
Background

I have two routers, Router_A and Router_B.

Router_A LAN side IP address is 172.16.0.1. Router_A has two clients, Computer_A (IP 172.16.0.11) and Router_B (IP 172.16.0.2).

Router_B WAN side IP address is 172.16.0.2. Router_B LAN side IP address is 10.0.0.1. Router_B has one client, FTP_Server_B (IP 10.0.0.2).

In Router_B, the FTP ports (21, 990, and a range of predefined ports) are forwarded to 10.0.0.2.

Static Routing (which does not work)

In Router_A, I have set Static Routing as follows:

Destination Address     Subnet Mask     Gateway     Metric
10.0.0.0                255.255.255.0   172.16.0.2  15

As far as I understand, this static routing rule means that, within Router_A's 172.16.0.xxx subnet, when a packet needs to go to 10.0.0.xxx, it reaches Router_A. According to the rule, 172.16.0.2 knows about 10.0.0.xxx addresses. So Router_A will forward the packet to 172.16.0.2.

Problem

From Computer_A, I try to connect to the FTP_Server_B.

  1. Using ftp://172.16.0.2, I can log in to the FTP server. Then the server replies with its passive mode address 10.0.0.2. At this point, 10.0.0.2 is unreachable and the client cannot list the directories and files.

  2. Using ftp://10.0.0.2, I cannot even log in. I cannot even reach the server.

midnite

1 Answer

You have two different problems:

Using ftp://172.16.0.2, I can log in to the FTP server. Then the server replies with its passive mode address 10.0.0.2.

You're port forwarding FTP in Router_B and you haven't loaded the FTP helper module(s) that will rewrite the PASV response of the FTP server to the public IP-address of Router_B (in Linux by loading the kernel module nf_nat_ftp) and you haven't configured your system to dynamically allow port forwarding of the data connection (in Linux with the ip_conntrack_ftp kernel module and allowing --state RELATED in your iptables rule sets).

Using ftp://10.0.0.2, I cannot even reach the server.

Setting up the static route on Router_A for 10.0.0.0/24 should deliver those packets to 172.16.0.2, but Router_B still has to be configured to accept incoming traffic for 10.0.0.0/24 on the public interface and to route those packets to your LAN. Your question doesn't show that you have done so.

HBruijn
  • Thanks for the reply! For problem (1), I use FileZilla on Win7 (unfortunately). In FileZilla, I have set it to reply with the public IP addr in pasv mode. But this makes it reply with the WAN side IP of Router_A. The FTP server is accessible from the Internet. I am not sure about "dynamic port forwarding". I have set FileZilla to use ports 60000-65000, and forwarded these ports in Router_B. For problem (2), I did think this was the case. But I cannot find this setting in Router_B. – midnite May 14 '17 at 08:15
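
The passive-mode address problem discussed in the answer, as an added example that is not part of the original thread: a simplified Python model of the rewrite a NAT FTP helper applies to the 227 reply, plus a client-side check that ignores an advertised address that differs from the control connection's peer. The function names are hypothetical, the reply string is constructed, and the port is assumed to be forwarded unchanged, as in the question's setup.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def rewrite_pasv(reply, outside_ip):
    """Model of the NAT helper: replace the server's inside address with the
    router's outside address; the port stays the same (assumption)."""
    _, port = parse_pasv(reply)
    host = str(ipaddress.IPv4Address(outside_ip)).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)" % (host, port // 256, port % 256)

def data_endpoint(reply, control_peer):
    """Client-side fallback: always open the data connection to the host the
    control connection goes to, and report whether the reply disagreed."""
    advertised, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    return str(peer), port, advertised != peer

if __name__ == "__main__":
    # Constructed reply: FTP_Server_B advertising its own LAN address, port 60000.
    raw = "227 Entering Passive Mode (10,0,0,2,234,96)"
    print(parse_pasv(raw))                   # what Computer_A receives without a helper
    print(rewrite_pasv(raw, "172.16.0.2"))   # what it would receive with the rewrite
    print(data_endpoint(raw, "172.16.0.2"))  # client ignoring the advertised address
```
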