- This topic is empty.
September 22, 2004 at 7:05 pm #28467
I’ve found what would be a particular perverse bug if it’s genuine: The response to a PASV request is not the one shown in the log – and is for a port outside of the specified port range.
I’m behind a DrayTek Vigor2600We firewall/router and have port 21 open for the server and ports 21000-21099 open for PASV connections. I’m using NAT port forwarding to the Windows 2000 box running Cerberus 2.21. I’ve manually entered my external IP into the ‘PASV Options’ box under ‘Interface Options’ and set up the ‘PASV Port Range’ under ‘Advanced’.
When I make a PASV request from the outside world, Cerberus logs (with a couple of octets removed for reasons of paranoia):Code:
Wed Sep 22 19:57:04 2004 5 PASV
Wed Sep 22 19:57:04 2004 5 227 Entering Passive Mode (82,69,___,___,82,9)
..except that I see at the far end (using raw telnet!):Code:
227 Entering Passive Mode (82,69,___,___,132,204)
The logged port (21001, in this case) is in my intended range – but the received port (33996) is clearly not.
My question then is this: Is this a bug or have I missed some intricate detail of using PASV?September 23, 2004 at 1:55 am #32329
I have a feeling your router is performing some kind of content filtering/forwarding on the FTP traffic. I did a quick lookup of your router and discovered it has something called a “PASV FTP – Virtual FTP Server.” Not sure what that is, but the router is packed with so many firewall, security, and packet-filtering capabilities that anything is possible. I would also look at the NAT Port redirection and translation feature present on your router.
I can’t find anything in the Cerberus FTP Server code that could account for the results you are seeing. In addition, I have never observed, nor had anyone report a similiar problem.
I would suggest taking a closer look at your router configuration. Any more insight you could provide on this would be appreciated.
Thanks,September 23, 2004 at 4:58 pm #32330
Ah, that seems a likely explanation. I swear, that router’s smarter than I am.
Thanks for taking an initial delve into the manuals for it. I’ll get to the bottom of the issue and get back to you. I’ll be glad to get it sorted – yours is the only sane bit of FTP server software for Windows that I’ve come across.September 23, 2004 at 5:42 pm #32331
Thanks, and happy to help.September 24, 2004 at 7:00 pm #32332 I’ve finally got to the bottom of the problem – and it’s an argument between ‘Detect WAN IP at Startup’ and my router.
My DrayTek firewall/router basically won’t play with PASV unless it controls the NAT – but as a result doesn’t need me to open up any ports except 21.
So, when Cerberus offers out:Code:
Fri Sep 24 19:45:10 2004 1 PASV
Fri Sep 24 19:45:10 2004 1 227 Entering Passive Mode (192,168,1,1,4,3)
…the FTP client sees:Code:
227 Entering Passive Mode (82,69,___,___,135,180)
…and the firewall quietly opens up the appropriate port and sets up the NAT to route the connection through to Cerberus – and it all works.
However, if I opt to autodetect the WAN IP at installation – or check the ‘Detect WAN IP at Startup’ option – it all goes pear-shaped. Cerberus correctly spots the WAN IP, inserts the ‘PASVIp’ keys into the registry under the various interfaces (including ‘Default’) and when I try a PASV connection, Cerberus tries to help by putting in the correct external IP address:Code:
Fri Sep 24 19:50:41 2004 0 PASV
Fri Sep 24 19:50:41 2004 0 227 Entering Passive Mode (82,69,___,___,4,2)
…but now all that PASV NAT jiggery-pokery from my firewall/router fails – in fact, it tries to route from its own auto-allocated and automatically opened port to port 1026 (in this example) on its
external interface rather than on the machine hosting Cerberus.
Unfortunately, unchecking the ‘Detect WAN IP at Startup’ option doesn’t clear the ‘PASVIp’ registry keys. The way to override it, therefore, is to go to ‘Server Manager’ > ‘Interface Options’ > ‘PASV Options’ and enter the interface’s
own IP (192.168.1.1 in this case) under ‘Use different IP for PASV command’. PASV connections begin to work once more.
To be fair, the confusion lies mainly with my firewall/router which provides no real information about this ‘feature’ and certainly no way of turning it off. However, given Cerberus encourages a user to auto-detect their WAN IP at installation, it’s fairly easy to fall into this quagmire.
As a suggestion, you might want to clear out the ‘PASVIp’ registry keys when the ‘Detect WAN IP at Startup’ option is unchecked but, in the main, probably the best course of action is to add my experience to your FAQ.October 6, 2004 at 3:38 am #32333
Ahh, smart routers. You have to love them. Thanks for the excellent explanation of the problem. I will take both of your suggestions and try to incorporate them into future Cerberus releases.July 17, 2005 at 12:13 am #32334ROram3Participant I believe I was suffering from the same problem growfybruce was . I was running Cerberus 2.22 behind a D-Link 614+ for ages with no apparent problems, although I am not sure I tried this specifically. I upgraded (!?) my router to a D-Link 4300, and then could not connect to my server from an IE client. I upgraded my server to 2.32 in an attempt to fix this problem, to no avail. I saw growfybruce ‘s fix in the forum,
and it worked. Now, based on your answer, it looks like you were going to include a fix in future releases. He was using 2.21, and I am using 2.32. Did the fix not make it in yet?
Based on my forum perusal, I sounds like alot of people are having this same issue, but are being misdiagnosed! Maybe you could put a list of routers on the site that have this known issue, with instructions on how to work around it?
- You must be logged in to reply to this topic.