Passive FTP through WatchGuard FireBox

I am using FileZilla on a Windows PC to share out FTP. I had this configured to support active and passive FTP through a Linksys RV082 gateway/router.

I have upgraded to the WatchGuard Firebox x550e. All other services work fine using the same configs as the Linksys. Active FTP using command line or an FTP client works great, but passive does not work. Using a web browser, the password/login challenge dialog comes up, but hangs beyond that. Connecting to the server within the LAN works with no problems.

I put through ports 20-21 and passive ports 5000-5025. I also set FileZilla to use the static external IP for passive. The Linksys worked fine, but the WatchGuard box does not like this.

I am not using an FTP proxy. I am using a custom TCP filter for 20-21 & 5000-5025 from any external to a static NAT.

I am talking to support, but their second level support is not understanding this. They claim FTP is working, but are not trying a browser. I have been down now for 5 days and I am getting a bit upset and so are my customers. Any help would be appreciated.

-nick
Asked by: nmonroe

dpk_wal commented:
I would suggest you use 1-1 NAT rather than static NAT; also, many a time in passive FTP the incoming ports are unknown, so if the client is trusted I would suggest opening ANY service for troubleshooting, noting all the ports, and then configuring a custom service to selectively allow the ports.

Give this a shot and things should start rolling. Please update on results.

Thank you.
0
 
nmonroe (author) commented:
Clarification: FileZilla 0.923b
0
 
nmonroe (author) commented:
Thanks for the response, dpk_wal.
WatchGuard support had me try the same thing. This was their final response:

"
did get a chance to run some tests, and have been getting some odd results. Active FTP works just fine. PASV does in fact hang in the browser.
Packet captures from the client appear to be fine. Oddly, the Firebox is not logging the inbound allowed TCP 21 traffic at the moment, when using PASV mode. Even via telnet to 21, setting PASV mode, the inbound 21 traffic doesn't show in Traf Mon. However, once the connection is killed, the Allowed-FIN on TCP 21 does show.

I believe some work has been done on the FTP Proxy, for the upcoming release of Fireware v10.0. Until the public release, I'll continue to look into this further, as I have not been able to uncover any specific BUGs related to these symptoms.
"

I guess I need to wait for v10. It is annoying since my Linksys RV082 handled it without an issue. I guess it is time to go to something better than FTP anyway. Other than this, I really like the Firebox. The failover for multiple ISPs works awesome.
0
 
nmonroe (author) commented:
Points awarded for quick response and the fact was that it was the same solution tech support gave when troubleshooting.
-nick
0
 
dpk_wal commented:
Thank you for the info; I would also keep an eye on v10. :)
0
 
nmonroe (author) commented:
Just looking at my old posts, and I have an update:

I upgraded to v10, and had issues, but the FTP proxy worked. I did have to set the passive IP in the FileZilla settings to the local IP of the server. With my Linksys, I needed to set it to be the external IP on the Internet.

Once I did this, it worked.
-Nick
0