Trouble in FTP-land



  • I have a cumbersome ftp-problem and could use a little advice
    I have a host on our LAN that needs to connect to a ftp-server on a different subnet, here called LAN2.
    The LAN is 192.168.10.0/24
    The host's ip on the LAN is 192.168.10.7
    The ftp server is on LAN2, 192.168.1.128/25
    The ftp-servers ip is 192.168.1.129, so they say....
    I have a small pfsense-router, the SG-1000, sitting between these 2 LAN's.
    It has a LAN port, 192.168.10.13, and a WAN port connected to the LAN2, with ip 192.168.1.152
    So I have set up traditional NAT on the pfsense-box from LAN TO LAN2 and allowed connections from LAN TO LAN2 in the firewall rules
    Now for the troublesome part:
    If I try to do a normal "passive" ftp connection it connects fine. It's classic ftp, no tls etc.

    Status: Opretter forbindelse til 192.168.1.129:21...
    Status: Forbindelsen blev etableret, venter på velkomstbesked...
    Status: Almindelig FTP er usikkert. Skift til FTP over TLS.
    Status: Logget ind
    Status: Henter mappevisning...
    Kommando: PWD
    Svar: 257 "/" is current directory.
    Kommando: TYPE I
    Svar: 200 Command TYPE okay.
    Kommando: PASV
    Svar: 227 Entering Passive Mode (192,168,241,3,180,95)
    Kommando: MLSD
    Svar: 150 File status okay; about to open data connection.
    Svar: 425 Can't open data connection.
    Fejl: Kunne ikke hente mappeindholdsliste

    Some of this is in Danish, but the client connects correctly to the ftp-server's command-port.
    But then the server tells the client to connect to its data-port on a DIFFERENT ip:
    192.168.241.3, port 180*256+95=46175, which is on a completely different subnet.
    It's a very strange setup with this Dolby ftp-server, so my first thought is that I should maybe use active ftp.
    But before I start to dig into the options, has any of you come across something like this?
    And has someone got some ideas on what to do here?
    If I am going to use active ftp I should obviously set up port forwarding etc.
    But I foresee all kinds of problems with overlapping ip-ranges etc.
    Any ideas anyone?



  • @holunde said in Trouble in FTP-land:

    ....
    The ftp server is on LAN2, 192.168.1.128/25
    The ftp-servers ip is 192.168.1.129, so they say....

    and stop.

    /25 ..... and a host IP using .129 ......
    My binary background switches to red alert.

    @holunde said in Trouble in FTP-land:

    and a WAN port connected to the LAN2, with ip 192.168.1.152

    ... and LAN2 is the second LAN port on the SG ?



  • Hi Gertjan

    Easy now, no need for red alert on this.
    That part is perfectly fine.
    LAN2 is 192.168.1.128/25
    so it has addresses from 192.168.1.129 - 192.168.1.254, broadcast 192.168.1.255.
    And this is where the ftp-server is at 192.168.1.129.
    LAN1 is 192.168.10.0/24.
    And the SG has 192.168.10.13 in LAN1 and 192.168.1.152 in LAN2 and it should be able to route from LAN1 to ROUTE2, which is straightforward.
    The problem is that the ftp-server in passive mode gets back to the client telling it to connect to its DATA-port at the ip 192.168.241.3 after the client has connected correctly to the command-port 21 at 192.168.1.129.
    This is weird, but I have no control over that ftp-server and cannot change that behaviour.
    I have some ideas, but I cannot change the fact that you cannot communicate across subnet-boundaries without a router....☠
    One idea could be to change the LAN1-subnet to 10...* and change the subnetmask on the SG's WAN-port to 255.255.0.0 to include both 192.168.1.129 and 192.168.241.3.
    Another could be not to use a router at all. I think we only need one pc to be able to connect to that ftp-server, so this pc could have another nic for that. And so on...
    So I just wanted to hear, what you think of this whole mess?



  • @holunde said in Trouble in FTP-land:

    so it has addresses from 192.168.1.129 - 192.168.1.254, broadcast 192.168.1.255.

    I was thinking 1 to 127 - 128 and further up using bit 8 (set) which lies outside the mask.
    For memory :

    /24
    1111 1111 1111 1111 1111 1111 0000 0000
    /25
    1111 1111 1111 1111 1111 1111 1000 0000
    

    @holunde said in Trouble in FTP-land:

    192.168.241.3

    Ok, I get it - I guess. The FTP server makes up some IP being totally outside it's network.
    Like : I'm a.b.c.d - talk back to using e.f.g.h.
    I always thought FTP servers messed around with sets of port numbers - not IP addresses.

    If NATting was used, then IP becomes important - but that is not the case here. It's just direct routing.

    @holunde said in Trouble in FTP-land:

    what you think of this whole mess?

    Like millions : so happy that this FTP mess is finally over .....

    Still, I'm using an FTP client and server, a DVR Dashua record on my LAN network that blasts several screenshots every 20 seconds to my web server (webcam !), a dedicated server somewhere on the Internet.
    The FTP server is locked to my @work WAN IP. No TLS, nothing the like because the images are posted anyway.

    What about a clean setup :
    LAN default 192.168.1.1/24
    OPT1 : 192.168.2.1/24
    And WAN something else, also /24
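A worked check covering the three things argued over in this thread: what the 227 reply actually advertises (holunde's 180*256+95 arithmetic), the /25 host range and the mask bits Gertjan wrote out, and whether the wider 255.255.0.0 mask holunde floated would put 192.168.241.3 inside the same network as the FTP server. This is an added example written for this page, not code from either poster or from pfSense; it never opens a connection, it only inspects the reply string and addresses quoted above, and the `192.168.1.152/16` prefix used in the last check is constructed from holunde's WAN-port address plus the suggested /16 mask.

```python
import ipaddress
import re

# Constructed sample input: the 227 reply and addresses quoted in the thread.
PASV_REPLY = "227 Entering Passive Mode (192,168,241,3,180,95)"
CONTROL_SERVER_IP = "192.168.1.129"   # where the client reached port 21
LAN2_CIDR = "192.168.1.128/25"        # the subnet the FTP server sits on

_PASV_RE = re.compile(
    r"\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"
    r"\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or raise ValueError.

    RFC 959 encodes the data endpoint as h1,h2,h3,h4,p1,p2 where the port
    is p1*256 + p2; the thread works this out by hand as 180*256+95.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 Entering Passive Mode reply")
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("227 reply carries no h1,h2,h3,h4,p1,p2 tuple")
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("octet or port byte out of range")
    ip = ipaddress.IPv4Address(".".join(str(v) for v in fields[:4]))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("advertised port 0 is not usable")
    return str(ip), port


def subnet_summary(cidr):
    """Netmask, network address, usable host range and broadcast for a prefix."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def mask_bits(prefixlen):
    """Netmask as 32 bits in groups of four, the way Gertjan laid it out."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
    bits = f"{mask:032b}"
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def check_pasv_target(reply, control_ip, server_cidr):
    """Classify the data endpoint a PASV reply points the client at.

    Reports whether the advertised address is the same host the control
    connection reached and whether it lies inside the server's subnet at
    all; either mismatch is enough to produce a 425 on the data connection.
    """
    ip, port = parse_pasv(reply)
    net = ipaddress.IPv4Network(server_cidr, strict=False)
    return {
        "data_ip": ip,
        "data_port": port,
        "same_as_control": ip == control_ip,
        "in_server_subnet": ipaddress.IPv4Address(ip) in net,
    }


if __name__ == "__main__":
    print(check_pasv_target(PASV_REPLY, CONTROL_SERVER_IP, LAN2_CIDR))
    print(subnet_summary(LAN2_CIDR))
    for p in (24, 25):
        print(f"/{p}", mask_bits(p))
    # holunde's /16 idea: does a 255.255.0.0 mask cover the advertised address?
    print(check_pasv_target(PASV_REPLY, CONTROL_SERVER_IP, "192.168.1.152/16"))
```

Against the reply from the thread, `check_pasv_target` reports the data endpoint as 192.168.241.3:46175, not the control host and not inside 192.168.1.128/25, which is exactly why the MLSD data connection fails; with a /16 the containment check flips to true, which shows what the wider mask would and would not change (the address becomes on-link for the router, but the server still advertises an address nobody on LAN2 answers for unless something holds it).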

