1 Reply Latest reply on Mar 18, 2010 7:05 PM by orionweb

    Client (behind NAT) not able to transfer file from FTP server behind NAT

      I'm having no luck trying to configure our FTP server on a non-standard port via NAT on the SnapGear. I've done the usual NAT from the external IP to the internal host, with port translation from the non-standard port to the internal host port 21. Both client and server are behind a SnapGear unit.


      The FTP client can connect to and log in to the server fine but can't seem to transfer any files through. From initial investigation it looks like it failed to negotiate the secondary connection to actually transfer the file. Is there anything in particular I need to also do to get this working? Must I open a range of ports and redivert this to the internal FTP host?



        • 1. Re: Client (behind NAT) not able to transfer file from FTP server behind NAT

          This may assist


          Can we edit the connection tracking module for FTP to use a port number other than TCP/20/21?

          Scenario: We have a server that runs an FTP service listening on TCP/10248. Our clients connect to that server on that port and FTP files to us for daily processing. The problem is, the FTP protocol sends a command (either PORT or PASV, depending on settings) that includes the IP address of the server or client that the other should connect to. When FTP runs over TCP/21, the SG does “connection tracking” to mangle the PORT or PASV command, to change the IP address in the payload to the proper NAT address. I.e., if the server sends the PASV command (something like: PASV (10,240,0,16,51,230)), the SG will change the payload to read PASV (65,213,255,98,51,230) and open and forward the appropriate ports so that the FTP client connects to the proper address, instead of attempting to connect to the internal NAT address.

          However, if the FTP service is running on a port different than TCP/21, for example TCP/10248, then the connection tracking does not occur, and the remote client attempts to connect to the internal NAT address, which of course won’t work.


          Solution: In the ‘start’ file in /etc/config, place the following lines:

          insmod -o ip_conntrack_ftp_10248 ip_conntrack_ftp ports=10248
          insmod -o ip_nat_ftp_10248 ip_nat_ftp ports=10248

          That way, insmod loads the modules needed with the proper port parameters at start.
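
The payload rewrite described in the reply above, as an added Python example (not part of the thread and not SnapGear code). It decodes the six-byte address/port tuple from a control-channel line, flags an advertised private address as the sign that no FTP helper is tracking that port, and applies the same substitution the NAT helper performs. The function names are hypothetical and the sample line is constructed from the addresses quoted in the reply.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as decimal bytes (RFC 959 PORT argument / PASV reply).
TUPLE_RE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)

def parse_endpoint(line):
    """Return (ip, port) advertised in a PORT/PASV line, or None if absent."""
    m = TUPLE_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The data port is carried as two bytes: high byte, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def leaks_internal_address(line):
    """True if the line advertises a private address, i.e. the payload
    crossed the NAT device without being rewritten by an FTP helper."""
    ep = parse_endpoint(line)
    return ep is not None and ipaddress.ip_address(ep[0]).is_private

def rewrite_endpoint(line, nat_ip):
    """Swap the four address bytes for nat_ip and keep the port bytes,
    which is the substitution the reply describes for the PASV payload."""
    m = TUPLE_RE.search(line)
    if not m:
        return line
    new_tuple = ",".join(nat_ip.split(".") + [m.group(5), m.group(6)])
    return line[:m.start()] + new_tuple + line[m.end():]

if __name__ == "__main__":
    # Constructed sample: server reply as seen by a client when the
    # control port (10248) is not covered by the FTP helper.
    seen = "227 Entering Passive Mode (10,240,0,16,51,230)"
    print(parse_endpoint(seen))            # address and data port advertised
    print(leaks_internal_address(seen))    # helper not applied on this port
    print(rewrite_endpoint(seen, "65.213.255.98"))
```

Running the check against a captured control-channel line before and after loading the modules with `ports=10248` shows whether the helper is now rewriting the payload.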