RUT300 FTP Port Forwarding - automatic conntrack nok

A customer needs WAN to LAN FTP forwarding and FileZilla got stuck on the MLSD command.

After trial and error, it turns out that the automatic conntrack rule is not working as expected for a standard Port Forward from port 21 on the WAN IP to port 21 on a LAN IP.

Active/Passive FTP was not the issue as such - neither worked and it has to be Passive FTP of course.

So I had to deactivate “Automatic helper assignment” and activate the appropriate conntrack helper in the WAN = DROP zone.

EDIT: In the dmesg log, I find:
[98485.589148] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
I suppose that this is related to the manual action to turn this off after the uptime of somewhat more than 1 day.


Thanks for reaching us.

Could you please send me the topology for your case? That would be beneficial.

In your scenario, you may just require port forwarding on port number 21 from the internal zone LAN to the source zone WAN.


Here is a schematic.

The FTP connection is needed from a Workstation or other device in the external network (WAN to the RUT300) towards the ftp server on

The ftp server is provided by pure-ftpd.

I defined a port forward from the WAN network port 21 to the LAN network .
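
The dmesg line quoted in the first post names the remedy: attach the helper explicitly with the iptables CT target instead of relying on automatic assignment. As an added example (not code from this thread or from Teltonika), the shell function below classifies a router as `explicit`, `automatic` or `none` from the `nf_conntrack_helper` sysctl value and saved `iptables-save -t raw` output. The rule sets and the interface name `eth1` are constructed, and the check assumes a plain `--dport` match on the FTP control port.

```shell
#!/bin/sh
# Added example: report how the FTP conntrack helper gets attached.
#   $1  value of /proc/sys/net/netfilter/nf_conntrack_helper (0 or 1)
#   $2  text of `iptables-save -t raw`
#   $3  FTP control port (default 21)
# Result on stdout:
#   explicit   a raw-table rule does "-j CT --helper ftp" for the port
#   automatic  no such rule, kernel auto-assignment still enabled
#   none       neither: the state the quoted dmesg line complains about
ftp_helper_state() {
    auto="$1"; rules="$2"; port="${3:-21}"
    if printf '%s\n' "$rules" \
        | grep -e '^-A ' \
        | grep -E -e "--dport ${port}( |\$)" \
        | grep -q -e '-j CT --helper ftp'; then
        echo explicit
    elif [ "$auto" = "1" ]; then
        echo automatic
    else
        echo none
    fi
}

# Constructed samples in iptables-save format (not taken from the RUT300).
# eth1 stands in for the WAN interface and is an assumption.
SAMPLE_EXPLICIT='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT'

SAMPLE_EMPTY='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

echo "auto off, CT rule present: $(ftp_helper_state 0 "$SAMPLE_EXPLICIT")"
echo "auto on,  no CT rule:      $(ftp_helper_state 1 "$SAMPLE_EMPTY")"
echo "auto off, no CT rule:      $(ftp_helper_state 0 "$SAMPLE_EMPTY")"

# On a live device the same function takes the real values:
#   ftp_helper_state "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" \
#                    "$(iptables-save -t raw)"
```

A result of `none` means passive-mode data connections will not be tracked as related to the control session, which matches a client stalling on MLSD.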
