Problem with passive FTP and multiple links
Hello guys,
This is my scenario:
I have a linux gateway using four network interface cards: eth0: intranet / eth1: loadbalancer / eth2: link X / eth3: link Y
The default gateway to my linux is the eth1 interface (it's connected to a routerboard device which manages the loadbalancing with all links connected to it).
I have two more links connected directly to my linux box (eth2 and eth3).
When I leave the connection going directly to the loadbalancer (coming from eth0 and being forwarded to eth1) I get a error: "550 Passive connection must come from same host as control connection."
I tried to set the output to the FTP protocols (ports 20 and 21) to one of the links (eth2) using iptables postrouting... didn't work...
I tried to set the output to the FTP protocols using the iptables MARK module and using the iproute2 to lookup the table for the link at interface eth2... without success too.
Please... may someone help me with this? I'm losing the few hairs I still have and I'm awake for three days now (with virtually no sleep).
Thanks in advance!
This is my scenario:
I have a linux gateway using four network interface cards: eth0: intranet / eth1: loadbalancer / eth2: link X / eth3: link Y
The default gateway to my linux is the eth1 interface (it's connected to a routerboard device which manages the loadbalancing with all links connected to it).
I have two more links connected directly to my linux box (eth2 and eth3).
When I leave the connection going directly to the loadbalancer (coming from eth0 and being forwarded to eth1) I get a error: "550 Passive connection must come from same host as control connection."
I tried to set the output to the FTP protocols (ports 20 and 21) to one of the links (eth2) using iptables postrouting... didn't work...
I tried to set the output to the FTP protocols using the iptables MARK module and using the iproute2 to lookup the table for the link at interface eth2... without success too.
Please... may someone help me with this? I'm losing the few hairs I still have and I'm awake for three days now (with virtually no sleep).
Thanks in advance!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello Kimputer: Thanks indeed for your help, but sadly is not the case. The problem I'm facing in the network is about the client side... For the "extra" ports used for passive connections, the iptables connection tracking uses the "stablished" and/or "related" configuration... that does the job for the extra ports without explicit declare them.
Hello gheist: Thanks indeed for your reply too!! I'm using a mikrotik router as loadbalancer... The method I'm using to loadbalance is PCC (both-addresses-and-ports)
To clarify the scenario a bit more:
[local network]--->[Linux gateway]--->[link x / link y / loadbalancer (default gateway) ]
All ftp connection tracking modules are enabled in the linux gateway.
The ftp "Service Ports" /ip firewall service-port is enabled too.
I really don't know where's the problem!
I probably know the answer to the question I'll ask now... :) ... (my mind is so confused with the lack of sleep that maybe I'm missing something and another person can show me another/better solution): Using linux prerouting, postrouting and forward how may I force a port/protocol to use only one of the links connected to the linux box (ignoring the default gateway)?
Thanks in advance for your help and patience!
Best Regards
Hello gheist: Thanks indeed for your reply too!! I'm using a mikrotik router as loadbalancer... The method I'm using to loadbalance is PCC (both-addresses-and-ports)
To clarify the scenario a bit more:
[local network]--->[Linux gateway]--->[link x / link y / loadbalancer (default gateway) ]
All ftp connection tracking modules are enabled in the linux gateway.
The ftp "Service Ports" /ip firewall service-port is enabled too.
I really don't know where's the problem!
I probably know the answer to the question I'll ask now... :) ... (my mind is so confused with the lack of sleep that maybe I'm missing something and another person can show me another/better solution): Using linux prerouting, postrouting and forward how may I force a port/protocol to use only one of the links connected to the linux box (ignoring the default gateway)?
Thanks in advance for your help and patience!
Best Regards
You say the extra ports are taken care of, but the other side (client) has an error message clearly telling you otherwise.
FTP to port 20/21 comes from one IP address, while the passive ports comes from the other. If you don't believe it, test your ftp connection externally (laptop or PC on another internet connection, use Wireshark to display all your traffic).
FTP to port 20/21 comes from one IP address, while the passive ports comes from the other. If you don't believe it, test your ftp connection externally (laptop or PC on another internet connection, use Wireshark to display all your traffic).
ASKER
Kimputer:
Thanks indeed for your attention and I'm sorry for the delayed reply... I was on a business trip and simply forgot to reply... sorry.
Unfortunately I think you did not understand the problem... Or I didn't make myself clear enough.
The users inside my network are getting trouble to access servers outside my network... The problem is clearly the load balance, but it's not the session affinity as gheist wrote! I know that isn't the session affinity because the Routerboard router is configured with PCC (both-addresses-and-ports)
I already used a workaround untill be able to solve it definitively... I created two mangle rules in Routerboard router excluding all the FTP accesses from the load balance and fixing them in just one of the links... It's not what I need, but is working right now... What I need is the load balance system be able to keep the FTP connection (passive or active) in the same link as it was requested.
Best Regards!
Thanks indeed for your attention and I'm sorry for the delayed reply... I was on a business trip and simply forgot to reply... sorry.
Unfortunately I think you did not understand the problem... Or I didn't make myself clear enough.
The users inside my network are getting trouble to access servers outside my network... The problem is clearly the load balance, but it's not the session affinity as gheist wrote! I know that isn't the session affinity because the Routerboard router is configured with PCC (both-addresses-and-ports)
I already used a workaround untill be able to solve it definitively... I created two mangle rules in Routerboard router excluding all the FTP accesses from the load balance and fixing them in just one of the links... It's not what I need, but is working right now... What I need is the load balance system be able to keep the FTP connection (passive or active) in the same link as it was requested.
Best Regards!
ASKER
I needed to create a new mangle rules we.
Example proftpd/proftpd.conf
Open in new window
These are just 100 ports, but should be more than enough even if 50 users are continuously busy on it (AT THE SAME TIME!).Now make sure ports 50000 through 50100 are added to your firewall config.