Feature Request : Local subnet list for passive mode

[remorse]

In the passive mode settings on the server i have the option to "Don't use external IP for local connections".

Would it be possible to add a configurable list of subnets that the server would consider local.

Regards,
Anders

[botg]

Why?

[remorse]

Becuase I have several internal networks/subnets that I want to use normal mode and the external connections should use passive mode (ie on the outside of the FW).

Regards

Remorse

[botg]

Should work fine as long as you are using private IP address ranges for your internal networks. What exactly is the problem?

[remorse]

I am not seeing this behaviour in the software.

In the passive mode setting i have the "Use the following IP address" set and added an IP address.
Also the "Use custom port range" is set and i have a span of 1000 ports 61000 - 62000.
The "Don't use external IP for local connections" is also set.

When i connect from 10.100.40.10 (Client) to 192.168.2.10 (Server) in passive mode it gives out the external IP.

I know that i could avoid this by setting the client to use active mode but i do not have control of all the clients.

Regards,
Remorse

[botg]

Private IP address ranges are unroutable, you shouldn't even be able to contact 192.168.0.0/16 from 10.0.0.0/8 imo.

[da chicken]

No, they're fully routeable. They're just private. Any router that is sending or receiving data on an Internet IP address -- that is, the public network -- should be configured to drop packets for private networks.

There's no reason you couldn't set up a private network to route between 10.0.0.0/8, 192.168.0.0/16, and 172.16-32.0.0/16 as long as it's still a private network. Remember, 192.168.0.0 is technically 255 class C networks. They're meant to be routable. I can't think of a case scenario where you'd exhaust the 10.0.0.0 subnet, but I suppose it could happen. The only time I've seen the problem come up is when two entities merge and need to merge networks as a part of migration.

You'll need to write a custom web script that can handle the decision making of what IP address needs to be returned. That's why you're given the "use external script" method.

[botg]

Since you do have more than 16 million machines in your LAN (while else use more than one private address range), have you ever considered switching to IPv6? Far easier.

[remorse]

Since you do have more than 16 million machines in your LAN (while else use more than one private address range), have you ever considered switching to IPv6? Far easier.

I'm sure we will switch to IPv6 some day but know i think it would just create more problems.

You'll need to write a custom web script that can handle the decision making of what IP address needs to be returned. That's why you're given the "use external script" method.

Thanks, i will give it a try.

I think it would be a great feature though. Having a editable list with 10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12 by default.

[botg]

You'll need to write a custom web script that can handle the decision making of what IP address needs to be returned. That's why you're given the "use external script" method.

Won't work, the result is cached. Otherwise the default server handling the resolution would get hammered by millions of FZS installations each and every time the PASV command gets used.