Firewall/NAT

Hi,

I've seen that there are several threads regarding FTP-problems, but I couldn't find a similar case as mine.

I'll try to give as much information as possible :
- monowall 1.3 - generic pc (Vmware ESXi) is our router
- About 50 client-PC's (windows) behind router.
- The Windows clients can't connect to some FTP-servers. Some work though...
- We use Filezilla or Windows Explorer as FTP client.
- See below for Filezilla's errors :
          Status:   Verbinden met 91.183.45.245:21...
          Status:   Verbinding aangemaakt, welkomstbericht afwachten...
          Answer:   220-FTP server ready.
          Answer:   220 This is a private system - No anonymous login
          Commando:   USER NINIX
          Answer:   331 User NINIX OK. Password required
          Commando:   PASS *******
          Answer:   230-User NINIX has group access to:  smbCusto smbusers
          Answer:   230 OK. Current restricted directory is /
          Answer:   FEAT
          Error:   Connection lost
          Error:   Can't connect to server
- Windows Explorer says it can't connect and check if I am authorized.
- We can(!) connect using Firefox or FTP from command line! (active connection?)
- If we replace monowall with other router, than FTP works on all clients correctly!!
- I've attached screenshots of our WAN/LAN-rules and NAT configuration
- We have an FTP server (Filezilla server) which is working correctly, and I don't think it has anything to do with our problems connecting to external FTP server.

read about the difference between passive and active ftp.

http://en.wikipedia.org/wiki/File_Transfer_Protocol#NAT_and_Firewall_traversal

I know the difference, but still can't find what's wrong,
I've disabled just about any rule on monowall, and it won't work.

you need to port forward a group of ports that are used for data traffic back to ftp server. Normally you would go to ftp server and set the ports you want to use for passive transfer. I use 5500-5600. on the client choose passive mode and tell it which ports are being used. In the above  I decided to use 5500-5600 so you would enter the same here. The mono side still requires you to port forward port 21 and ports 5500-5600 to ftp server also. I am using filezilla server for my ftp server and filezill ftp client for this task.

Billmakr,

I think you misunderstood : Our FTP-server behind the monowall router is working correctly.
We can connect to our FTP-server from external locations.

The problem is that we can't connect to some external FTP-servers with filezilla client, from
our local network.
In the mean time I discovered that Core FTP Lite does not have this problem (whereas Filezilla Client does).

Thomas.

if you forwarded the ports the filezilla client uses for passive to the local FTP server, NAT will no longer map them to your local PC.

chances are the other FTP client uses a different set of ports which are not manually mapped.

I've got this problem too.

I'm on a client computer in the network, trying to access a webspace on a remote server via ftp. CoreFTP Lite, FileZilla and WinSCP acts the same all of them; They resolve the IP of the remote server address and tries to establish connection but then it just sits there until it times out. It doesn't matter if I use active or passive.

Just to try, I put the same client computer on an external IP connected directly to the internet, and the connection worked like it should. So I know the problem is in my network, and since the m0n0wall is the only thing between the client and the internet, that must be it.

For troubleshooting, I added rules in the firewall at the top, allowing *all* traffic to and from this specific client, but that doesn't help at all. Probably because I need to port forward the proper ports, I don't know.

This is my setup:
WAN --> vswitch1 in a vmware server --> m0n0wall virtual machine --> vswitch0 (main network)

We have no other issues. http, smtp and rdp all works fine. I'm not sure what to try next, so I'd love some help! Thanks!