problems when connected to server via a NAT router

This forum is for anyone experiencing problems related to their firewall settings. More specifically, anyone experiencing connection issues should take a look at this forum.
hagrid

problems when connected to server via a NAT router

Post by hagrid » Fri Jan 23, 2004 5:25 pm

The latest release of Cerberus is being used and the problem we are seeing is as follows :-

You can log in to the FTP server without any problems but get the following after issuing a DIR command.

ftp> dir
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Listening on (xxx,xxx,xxx,xxx,yyy,yyy)
ftp: connect: No route to host

where for Cerberus xxx,xxx,xxx,xxx is the LAN IP address of the machine it is being run on and yyy,yyy is the port number.

When the connection is routed to another machine on the LAN running IIS a similar message is returned

ftp> dir
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (xxx,xxx,xxx,xxx,yyy,yyy)
---> LIST
and it all works.

In IIS though xxx,xxx,xxx,xxx is the router's WAN IP address rather than the IP address of the machine IIS is being run on.

From memory IIS isn't configured with the WAN IP address information so it must pick it up from the traffic routed to it and so it would seem that Cerberus doesn't do this.

Cerberus works fine from within the LAN because in this case the machine's IP address on the LAN is exactly what is required but when the traffic comes via a NAT router it doesn't use the WAN address when telling the remote machine what PASV port it is prepared to listen on.

Is there a configuration option to get round this problem?

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Sat Jan 24, 2004 8:54 am

Yes, there is a configuration option to allow the WAN address to be used for the PASV command.
  * Open the "Server Manager" and select the "Interface Options" tab.
  * Select the interface you are interested in, then check the "Use different IP for PASV."
  * Enter your WAN IP address in the IP box that appears.
The above steps should fix your problem.

Sincerely,

afternoonnap

Post by afternoonnap » Fri Jan 30, 2004 10:00 am

serin wrote: Yes, there is a configuration option to allow the WAN address to be used for the PASV command.
  * Open the "Server Manager" and select the "Interface Options" tab.
  * Select the interface you are interested in, then check the "Use different IP for PASV."
  * Enter your WAN IP address in the IP box that appears.
The above steps should fix your problem.

Grant - when I use this option, Cerberus fails trying to open the passive port. It sure looks like you are trying to bind the port to the WAN address instead of just sending the WAN address in the PASV reply. You should always be binding the passive port to the interface address.

afternoonnap

Post by afternoonnap » Fri Jan 30, 2004 10:24 am

Just to be more clear:

Cerberus is running behind a NAT router. Assume the router's external address is x.x.x.x and the IP address of the computer running the Cerberus server is y.y.y.y. I have set up port forwarding so that incoming requests to x.x.x.x in the PASV port range (as well as port 21) are forwarded to y.y.y.y.

So my Cerberus interface is y.y.y.y.

When I enable the "Use different IP for PASV" option, and put in the WAN address x.x.x.x, Cerberus fails opening the passive port whenever it gets a PASV command.

It sure looks like Cerberus is trying to bind the passive port to x.x.x.x, but it can't because that address is on the router. It should be binding to y.y.y.y but sending the address x.x.x.x back to the client in the reply to the PASV command.
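The behaviour described in the post above, as an added sketch that is not part of the thread and is not Cerberus code: the data socket is bound to the server's own interface address, and the WAN address appears only in the text of the 227 reply. The function names and the addresses (127.0.0.1 for the interface, 203.0.113.10 for the WAN side, 192.168.1.20 for a LAN host) are constructed for illustration; the last helper flags a reply that advertises an RFC 1918 address, which is the symptom in the first post.

```python
import ipaddress
import re
import socket

# RFC 1918 ranges; a PASV reply carrying one of these is useless to a client outside the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def open_passive_listener(bind_ip, port=0):
    """Bind the data socket to the server's own interface (y.y.y.y in the post)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Passing the router's WAN address here raises OSError: it is not a local address.
    sock.bind((bind_ip, port))
    sock.listen(1)
    return sock

def pasv_reply(listener, advertise_ip=None):
    """Build the 227 reply; advertise_ip (x.x.x.x) changes the reply text only."""
    bound_ip, port = listener.getsockname()
    octets = (advertise_ip or bound_ip).split(".")
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(octets), port >> 8, port & 0xFF)

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply of the form (h1,h2,h3,h4,p1,p2)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("no address tuple in reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in reply: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def leaks_lan_address(reply):
    """True when the advertised data address is in an RFC 1918 range."""
    addr = ipaddress.ip_address(parse_pasv(reply)[0])
    return any(addr in net for net in RFC1918)

if __name__ == "__main__":
    listener = open_passive_listener("127.0.0.1")      # constructed interface address
    reply = pasv_reply(listener, "203.0.113.10")       # constructed WAN address
    print(reply, "| bound to", listener.getsockname()[0])
    print("LAN address advertised:", leaks_lan_address(reply))
    listener.close()
```

The router still has to forward the passive port range to the server, as the post describes, so the port in the reply should come from that forwarded range rather than from an OS-assigned port as in this sketch.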

Guest

Post by Guest » Mon Feb 02, 2004 11:59 pm

I get the same thing...

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Thu Feb 05, 2004 7:40 am

afternoonnap,

After further investigation, there does appear to be a bug in the "Use different IP for PASV" command. I am working on a fix...


Thanks,
