PASV port differs between log and actual message


Post by growfybruce » Wed Sep 22, 2004 3:05 pm

I've found what would be a particularly perverse bug if it's genuine:

The response to a PASV request is not the one shown in the log - and is for a port outside of the specified port range.

I'm behind a DrayTek Vigor2600We firewall/router and have port 21 open for the server and ports 21000-21099 open for PASV connections. I'm using NAT port forwarding to the Windows 2000 box running Cerberus 2.21. I've manually entered my external IP into the 'PASV Options' box under 'Interface Options' and set up the 'PASV Port Range' under 'Advanced'.

When I make a PASV request from the outside world, Cerberus logs (with a couple of octets removed for reasons of paranoia):

Wed Sep 22 19:57:04 2004  5  PASV 
Wed Sep 22 19:57:04 2004 5 227 Entering Passive Mode (82,69,___,___,82,9)

...except that I see at the far end (using raw telnet!):

PASV
227 Entering Passive Mode (82,69,___,___,132,204)

The logged port (21001, in this case) is in my intended range - but the received port (33996) is clearly not.

My question then is this: Is this a bug or have I missed some intricate detail of using PASV?


Post by Serin » Wed Sep 22, 2004 9:55 pm

I have a feeling your router is performing some kind of content filtering/forwarding on the FTP traffic. I did a quick lookup of your router and discovered it has something called a "PASV FTP – Virtual FTP Server." Not sure what that is, but the router is packed with so many firewall, security, and packet-filtering capabilities that anything is possible. I would also look at the NAT Port redirection and translation feature present on your router.

I can't find anything in the Cerberus FTP Server code that could account for the results you are seeing. In addition, I have never observed, nor had anyone report, a similar problem.

I would suggest taking a closer look at your router configuration. Any more insight you could provide on this would be appreciated.

Thanks,


Post by growfybruce » Thu Sep 23, 2004 12:58 pm

Ah, that seems a likely explanation. I swear, that router's smarter than I am.

Thanks for taking an initial delve into the manuals for it. I'll get to the bottom of the issue and get back to you. I'll be glad to get it sorted - yours is the only sane bit of FTP server software for Windows that I've come across.


Post by Serin » Thu Sep 23, 2004 1:42 pm

Thanks, and happy to help.


Post by growfybruce » Fri Sep 24, 2004 3:00 pm

I've finally got to the bottom of the problem - and it's an argument between 'Detect WAN IP at Startup' and my router.

My DrayTek firewall/router basically won't play with PASV unless it controls the NAT - but as a result doesn't need me to open up any ports except 21.

So, when Cerberus offers out:

Fri Sep 24 19:45:10 2004  1  PASV 
Fri Sep 24 19:45:10 2004 1 227 Entering Passive Mode (192,168,1,1,4,3)

...the FTP client sees:

PASV
227 Entering Passive Mode (82,69,___,___,135,180)

...and the firewall quietly opens up the appropriate port and sets up the NAT to route the connection through to Cerberus - and it all works.

However, if I opt to autodetect the WAN IP at installation - or check the 'Detect WAN IP at Startup' option - it all goes pear-shaped. Cerberus correctly spots the WAN IP, inserts the 'PASVIp' keys into the registry under the various interfaces (including 'Default') and when I try a PASV connection, Cerberus tries to help by putting in the correct external IP address:

Fri Sep 24 19:50:41 2004  0  PASV 
Fri Sep 24 19:50:41 2004 0 227 Entering Passive Mode (82,69,___,___,4,2)

...but now all that PASV NAT jiggery-pokery from my firewall/router fails - in fact, it tries to route from its own auto-allocated and automatically opened port to port 1026 (in this example) on its external interface rather than on the machine hosting Cerberus.

Unfortunately, unchecking the 'Detect WAN IP at Startup' option doesn't clear the 'PASVIp' registry keys. The way to override it, therefore, is to go to 'Server Manager' > 'Interface Options' > 'PASV Options' and enter the interface's own IP (192.168.1.1 in this case) under 'Use different IP for PASV command'. PASV connections begin to work once more.

To be fair, the confusion lies mainly with my firewall/router which provides no real information about this 'feature' and certainly no way of turning it off. However, given Cerberus encourages a user to auto-detect their WAN IP at installation, it's fairly easy to fall into this quagmire.

As a suggestion, you might want to clear out the 'PASVIp' registry keys when the 'Detect WAN IP at Startup' option is unchecked but, in the main, probably the best course of action is to add my experience to your FAQ.
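
Added example, not part of the original posts or of Cerberus itself: it decodes the six-number 227 tuple (port = p1 × 256 + p2) and diffs what the server logged against what the client received, which is how the in-path rewriting in this thread shows up. The function names, finding tags and the 203.0.113.10 address (standing in for the masked octets) are assumptions.

```python
import ipaddress
import re

# Matches the six-number tuple in "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"\b227\b[^(\r\n]*\((\d{1,3}(?:\s*,\s*\d{1,3}){5})\)")

def parse_227(line):
    """Return (IPv4Address, port) advertised by a 227 reply or log line."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"no 227 reply found in {line!r}")
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError(f"field above 255 in {line!r}")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def compare_pasv(server_line, client_line, lan_ip, port_range=None):
    """Compare the reply the server logged with the one the client received."""
    s_ip, s_port = parse_227(server_line)
    c_ip, c_port = parse_227(client_line)
    findings = set()
    if s_ip != c_ip:
        findings.add("address-rewritten")        # a device in the path changed the IP
    if s_port != c_port:
        findings.add("port-rewritten")           # a device in the path changed the port
    if port_range and not port_range[0] <= c_port <= port_range[1]:
        findings.add("port-outside-range")       # client is sent outside the PASV range
    if s_ip != ipaddress.IPv4Address(lan_ip):
        findings.add("advertised-ip-not-local")  # server announces an IP it does not own
    return findings

# Constructed samples: 203.0.113.10 replaces the masked WAN address;
# the port bytes are the ones quoted in the thread.
FIRST_POST = compare_pasv(
    "Wed Sep 22 19:57:04 2004 5 227 Entering Passive Mode (203,0,113,10,82,9)",
    "227 Entering Passive Mode (203,0,113,10,132,204)",
    lan_ip="192.168.1.1", port_range=(21000, 21099))
WORKING = compare_pasv(
    "Fri Sep 24 19:45:10 2004 1 227 Entering Passive Mode (192,168,1,1,4,3)",
    "227 Entering Passive Mode (203,0,113,10,135,180)",
    lan_ip="192.168.1.1")

if __name__ == "__main__":
    print(sorted(FIRST_POST))
    print(sorted(WORKING))
```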


Post by Serin » Tue Oct 05, 2004 11:38 pm

Ahh, smart routers. You have to love them. Thanks for the excellent explanation of the problem. I will take both of your suggestions and try to incorporate them into future Cerberus releases.


My Router is smart?

Post by ROram3 » Sat Jul 16, 2005 8:13 pm

I believe I was suffering from the same problem growfybruce was. I was running Cerberus 2.22 behind a D-Link 614+ for ages with no apparent problems, although I am not sure I tried this specifically. I upgraded (!?) my router to a D-Link 4300, and then could not connect to my server from an IE client. I upgraded my server to 2.32 in an attempt to fix this problem, to no avail. I saw growfybruce's fix in the forum,
viewtopic.php?t=1122
and it worked. Now, based on your answer, it looks like you were going to include a fix in future releases. He was using 2.21, and I am using 2.32. Did the fix not make it in yet?
Based on my forum perusal, it sounds like a lot of people are having this same issue, but are being misdiagnosed! Maybe you could put a list of routers on the site that have this known issue, with instructions on how to work around it?
