Topic: FTP from WAN to LAN Broken
« on: July 16, 2008, 07:33:51 »
jscleveland

Internally I can authenticate and view and transfer files to and from my FTP server, no problem.  However, when connecting from outside the LAN through the monowall, I am able to authenticate, but that is all.  I can neither view files when connecting through the monowall nor transfer them.

I have Inbound NAT set up to the internal IP and Firewall Rules corresponding to port 21.  I have tried both Passive and Active mode.  I have even tried modifying the Firewall Rules to allow any/any from any/any to this server with the same result.  All other port/service connections to this server work without issues (SSH, HTTP, etc.).

The raw format of the _successful_ authentication looks like this in the logs:
22:17:03.366867 ng0 @200:7 p 66.146.160.25,2092 -> 10.0.0.9,21 PR tcp len 20 60 -S K-S IN

and the non-raw format looks like this:
22:17:03.366867 WAN 66.146.160.25, port 2092 10.0.0.9, port 21 TCP

All subsequent _unsuccessful_ FTP requests look like this in the raw logs:
22:22:08.557846 ng0 @0:22 b 66.146.160.25,1210 -> 99.178.210.194,9902 PR tcp len 20 60 -S IN

and like this in the non-raw logs:
22:22:08.557846 WAN 66.146.160.25, port 1210 99.178.210.194, port 9902 TCP

Notice the port numbers?  These numbers do not remain constant either; each FTP transfer request will result in port numbers all over the place.  What is up with the Monowall and FTP?  And if it's just a port number issue, why didn't setting the Firewall Rules to any/any solve the problem?
« Last Edit: July 16, 2008, 07:46:07 by jscleveland »
« Reply #1 on: July 16, 2008, 08:53:38 »
ChainSaw
Guest

By default, m0n0wall allows everything to pass from LAN to WAN.  If you have changed this default LAN rule, make sure you have a LAN rule that allows TCP port 20 to pass from the LAN to the WAN.

NAT TCP port 21 to your FTP server and add the associated WAN rule.

For passive mode you will need to NAT a port range to your FTP server.  I usually use 50200-50215.  You might need to make this range larger if you have lots of concurrent users.  Don't forget to add the associated WAN rule.

Now you need to configure your FTP server's Passive Port Range to reflect the same port range used above.  You also need to tell your FTP server what its public IP is (the one assigned to your m0n0wall WAN).

CS...
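
An added example, not part of the original posts: a small parser for the raw log format quoted in the question that flags blocked inbound connections from a client that already has a passed FTP control connection, and checks each blocked port against the passive range forwarded on the firewall. The function name, the default range (taken from the reply above) and the third sample line are assumptions made for illustration.

```python
import re

# Raw log layout as quoted in the question:
# time iface @group:rule action src,sport -> dst,dport PR proto ...
LINE = re.compile(
    r"^(?P<time>\S+) (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

# First two lines are the ones quoted in the question; the third is a
# constructed line showing a passed data connection inside the range.
SAMPLE = """\
22:17:03.366867 ng0 @200:7 p 66.146.160.25,2092 -> 10.0.0.9,21 PR tcp len 20 60 -S K-S IN
22:22:08.557846 ng0 @0:22 b 66.146.160.25,1210 -> 99.178.210.194,9902 PR tcp len 20 60 -S IN
22:25:40.000000 ng0 @200:8 p 66.146.160.25,1215 -> 10.0.0.9,50203 PR tcp len 20 60 -S K-S IN
"""


def blocked_passive_data(log_text, passive_range=(50200, 50215)):
    """Return blocked TCP connections that look like FTP data channels.

    A blocked ('b') connection counts when its source address was seen
    earlier with a passed ('p') connection to port 21. Each finding
    records whether the blocked port lies in the forwarded passive range.
    """
    lo, hi = passive_range
    ftp_clients = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["proto"] != "tcp":
            continue  # not a TCP line in the expected raw format
        dport = int(m["dport"])
        if m["action"] == "p" and dport == 21:
            ftp_clients.add(m["src"])  # control connection was allowed
        elif m["action"] == "b" and m["src"] in ftp_clients:
            findings.append({
                "time": m["time"], "client": m["src"], "dst": m["dst"],
                "port": dport, "in_forwarded_range": lo <= dport <= hi,
            })
    return findings


if __name__ == "__main__":
    for f in blocked_passive_data(SAMPLE):
        print(f)
```

A blocked port outside the forwarded range means the FTP server is not yet limited to that range; a blocked port inside it points at a missing NAT or WAN rule for the range.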
 
 
 