Netgate Discussion Forum
    Making outbound NAT use a specific IP with Outbound FTP

    9 Posts 2 Posters 3.8k Views
    Cloverleaf

      Hi all,

      I've got outbound FTP working just fine, so I've got a leg up on most of those questions.  I've got the FTP Helper enabled on all interfaces currently (though I will likely disable it on the WAN in a little while as I set up Inbound FTP), but what I want is to have all outbound FTP connections source from a specific VIP.  This is because some companies block on source IP to their FTP sites, and since we're a Dual FW setup, we need that IP to follow.  Right now, everything comes from the box's WAN IP.  I've tried a few different things on Outbound NAT to try and get things working:

      WAN <LAN network> * * 21 <FTP CARP VIP> * NO
      WAN 127.0.0.1 * * 21 <FTP CARP VIP> * NO
      even
      WAN <LAN network> * * * <FTP CARP VIP> * NO

      but I'm betting that since the FTP Helper ends up sourcing the connection, that it picks the source IP to use, and it chooses the default on the interface.  Is anyone aware of a way to change this or in general address this problem?

      Itwerx

        Assuming you've already got an alias group set up to handle that very issue for secure protocols, just add FTP to it…

        Cloverleaf

          I'm sorry, I'm not sure what you're saying here.  The problem is that outbound FTP seems to always source from the WAN IP, likely because the FTP Helper application re-sources the packets and just chooses whatever interface it wants (probably defaulting to the WAN IP).  I've tried various NAT rules to try to force rewriting to a specific IP, but nothing works.

          I'm not sure how any alias group would apply here… we are doing something similar with Outbound HTTP/HTTPS, and that works just fine, though I'm not sure that you can put a port alias in the "destination port" field on NAT as it isn't highlighted, but perhaps I'm not understanding what you're saying.

          Assuming that the problem is with the FTP proxy re-sourcing the connection (as it should, seeing as it's proxying the connection), and I'm also betting that since it's a daemon running one per interface that it's active on, I can't pick and choose per connection what source IP to use, so I'm betting that I either need some way to spawn that process with a set source IP (which would be OK), or a way to rewrite the traffic after it gets done with things (which I'm betting is not possible/valid because the thing exists to deal with problems relating to NAT and FTP in the first place).

          Itwerx

            Ah, sorry, misunderstood the question, ignore my response above.

            Yes, the FTP proxy does always prefer WAN and I don't believe there is a way (yet) to change that and have outbound FTP connections load-balanced properly.

            (I have seen that issue referenced elsewhere though, I suspect it is already on the to-do list.  :)

            Cloverleaf

              Yeah, I was thinking of checking out the code for pftpx and seeing if there's an option to change the binding IP, since even if there is not a UI option for it, being able to specify that would at least solve my problem for now.  And if there's not an option, then I can't imagine that adding that would be that hard.

              Itwerx

                Any chance you could just swap the connections around physically or in the interface setup to achieve the same end?  Might be quicker and easier.

                Cloverleaf

                  It would kinda suck to have to burn a whole interface just for this.  For now we've been contacting FTP customers and having them include the WAN IPs as well as the dedicated IP.  Personally it hasn't ended up being a killer thing to solve from the customer standpoint, and I've been instead spending time trying to hack in OpenVPN filtering in 1.2.2 instead.  But I'll post about that later  :)  Actually, before posting this, I wanted to at least download the code, so I did and unpacked it… it's only 4 files and a Makefile, so I looked through the main C program (my C is pretty crappy) and found an option "f" for a fixed server address.  I'm not entirely sure if that's what I want, but I'll test and report back.

                  Itwerx

                    Maybe I misunderstood the config, but if you have two WAN links, and you want the secondary to (functionally) be the primary, then swapping them around shouldn't be a big deal other than the few minutes of downtime, no?

                    Cloverleaf

                      It's a VIP… Not sure where you got a second WAN from.  I've got a second firewall, if that's what you mean, but the idea is to have that IP still be active on failover, so it really needs to be a CARP VIP.  I'm not trying to load-balance or anything, just trying to dictate what IP ends up being the source IP when viewed externally.  For other protocols, I can just NAT traffic to a specific IP, but for FTP, that doesn't work.

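Added example (not from the thread or from pfSense itself): a small POSIX shell check that parses `pfctl -ss` output and reports which translated (public) address each outbound FTP control connection to port 21 is actually using, so you can confirm whether the NAT rule or the FTP helper won. The state lines below are constructed samples, and 203.0.113.10 is assumed to be the CARP VIP the connections should come from; IPv4 only.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output (not captured from a real firewall).
# pf state format: <if> <proto> <translated src> (<original src>) -> <dst> <state>
# Replace with:  STATES=$(pfctl -ss)   on the firewall itself.
SAMPLE_STATES='wan tcp 203.0.113.2:50123 (192.168.1.20:50123) -> 198.51.100.7:21       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.10:50124 (192.168.1.21:50124) -> 198.51.100.7:21       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.2:50125 (192.168.1.22:50125) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.10:50126 (192.168.1.23:50126) -> 198.51.100.8:21       ESTABLISHED:ESTABLISHED'

# ftp_sources STATES
# Prints the translated source IPv4 address of every TCP state whose
# destination port is 21, one per line. The "->" token is located by
# position so lines without a "(original)" field still parse.
ftp_sources() {
    printf '%s\n' "$1" | awk '$2 == "tcp" {
        dst = ""
        for (i = 1; i <= NF; i++) if ($i == "->") dst = $(i + 1)
        n = split(dst, d, ":")
        if (n == 2 && d[2] == "21") { split($3, s, ":"); print s[1] }
    }'
}

# check_ftp_vip STATES VIP
# Returns 0 when every FTP control connection is sourced from VIP,
# otherwise lists the offending source addresses and returns 1.
check_ftp_vip() {
    bad=$(ftp_sources "$1" | grep -v -x -F "$2" | sort -u)
    if [ -n "$bad" ]; then
        printf 'FTP control connections NOT sourced from %s:\n%s\n' "$2" "$bad"
        return 1
    fi
    return 0
}

check_ftp_vip "$SAMPLE_STATES" 203.0.113.10 \
    || echo "outbound NAT for FTP is still using another address (helper or rule order)"
```

Run it right after opening a test FTP session through the firewall; a source other than the VIP means the helper's own connection, not your NAT rule, is setting the address the remote site sees.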
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.