Passive FTP through WatchGuard FireBox

I am using FileZilla on a Windows PC to share out FTP.  I had this configured to support active and passive FTP through a Linksys RV082 gateway/router.

I have upgraded to the WatchGuard Firebox x550e.  All other services work fine using the same configs as the Linksys.  Active FTP using command line or an FTP client works great, but passive does not work.  Using a web browser, the password/login challenge dialog comes up, but hangs beyond that.  Connecting to the server within the LAN works with no problems.

I put through ports 20-21 and passive ports 5000-5025.  I also set FileZilla to use the static external IP for passive.  The Linksys worked fine, but the WatchGuard box does not like this.

I am not using an FTP proxy.  I am using a custom TCP filter for 20-21 & 5000-5025 from any external to a static NAT.

I am talking to support, but their second level support is not understanding this. They claim FTP is working, but are not trying a browser.  I have been down now for 5 days and I am getting a bit upset and so are my customers.  Any help would be appreciated.

-nick
nmonroe Asked:
nmonroe (Author) Commented:
Clarification: FileZilla 0.923b
dpk_wal Commented:
I would suggest you use 1-1 NAT rather than static NAT; also, many a time in passive FTP the incoming ports are unknown, so if the client is trusted I would suggest opening ANY service for troubleshooting, noting all the ports, and then configuring a custom service to selectively allow the ports.

Give this a shot and things should start rolling. Please update on results.

Thank you.
nmonroe (Author) Commented:
Thanks for the response, dpk_wal.
WatchGuard support had me try the same thing.  This was their final response:

"
did get a chance to run some tests, and have been getting some odd results. Active FTP works just fine. PASV does in fact hang in the browser.
Packet captures from the client appear to be fine. Oddly, the Firebox is not logging the inbound allowed TCP 21 traffic at the moment, when using PASV mode. Even via telnet to 21, setting PASV mode, the inbound 21 traffic doesn't show in Traf Mon. However, once the connection is killed, the Allowed-FIN on TCP 21 does show.

I believe some work has been done on the FTP Proxy, for the upcoming release of Fireware v10.0. Until the public release, I'll continue to look into this further, as I have not been able to uncover any specific BUGs related to these symptoms.
"

I guess I need to wait for v10.  It is annoying since my Linksys RV082 handled it without an issue.  I guess it is time to go to something better than FTP anyway.  Other than this, I really like the Firebox.  The failover for multiple ISPs works awesome.
nmonroe (Author) Commented:
Points awarded for quick response and the fact that it was the same solution tech support gave when troubleshooting.
-nick
dpk_wal Commented:
Thank you for the info; I would also keep an eye on v10. :)
nmonroe (Author) Commented:
Just looking at my old posts, and I have an update:

I upgraded to v10, and had issues, but the FTP proxy worked.  I did have to set the passive IP in the FileZilla Settings to the local IP of the server.  With my Linksys, I needed to set it to be the external IP on the Internet.

Once I did this, it worked.
-Nick
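
Added example, not part of the original thread: a Python check of the 227 PASV reply as an outside client receives it, flagging an advertised address that differs from the one the control connection reached and a data port outside the 5000-5025 range the filter allows. The function names and the sample replies (documentation and RFC 1918 addresses) are constructed for illustration.

```python
import ipaddress
import re

PASV_PORTS = range(5000, 5026)  # passive range opened in the thread
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_PASV_RE = re.compile(r"^227[ -].*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(reply):
    """Return (IPv4Address, port) from an RFC 959 '227' reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in: {reply!r}")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def check_pasv(reply, control_ip, allowed_ports=PASV_PORTS):
    """List problems with a reply seen by a client connected to control_ip."""
    ip, port = parse_pasv(reply)
    findings = []
    if ip != ipaddress.IPv4Address(control_ip):
        kind = "private" if any(ip in n for n in RFC1918) else "different"
        findings.append(f"advertised {kind} address {ip}; "
                        f"control connection went to {control_ip}")
    if port not in allowed_ports:
        findings.append(f"data port {port} is outside "
                        f"{allowed_ports.start}-{allowed_ports.stop - 1}")
    return findings

# Constructed sample replies (not captured from the thread's server).
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,19,146)",  # external IP, port 5010
    "227 Entering Passive Mode (192,168,1,20,19,146)",  # LAN IP reaches client
    "227 Entering Passive Mode (203,0,113,10,4,1)",     # port 1025, not allowed
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "->", check_pasv(reply, "203.0.113.10") or "ok")
```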