB / removable SSD:
  - connect the removable drive with that older image
  - boot with the True Image boot ISO
  - install that older Windows ISO
  - boot that Windows version
  - fetch the actual backup and install that one
  - reboot into the actual Windows version
As you understand, I am not a big fan of the NAS backup, given all the related issues.
Most home users don’t have a firewall set up with VLANs and security zones restricting or blocking LAN traffic, so your issues are what I would describe as rather esoteric.
Thanks! You really helped me understand the main problem!!
I am still facing issues, also related to this issue, but not the ‘core problem’.
To mention:
- the TrueNAS FTP server … is not without ‘issues’.
  - I added passive port values, which changed the behaviour; however, I am not sure it works without these entries (even with the firewall wide open). The behaviour does feel weird.
  - the way you have to configure the FTP server authorization is … less clear
  - the user’s home folder is at the same time the root of its FTP folder
  - you can only access one dataset
  - if the dataset has a child dataset, it is not recognized / seen as an FTP folder
- the True Image FTP client … also has many ‘quirks’, surely not behaving like it should
- I had / have trouble finding out which firewall rules are exactly needed.
  - with everything open it works, but I always opt for opening ‘as little as possible’
  - which is difficult to find out because I had trouble with my firewall logging, and both the FTP client and the FTP server are not of the quality you would like to see.
- I decided to store the backups in the dataset main folder. Working with sub-folders … difficult.
I have it more or less working now, but I am not sure if I will stick with this backup method given all the related ‘issues and disadvantages’.