access from lan ip via public ip

[muznark]

hello all! I am connected to the internet via a router with a public ip on the wan port.
how to make the server return the public ip when connecting from a private address from the provider's side, and return private ip when connecting frome my home network(192.168.3.1-254) in PASV relpy ?

[muznark]

hello all, to fix this situation without install two servers
Server feature request: passive mode setting, Use the default host from my lan only.

[oibaf]

You must simply activate the check on "Use the default host for local connections" in the Passive mode configuration page.

Schermata del 2023-11-27 17-18-22.png (48.25 KiB) Viewed 6782 times

[botg]

Why? That couldn't possibly work.

[muznark]

if client from provider lan use private ip - server report my private ip for this client...

[muznark]

if a client with a private ip connects from the provider side, and the use default host for local connection option is marked in the server, will your server return the public ip registered in it, or my private ip ?

[oibaf]

You mean that other clients are connecting to the server from IPs in the 172.16.0.0/12 or 10.0.0.0/8 ranges and to those you want the give the server's public IP when they issue the PASV command?

If that is so, it's not currently possible.

[botg]

Clients connecting to the server's public IP address over the internet are always seen as coming from a public IP address. You cannot present such clients your private LAN IP address, as they are not within your local network, and private address ranges are not being routed over the internet.

[muznark]

a small correction is needed to the "use default host for local connection" option, but what should I do with a local connection? all private ip, or selected ip range...?

[muznark]

I understand that the problem is far-fetched (modern software will bypass it), but purely theoretically...

[botg]

Private is private, public is public. There is no distinction between different addresses or address ranges within the same address type.

127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 169.254.0.0/16 are private address ranges. If "Use default host for local connection" is set, FileZilla Server automatically replies to the PASV command with the same IP address used by the FTP control connection. That is guaranteed to work, as the control connection was already being able to be established that same way.

It is only clients connecting from the Internet, and thus a public IP address, which need to be informed about the server's public IP address in the PASV reply. As this information is not available in the presence of NAT, this information has to be provided in the server configuration.

[muznark]

for me, everything behind the wan port is the Internet, and for the server there is a concept of private ip, and I would like all clients behind the wan port to receive a public ip in response to pasv, and my devices on the home network are the private address of the server

[muznark]

option : to shield only my subnet with local connections will not hurt anyone, and will help many, imho

[boco]

Clients coming from the public net don't have a private IP. Private IPs are invalid on the Internet, as they are not unique and thus not routed.

Note that in case of double-NAT (CGN, Carrier Grade NAT), running servers is impossible.

[botg]

option : to shield only my subnet with local connections

"To shield"? Please repeat after me: A NAT is not a firewall. Write that a hundred times.

Note that in case of double-NAT (CGN, Carrier Grade NAT), running servers is impossible.

Double-nat, aka NAT-in-NAT, is an abomination, it must not ever be used. At least thanks to IPv6, these days there's zero reason to ever use NAT. Use IPv6 if you can, it is your friend.