Microsoft FTP.exe

charles.regan

FTP Helper:
On WAN or LAN ? or Both ?

sullrich

On my setup its enabled on LAN and WAN.

IE: the check boxes for it are not checked on each respective interface.

charles.regan

ok thanks

what about the RFC Workaround ? on or off ?

charles.regan

Just rebooted with FTP helper enabled on WAN OPT and LAN.
Now i can't access any FTP server with ftp.exe and iexplore.

My setup:
PRE-BETA2
Advanced Outbound NAT
Outbound loadbalancing

sullrich

Try it without outbound load balancing.

charles.regan

wow it works.

How can I make this works with loadbalancing.

sullrich

I know this is going to sound bad, but at the moment I really don't know.

I'll have to put some thought into how to work around this issue.

In the meantime, I wouldn't balance ftp, simply add a rule before your balancing rule and force it out your primary pipe.

charles.regan

ok it works with iexplore in passive mode. but with ftp.exe i have a different error now:

200 PORT command successful
425 Could not open data connection to port 61015: Connection timed out

charles.regan

Proto              Source  Port  Destination  Port  Gateway  Description
TCP/UDP  LAN net      *  *        20 - 21      *                FTP

If i put this rules before my loadbalancing rules in LAN , it doesn't work.
I need to completly disable loadbalancing for it to work with IE in passive mode.

If i disable outbound loadbalancing and permit any any on the wan interface it work with IE and ftp.exe!

What would be the rule to create in LAN to make it work with FTP.

State log:
tcp  127.0.0.1:8021 <- 142.217.134.xxx:21 <- 10.0.3.3:3677  CLOSED:SYN_SENT

charles.regan

Just found a workaround for this. not very secure…

Add this firewall rule in LAN
Proto  Source  Port  Destination  Port  Gateway
*        LAN net  *  127.0.0.1  *  *

Add this firewall rule in WAN
Proto  Source  Port  Destination  Port  Gateway
*                *        *  *      *  *

It works.
Firewall state shows:
tcp  127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3887  FIN_WAIT_2:FIN_WAIT_2
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3896 FIN_WAIT_2:FIN_WAIT_2
tcp 194.71.11.70:20 -> 194.71.11.70:65294 -> 10.0.3.3:3898 FIN_WAIT_2:FIN_WAIT_2
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3899 ESTABLISHED:ESTABLISHED
tcp 194.71.11.70:20 -> 194.71.11.70:62700 -> 10.0.3.3:3903 FIN_WAIT_2:FIN_WAIT_2

Without permit any any on WAN I have this in my state
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3871 ESTABLISHED:ESTABLISHED

And I have this error with ftp.exe
200 PORT command successful
425 Could not open data connection to port 58974: Connection timed out

sullrich

The LAN->Localhost rule is fine.

I would remove that WAN rule ASAP.  Because if you permit all traffic from the internet in, then what is the point of having a firewall at all?

charles.regan

If I remove the permit any any rule on WAN I can't connect using active ftp mode (ftp.exe)

sullrich

@charles.regan:

If I remove the permit any any rule on WAN I can't connect using active ftp mode (ftp.exe)

Then you don't have a firewall!  You're allowing all of the internet into you're device.

charles.regan

My question is What is the rule I should put to make active FTP working.

sullrich

As I told you before I need to figure out how to make this work.  It currently will not work w/ Outgoing LB.

aldo

problem with outgoing ftp. ftp proxy is enabled on wireless. and nothing else it is working
sometimes but is very slow and seems to stop working after about 15 minutes.

still am a bit uncertian as to where to start lookking in respect to this.

additionally pppoe clients seem to also have trouble with ftp as well.