PASV error on LAN behind firewall/router and WAN

drdoalot
Posts: 2
Joined: Sat Oct 16, 2004 6:53 pm

PASV error on LAN behind firewall/router and WAN

Post by drdoalot » Sat Oct 16, 2004 7:20 pm

I have almost set up everything on this version (2.22), including users and access, and have even got my login screen from another internet connection, so I must have done something right with my ports in my router. I'm running XP Pro SP2 with all updates, running fixed IP addresses on my LAN and from my ISP. I'm sure you have heard this fault before, but why is it that I'm getting the exact same error when I'm logging in on another computer on the network (of course using the local IP instead, and still receiving the login box)? Surely the firewall settings have nothing to do with the LAN. All software firewalls are turned off on each computer. I have tried changing the passive FTP setting in IE6. I have changed the PASV range from 6000 to 6600 and still no luck. If your answer is regarding changing settings on my router, why do I still have the same problem through my LAN? Somebody please help.

renke
Experienced User
Posts: 63
Joined: Fri Apr 16, 2004 4:31 am
Location: Old Europe ;-)

Post by renke » Tue Oct 19, 2004 4:14 am

The XP-Firewall influences the local network - can you connect to your ftp-server if you disable the ms-firewall?

drdoalot
Posts: 2
Joined: Sat Oct 16, 2004 6:53 pm

Still no luck

Post by drdoalot » Wed Oct 20, 2004 2:43 pm

All my software firewalls have been turned off, leaving only my hardware firewall to do the work. All other firewalls on client computers have been turned off for test purposes. My hardware firewall must have the correct ports open, as remote computers are confronted with a login screen; it's only after that (and likewise with the LAN-only login) that the error box appears, stating that we do not have the privileges to access the folder. The user name and password must be correct, otherwise it gives me a different message.

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Wed Oct 20, 2004 6:39 pm

Hello drdoalot,

The exact error you are getting is a little unclear. Could you please post the Cerberus FTP Server log file showing the problem? It sounds like you are hitting the server fine, but that sometimes the client is giving the "do not have the privileges to access the folder" error message. The log file showing the difference between a successful query and your error should shed light on your problem.

frank

Post by frank » Tue Nov 30, 2004 8:17 pm

I had the same problem for several days (spending hours trying to find the reason). I assigned the ports 4000 to 4003 to PASV and statically routed these ports to my local server through the hardware firewall and NAT. The first connect to the server worked well. But when it tried to switch to passive mode, I got timeouts. Only the active mode worked fine! Each time it switched to PASV, I saw in the logs ports reported to the client that were completely different from the ports I specified for PASV (mostly 55xxx ports). It seemed to ignore the PASV ports setting completely.

Just an hour ago, I changed the local port of Cerberus FTP from 21 (& 20) to 31 (& 30) so that I could also test other FTP servers on port 20/21 to see if they do a better job (without having to shut down Cerberus), also changing the mapping at the NAT. Externally it was available at ports 920/921 all the time. The active connections still worked fine. I didn't test passive mode anymore. For testing other servers I now mapped ports 20/21 internal to 820/821 external.

Now I tested some more FTP servers, but there was no chance to set up these servers as required. So I returned to the articles here. When I saw this article, I thought I should post a reply. So I tested the passive mode once again to get logs for posting here. But, surprise, surprise, passive mode suddenly works!!!! It suddenly used the ports I defined in the setup!!!!

Somewhere I've read a report about saving settings to the registry and a settings file "users.pro". Someone said that parts of the settings were only updated in the registry, but not inside the "users.pro". If this could be the reason for the problem, maybe I forced the update of the "users.pro" by changing the local port at the interfaces.

I also saw that after the change the second interface with the explicit (local) IP address disappeared for some time and then returned (btw: I have only one interface on my system).


:arrow: I hope this will help you to discover the problem!


For myself, there's only one problem left with PASV: my IP address changes every 24 hours and Cerberus doesn't see the change until the application is restarted. So now I can use PASV only until the next IP change. After that, only active mode still works. :(
When autodetecting the WAN IP, Cerberus should verify that the IP didn't change at least, e.g., every 10 minutes... (I DON'T use dyndns to assign a domain name to my changing IP, I just use a small tool that posts my (changing) IP address via FTP to my externally hosted website...)

operating system: Windows 98 SE, dsl-router: SMC 7004 VBR

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Tue Nov 30, 2004 9:37 pm

Hello,

Well, the main problem is that the port range you are specifying for PASV is too small. You need a much larger range to guarantee success. This is because FTP needs to issue a new PASV command for each command that uses the data port (file transfers and file listings for example.)

However, TCP/IP has a built-in timeout that has to elapse before a port can be re-used, so if your range is too small and Cerberus has to attempt to re-use a port before the timeout has elapsed, the command will fail. The timeout can take several minutes.

I would recommend a PASV range of at least 100 ports.

frank

Post by frank » Wed Dec 01, 2004 5:51 pm

I see, but when I was testing, it at first NEVER used one of the specified ports for PASV (the login always died with the switch to passive mode, the PASV command). Since the described moment, it has used ONLY the (four) specified ports, and it never failed again! That was really strange!!!

Btw: in my first tests, I started with a port range of 10 ports... (and it ALWAYS failed in the described way). I reduced it to 4 ports because, for static routing, I could not define ranges. I had to open each port with a single rule, and the number of rules is therefore limited on the router. I'll soon test again with triggered opening of ports as well. There I can specify ranges, and then I'll increase the range again.

But I'm not sure what will happen if I touch the PASV port range again in the Cerberus FTP setup...

frank
New User
Posts: 4
Joined: Wed Dec 01, 2004 6:09 pm

Post by frank » Wed Dec 01, 2004 7:48 pm

OK, it seems that I looked at the wrong logs. Now I managed to reproduce the problem, and the server correctly shows the right ports for PASV, but the client always shows (and tries to connect to) the wrong ports. It seems that for some reason the ROUTER sometimes ignores NAT entries and then assigns external ports dynamically. This is really strange, but I think Cerberus FTP is not involved in the problem.

:arrow: currently testing with an increased port range of 100 ports for PASV

frank
New User
Posts: 4
Joined: Wed Dec 01, 2004 6:09 pm

Post by frank » Thu Dec 02, 2004 2:47 pm

I could finally isolate my problem: my SMC router seems to modify the ports of PASV commands when using port 21 for FTP! It changes the port specified by the FTP server to a port 55xxx.
But somehow it doesn't automatically route this port back to the original port. It even reports "LAND" attacks on this port... :(

When you switch to a different port, everything works fine. I first ran into these problems with Cerberus FTP until I moved to a different internal port. When I installed a second FTP server ("FZ"), I ran into the same problems, until I also changed the port for the second server. I haven't found any documentation about this behaviour up to now. It should be expected that many SMC router models behave the same way. So if the NAT routing for the PASV command does not work, try changing to a different local port (away from port 21)!

:arrow: My only remaining problem is that Cerberus FTP does not detect a changing IP while running ("FZ" does!), so PASV will fail after an IP change (every 24 hours) until you restart the application...
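
Added example, not part of any post in this thread and not Cerberus code: a small Python check that compares the `227` PASV reply the server logged with the one the client received, flagging the two failures described above (a router rewriting the data port, and a stale advertised WAN IP). The sample replies, the documentation addresses and the function names are constructed for illustration; the reply layout is the standard RFC 959 form.

```python
import ipaddress
import re

# RFC 959 reply: 227 ... (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))

def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None if malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if max(n) > 255:
        return None
    return ipaddress.IPv4Address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def check_pasv(server_line, client_line, port_range, wan_ip):
    """Compare the 227 reply the server logged with the one the client saw."""
    sent, seen = parse_pasv(server_line), parse_pasv(client_line)
    if sent is None or seen is None:
        return ["unparseable 227 reply"]
    lo, hi = port_range
    findings = []
    if not lo <= sent[1] <= hi:
        findings.append("server port outside configured PASV range")
    if sent[1] != seen[1]:
        findings.append("port rewritten between server and client")
    if not lo <= seen[1] <= hi:
        findings.append("client port not covered by forwarding rules")
    if seen[0] != ipaddress.IPv4Address(wan_ip):
        findings.append("advertised IP is not the current WAN IP")
    return findings

# Constructed sample replies (documentation addresses, not from the thread).
SERVER_LOG = "227 Entering Passive Mode (203,0,113,10,15,160)"   # port 4000
CLIENT_LOG = "227 Entering Passive Mode (203,0,113,10,215,9)"    # port 55049

if __name__ == "__main__":
    # Router rewrote the port: server sent 4000, client was told 55049.
    print(check_pasv(SERVER_LOG, CLIENT_LOG, (4000, 4003), "203.0.113.10"))
    # WAN IP changed but the server still advertises the old one.
    print(check_pasv(SERVER_LOG, SERVER_LOG, (4000, 4003), "203.0.113.77"))
```

A "port rewritten" finding with a correct server-side log points at the NAT device rather than the FTP server, which is the conclusion reached in the posts above.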

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Mon Dec 06, 2004 5:24 pm

Yes, I am aware of the PASV IP issue. The next release should solve the issue.

odino
Posts: 2
Joined: Tue May 17, 2005 8:13 pm

Post by odino » Tue May 17, 2005 8:23 pm

Will this get fixed anytime soon? It's an annoying bug.