Issue with CARP, NAT and FTP
I have got a strange problem. I need to connect to an external FTP server (not WAN, but through the firewall). The interface is a CARP interface with IP X.X.X.6; the physical interface has the IP X.X.X.4. As both sides are in the same IP range, I have to NAT the connection. I have created a NAT rule that masks all outgoing traffic with the IP X.X.X.6. This works for the most part, but not for the FTP control port: there the IP X.X.X.4 is shown in the logs of the FTP server, making it impossible to transfer data.
I tried it with ftp helper enabled and disabled, but the result is the same. Is this a bug?
Version is 2.3.1-RELEASE-p5
Any help would be greatly appreciated.
So you can not make a control connection or the data connection? Control would be on port 21; for data, who makes the connection depends on whether you're using active or passive. Active: the server would make the connection back to you on the port your client told him to connect to, from source port 20. In passive, your client would make the data connection to the port the server says to connect to.
Are you hiding these IPs because they are public? Why would you have public IPs on both sides that are the same?
The ftp proxy package works for outbound active connections, as long as you're not using ftps or ftpes where the control channel is encrypted. In a passive connection outbound you don't need anything. But you would need correct setup on the firewall in front of the server. So are there 2 firewalls involved here, your client-side one and the server-side one? Do you control both?
When you say external, but not WAN?? So internet? Remote site I assume through a tunnel? An upstream network from this pfSense but not actual internet? So you're saying both sides are using the same network? How exactly are you NATting to get around that?
The problem is that both connections work, technically speaking, but on the target server the control connection is from IP X.X.X.4 and the data connection from X.X.X.6. Of course this does not work. But as there is a NAT rule that should mask all traffic to X.X.X.6, it should work and the FTP control session should also use the X.X.X.6 address.
Thank you for the very fast response.
So let's ask this again. Are those public IPs you're masking? Or some tunnel? If public, are they in the same netblock?
Are you using active or passive? Let's see these NATs that you're saying should NAT, and from both sides? Depending on whether you're using active or passive, the data connection will be initiated from either the server side or the client side. Let's say it's active, so your client is telling the server to connect to the .4 address. How are you doing that? Are you using the active helper? The client knows about its public IP? That IP would be inside the control channel communication and your NAT would have nothing to do with it.
If passive, the server will tell the client which IP to connect to. The path your client takes to get to that IP yes could be controlled by the NAT on your client side. So let's see these NATs, and are these connections going through a tunnel?
Love to help you, but without understanding your setup, that is just impossible.
The IPs are private, it is no tunnel, it's just a connection between two companies on the same campus. The IPs that are masked are private 172.16.x.x and the network used to mask is private as well, 10.x.x.6. FTP is passive or active, the result is the same.
The NAT should mask all requests from the 172.16.x.x network using the CARP IP 10.x.x.6, and it does just that for all traffic I tested besides FTP control; for this specific traffic the firewall always uses 10.x.x.4. So on the FTP server there is a control session using 10.x.x.4 and then the client tries to establish a data session using the IP 10.x.x.6, and of course the FTP server does not like this.
The problem is not that the client does not connect to the server through the firewall, it just uses different IPs for control and data. And as far as I have tested, passive or active FTP does not change the matter.
I hope this was more precise.
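The active/passive mechanics described in the reply above and the control/data source mismatch reported by the OP, as an added worked example (not code from the thread or from pfSense): it decodes the RFC 959 host/port tuple that travels inside the control channel and flags a session whose data endpoint does not line up with the control connection's source. All addresses are constructed placeholders, not the poster's real ones.

```python
import re

# Constructed sample values (hypothetical addresses, not from the thread):
# the FTP server sees the control session arrive from 10.0.0.4 while the
# firewall's outbound NAT should have used the CARP address 10.0.0.6.
CONTROL_SRC = "10.0.0.4"
PORT_CMD = "PORT 10,0,0,6,195,80"                            # active mode, sent by the client
PASV_REPLY = "227 Entering Passive Mode (10,0,0,9,195,81)."  # passive mode, sent by the server
DATA_SRC = "10.0.0.6"                                        # data connection source seen by the server

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple carried by a PORT command
    or a 227 reply into (ip, port); None if the line carries no valid tuple."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_active(control_src, port_cmd):
    """Active mode: the client advertises its own data endpoint inside the
    PORT command. Plain NAT rewrites the IP header, not this payload (that is
    the FTP helper's job), so the address the server will connect back to has
    to match the control connection's source or servers commonly refuse it."""
    ip, port = parse_hostport(port_cmd)
    return {"data_ip": ip, "data_port": port, "consistent": ip == control_src}


def check_passive(control_src, pasv_reply, data_src):
    """Passive mode: the server names the endpoint in the 227 reply and the
    client connects to it. Servers commonly accept the data connection only
    if it arrives from the same source address as the control session."""
    ip, port = parse_hostport(pasv_reply)
    return {"server_ip": ip, "server_port": port, "consistent": data_src == control_src}


if __name__ == "__main__":
    print(check_active(CONTROL_SRC, PORT_CMD))           # consistent: False
    print(check_passive(CONTROL_SRC, PASV_REPLY, DATA_SRC))  # consistent: False
```

Both checks report the same root cause the OP describes: the control session leaves from the physical address while the data path uses the CARP address.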
"the IPs are private, "
Then WTF are you masking them for?? Do you really think someone would find you if you post up 10.0.0.6…
This does 2 things: it makes it harder to understand what you're doing, and 2nd it really brings into question the OP's understanding of basic concepts..
I really have to question why you are NATting?? If all the addresses are RFC 1918 and you're all on the same campus??
So you're saying when you make an ftp connection on 21 (control) it uses 10.x.x.4 (why are you hiding this??).. But all other traffic uses 10.x.x.6??
I would say you're using the ftp package, and you didn't set the source, so it's just using the default WAN vs your CARP address.
The IPs on both sides happen to use the same subnet, so I need to NAT. But you were absolutely right about the cause. It does not help me though, as I am not using the WAN interface for the connection to the other network, so I cannot set the IP. I will try to switch to SSH, this will work for sure.
Thank you very much!