Problem with passive mode (urgent problem - please help)

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.


cpi-ivu
500 Command not understood
Posts: 5
Joined: 2021-02-22 10:25
First name: Christoph
Last name: P.

Problem with passive mode (urgent problem - please help)

#1 Post by cpi-ivu » 2021-02-22 10:40

Hi!
I have an urgent problem: I'm running FileZilla Server on an Amazon EC2 instance. I want the server to be accessible
from the internal network (IP: 172.100.51.4). Now the EC2 instance has a public elastic IP. Now the problem: As I have to use passive
mode, either the clients from inside can transfer files (Settings -> Passive Mode Settings -> IP set to [Default]), or
the clients from outside can connect (Settings -> Passive Mode Settings -> IP set to [the public IP]).

It seems that because the IP 172.100.51.4 is internet routable, the server doesn't accept
transfers because it thinks the IP is public and therefore adds the real public IP to the FTP packets.

How to solve this problem?

Thanks!

botg
Site Admin
Posts: 33411
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Problem with passive mode (urgent problem - please help)

#2 Post by botg » 2021-02-23 08:53

Leaving it at default should work in all cases.

Is there a NAT involved that changes the source IP of incoming connections?

cpi-ivu
500 Command not understood
Posts: 5
Joined: 2021-02-22 10:25
First name: Christoph
Last name: P.

Re: Problem with passive mode

#3 Post by cpi-ivu » 2021-02-23 12:39

botg wrote:
2021-02-23 08:53
Is there a NAT involved that changes the source IP of incoming connections?
No. It's an EC2 instance with an elastic public IP address. It should act like a normal internet-connected server.
botg wrote:
2021-02-23 08:53
Leaving it at default should work in all cases.
So what we have discovered is that if you choose "default", the client is told to use the internal IP of the instance (172.100.51.4). So for internal clients there is no problem when connecting and transferring. But if an external client tries to connect, it gets the same IP (172.100.51.4) and therefore doesn't know how to transfer (you can see 172.100.51.4 in the response log of the server), although the connection is successful.

If we set the external IP in the settings, it's vice versa: the external clients can connect and transfer, but the internal only can connect and not transfer.

We have now connected the internal instance that is holding the client to the internet and connected against the public IP of the instance holding the server. We can now connect to the server successfully.

The question is: why do internal clients get the external IP as target if they come from 172.100.51.4? Why don't they simply get the source IP (=172.100.51.4) as target to connect? Is that because 172.100.51.4 is outside Class B?

Thanks in advance!

boco
Contributor
Posts: 25490
Joined: 2006-05-01 03:28
Location: Germany

Re: Problem with passive mode (urgent problem - please help)

#4 Post by boco » 2021-02-23 16:48

FileZilla Server has an option to handle local connections. Unfortunately, the "local" IP you have does not fall into one of the private ranges reserved for that purpose.
Alone the fact that you have both an "internal" and external IP means there is some type of gateway (most probably NAT) in place. A direct dedicated connection to the Internet would provide you with one public IP address only.

Pragmatic solution: Have internal clients use Active (PORT) mode. That should work as the client will propose the IP.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

cpi-ivu
500 Command not understood
Posts: 5
Joined: 2021-02-22 10:25
First name: Christoph
Last name: P.

Re: Problem with passive mode (urgent problem - please help)

#5 Post by cpi-ivu » 2021-02-24 08:07

boco wrote:
2021-02-23 16:48
FileZilla Server has an option to handle local connections. Unfortunately, the "local" IP you have does not fall into one of the private ranges reserved for that purpose.
Ok. But what is the action by the server then (say there comes a connection from 172.100.51.4)? It allows the login but denies the transfer? Why accept the login?
boco wrote:
2021-02-23 16:48
Alone the fact that you have both an "internal" and external IP means there is some type of gateway (most probably NAT) in place. A direct dedicated connection to the Internet would provide you with one public IP address only.
Yes, you're right. But there is no extra NAT gateway. Only the standard AWS NAT way.
boco wrote:
2021-02-23 16:48
Pragmatic solution: Have internal clients use Active (PORT) mode. That should work as the client will propose the IP.
Sadly, that's no option for us as our software can't manage active FTP connections.

So all in all: we only have the option to access over the right Class B net or through the external IP?

botg
Site Admin
Posts: 33411
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Problem with passive mode (urgent problem - please help)

#6 Post by botg » 2021-02-25 10:10

Try switching to IPv6, it has an address space so large, only a lunatic would use NAT with it. Surely Amazon doesn't hire lunatics.

boco
Contributor
Posts: 25490
Joined: 2006-05-01 03:28
Location: Germany

Re: Problem with passive mode (urgent problem - please help)

#7 Post by boco » 2021-02-26 03:01

The issue is that both IP addresses are regarded as being public ones. By default, FZ Server will listen on one or more socket(s) per available IP address (IP address:listening port). Thus, it will initially react to connection attempts from all address spaces. There is an "IP bindings" tab in the settings where you can control that.
When the client sends PASV, FZ Server replies with the configured IP (Passive settings), which is usually the external one. For connections from private IPs, it will automatically send its private one, but only IF the IP is from a private range AND the option is enabled.

Switching to IPv6 would be a possibility. It would prevent clients without any IPv6 connectivity (sadly, still far too many) from reaching your server, however.
Another possibility is to run 2 FileZilla Server instances with identical configuration, except one is bound to the internal and one to the external IP.

botg
Site Admin
Posts: 33411
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Problem with passive mode (urgent problem - please help)

#8 Post by botg » 2021-02-26 08:53

If there is no IP configured, i.e. "Default" is selected in FileZilla Server, it simply uses the IP address of the control connection, which should work fine unless Amazon does something really crazy with their addressing and routing.

boco
Contributor
Posts: 25490
Joined: 2006-05-01 03:28
Location: Germany

Re: Problem with passive mode (urgent problem - please help)

#9 Post by boco » 2021-02-26 09:46

Obviously, they do. They might be lunatics, after all.

Quote from the OP:
Now the EC2 instance has a public elastic IP.
If truly elastic means dynamic, what good is that for a server that is supposed to home a website?

cpi-ivu
500 Command not understood
Posts: 5
Joined: 2021-02-22 10:25
First name: Christoph
Last name: P.

Re: Problem with passive mode (urgent problem - please help)

#10 Post by cpi-ivu » 2021-02-28 13:58

boco wrote:
2021-02-26 03:01
When the client sends PASV, FZ Server replies with the configured IP (Passive settings), which is usually the external one. For private IPs connections, it will automatically send its private one, but only IF the IP is from a private range AND the option is enabled.
Yes - that's also my observation.
boco wrote:
2021-02-26 09:46
If truly elastic means dynamic, what good is that for a server that is supposed to home a website?
No - elastic does not mean "dynamic" (see https://docs.aws.amazon.com/en_en/AWSEC ... s-eip.html).
botg wrote:
2021-02-26 08:53
If there is no IP configured, ie. "Default" is selected in FileZilla Server, it simply uses the IP address of the control connection, which should work fine unless Amazon does something really crazy with their addressing and routing.
If FZ would just use the source IP of the control connection, everything would be fine. But in my case (privately used non-class-B net) it does indeed not. So if you mean anything else with "Amazon does something really crazy with their addressing and routing" than the Class-B problem, it might explain why everything was working fine with the "default" setting (and one night suddenly stopped working without any known cause).

boco
Contributor
Posts: 25490
Joined: 2006-05-01 03:28
Location: Germany

Re: Problem with passive mode (urgent problem - please help)

#11 Post by boco » 2021-03-01 00:46

Looks like they're inventing fancy monikers again. Need to reinvent the wheel, big A?

So, the external and the other IP are both static. That's actually good. Running two instances of FileZilla Server would be your best option, then. One instance answers the external and the other one the internal calls.

Both can have identical configuration, except for:
- Admin port (e. g. 14147 for the first and 14148 for the second instance). You can even run two admin interfaces, one connecting to localhost:14147 and the other to localhost:14148.
Setting in the XML:

        <Item name="Admin port" type="numeric">14147</Item>

- Bindings (use the external IP for the first and the internal IP for the second).
Setting in the XML:

        <Item name="IP Bindings" type="string">*</Item>

- Configured IPv4 in Passive settings. External IP for the first and internal for the second.
Can be configured in the GUI. Setting "Use the following IP:" and enter external/internal IP accordingly.


- Service settings. Must be set for the second instance, as two services with the same names aren't possible in the OS.

        <Item name="Service name" type="string"></Item>
        <Item name="Service display name" type="string"></Item>

Best done by editing the "FileZilla Server.xml" files directly. Will run a test later, it's been a while since I did this last time.

botg
Site Admin
Posts: 33411
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Problem with passive mode (urgent problem - please help)

#12 Post by botg » 2021-03-01 08:47

Are you using plain FTP or FTP over TLS?

In case of plain FTP, please compare the reply to the PASV command between the server log and the client log, the reply must be identical. If they differ, some firewall or NAT router is intentionally sabotaging FTP.
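The comparison asked for above is easy to script. The following is an added example, not part of the thread: it pulls the last 227 reply out of a server-side and a client-side log, rebuilds the address and port, and reports two different findings. The first is the one botg describes, a reply that differs between the two logs, which means a NAT or firewall rewrote it in transit. The second is the one that explains this thread's symptom even when the logs match, an advertised address that is not the address the client dialled for the control connection. The log lines are constructed approximations of server and client output, not real FileZilla logs, and the addresses other than 172.100.51.4 are documentation-range placeholders.

```python
import re

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed log excerpts. An external client at 198.51.100.7 dialled the elastic IP
# 203.0.113.10; the server's interface address is 172.100.51.4 (from the thread).
SERVER_LOG = """(000015) 2021-03-01 08:47:10 - user (198.51.100.7)> PASV
(000015) 2021-03-01 08:47:10 - user (198.51.100.7)> 227 Entering Passive Mode (172,100,51,4,210,15)
"""

# Client saw the reply unchanged (the situation reported in post #13).
CLIENT_LOG_IDENTICAL = """Command: PASV
Response: 227 Entering Passive Mode (172,100,51,4,210,15)
"""

# Client saw a reply a NAT device rewrote on the way (the situation botg describes).
CLIENT_LOG_REWRITTEN = """Command: PASV
Response: 227 Entering Passive Mode (203,0,113,10,210,15)
"""


def extract_227(log_text: str):
    """(ip, port) from the last 227 reply in log_text, or None if there is none."""
    matches = PASV_RE.findall(log_text)
    if not matches:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in matches[-1])
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def compare_pasv(server_log: str, client_log: str, control_target: str) -> list[str]:
    """Findings about the PASV reply; empty list means nothing suspicious."""
    srv, cli = extract_227(server_log), extract_227(client_log)
    findings = []
    if srv is None or cli is None:
        findings.append("no 227 reply found in one of the logs")
        return findings
    if srv != cli:
        findings.append(f"reply rewritten in transit: server sent {srv}, client saw {cli}")
    # Even an untouched reply is useless if it names an address the client cannot reach.
    if cli[0] != control_target:
        findings.append(f"advertised {cli[0]} but control connection went to {control_target}")
    return findings


def diagnose() -> dict:
    target = "203.0.113.10"  # the address the external client dialled
    return {
        "identical": compare_pasv(SERVER_LOG, CLIENT_LOG_IDENTICAL, target),
        "rewritten": compare_pasv(SERVER_LOG, CLIENT_LOG_REWRITTEN, target),
    }


if __name__ == "__main__":
    for case, findings in diagnose().items():
        print(case, "->", findings or ["ok"])
```

For FTP over TLS the client log is the only place the reply is visible in clear, so the in-transit comparison cannot be made the same way; the second check (advertised address versus dialled address) still applies to whatever the client log shows.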

cpi-ivu
500 Command not understood
Posts: 5
Joined: 2021-02-22 10:25
First name: Christoph
Last name: P.

Re: Problem with passive mode (urgent problem - please help)

#13 Post by cpi-ivu » 2021-03-10 10:33

botg wrote:
2021-03-01 08:47
Are you using plain FTP or FTP over TLS?

In case of plain FTP, please compare the reply to the PASV command between the server log and the client log, the reply must be identical. If they differ, some firewall or NAT router is intentionally sabotaging FTP.
I have compared the messages. They match exactly...
