Problem with passive FTP and multiple links

Hello guys,

This is my scenario:

I have a linux gateway using four network interface cards: eth0: intranet / eth1: loadbalancer / eth2: link X / eth3: link Y

The default gateway to my linux is the eth1 interface (it's connected to a routerboard device which manages the loadbalancing with all links connected to it).

I have two more links connected directly to my linux box (eth2 and eth3).

When I leave the connection going directly to the loadbalancer (coming from eth0 and being forwarded to eth1) I get an error: "550 Passive connection must come from same host as control connection."

I tried to set the output to the FTP protocols (ports 20 and 21) to one of the links (eth2) using iptables postrouting... didn't work...

I tried to set the output to the FTP protocols using the iptables MARK module and using the iproute2 to lookup the table for the link at interface eth2... without success too.

Please... may someone help me with this? I'm losing the few hairs I still have and I'm awake for three days now (with virtually no sleep).

Thanks in advance!

FTP uses special ports for the passive transfers. Port 20 and 21 are NOT enough. Depending on which FTP server you use, you can fix these passive ports, and make sure you input it as well (so all ftp traffic comes from one IP address).

Example proftpd/proftpd.conf

PassivePorts 50000 50100


These are just 100 ports, but should be more than enough even if 50 users are continuously busy on it (AT THE SAME TIME!).
Now make sure ports 50000 through 50100 are added to your firewall config.
You need to convince loadbalancers to take care of session affinity.

FabioConsultantAuthor Commented:
Hello Kimputer: Thanks indeed for your help, but sadly that is not the case. The problem I'm facing in the network is about the client side... For the "extra" ports used for passive connections, the iptables connection tracking uses the "established" and/or "related" configuration... that does the job for the extra ports without explicitly declaring them.

Hello gheist: Thanks indeed for your reply too!! I'm using a mikrotik router as loadbalancer... The method I'm using to loadbalance is PCC (both-addresses-and-ports) and I have no clue what's wrong...

To clarify the scenario a bit more:

[local network]--->[Linux gateway]--->[link x / link y / loadbalancer (default gateway) ]

All ftp connection tracking modules are enabled in the linux gateway.

The ftp "Service Ports" /ip firewall service-port is enabled too.

I really don't know where's the problem!

I probably know the answer to the question I'll ask now... :) ... (my mind is so confused with the lack of sleep that maybe I'm missing something and another person can show me another/better solution): Using linux prerouting, postrouting and forward how may I force a port/protocol to use only one of the links connected to the linux box (ignoring the default gateway)?

Thanks in advance for your help and patience!
Best Regards
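The question above (how to force one port/protocol out through a single link from PREROUTING/POSTROUTING/FORWARD, ignoring the default gateway) is usually answered with a connection mark plus a second routing table. The script below is an added example written for this thread, not code posted by anyone in it. It assumes eth0 is the LAN side, eth2 is link X with the placeholder address 198.51.100.2 and next hop 198.51.100.1, and 192.168.1.0/24 is the LAN; change those variables to match the gateway. It prints the commands by default (DRY_RUN=1) so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread: pin all outbound FTP from the LAN
# (the control connection and the RELATED passive data connections) to link X
# on eth2 with a conntrack mark and a dedicated routing table, so the FTP
# server sees one source address for both connections.
# Assumed/placeholder values: eth0 = LAN side, eth2 = link X,
# 198.51.100.2 / 198.51.100.1 = link X address and next hop, 192.168.1.0/24 = LAN.
set -eu

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth2}"
WAN_IP="${WAN_IP:-198.51.100.2}"
WAN_GW="${WAN_GW:-198.51.100.1}"
TABLE_ID=100            # routing table holding only link X's default route
FWMARK=0x10             # firewall mark meaning "route via link X"
DRY_RUN="${DRY_RUN:-1}" # 1: print the commands instead of executing them

# Every command goes through run so the script can be reviewed with DRY_RUN=1
# before it touches the gateway.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

load_helpers() {
  # The ftp helper parses PASV/PORT exchanges and registers the data connection
  # as RELATED to the control connection; nf_nat_ftp rewrites the embedded
  # addresses when NAT is in the path.
  run modprobe nf_conntrack_ftp
  run modprobe nf_nat_ftp
  # Newer kernels no longer attach helpers automatically; assign it in the raw table.
  run iptables -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
}

setup_policy_route() {
  # Table 100 knows only one way out: link X. Packets carrying the mark use it
  # instead of the main table's default route (the load balancer on eth1).
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_ID"
  run ip rule add fwmark "$FWMARK" lookup "$TABLE_ID" priority 100
  # Strict reverse-path filtering drops replies arriving on a link that is not
  # the main table's route back to the source; loose mode (2) accepts them.
  run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
}

mark_ftp() {
  # Marking has to happen in mangle PREROUTING, i.e. before the routing
  # decision; FORWARD or POSTROUTING rules are too late to pick the link.
  # 1. Re-apply the saved connection mark to every packet of a known connection.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
  # 2. New control connections to port 21 get the mark.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 21 \
      -m conntrack --ctstate NEW -j MARK --set-mark "$FWMARK"
  # 3. Passive data connections are RELATED to the marked control connection
  #    (the kernel also copies the master's connmark onto them); mark them
  #    explicitly so the rule set does not depend on that behaviour.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
      -m conntrack --ctstate RELATED -m helper --helper ftp -j MARK --set-mark "$FWMARK"
  # 4. Persist the packet mark on the connection so later packets hit rule 1.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark "$FWMARK" -j CONNMARK --save-mark
  # 5. Whatever leaves through link X is translated to link X's address, which
  #    is what makes control and data connections share one source IP at the server.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

apply_all() {
  load_helpers
  setup_policy_route
  mark_ftp
}

apply_all
```

Run it once as written to see the eleven commands it would issue, then with DRY_RUN=0 as root to apply them. The two details that usually break attempts like the ones described in the question are the marking point (it must be PREROUTING, before the route lookup) and the reverse-path filter on the secondary link.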

You say the extra ports are taken care of, but the other side (client) has an error message clearly telling you otherwise.
FTP to port 20/21 comes from one IP address, while the passive ports come from the other. If you don't believe it, test your ftp connection externally (laptop or PC on another internet connection, use Wireshark to display all your traffic).
FabioConsultantAuthor Commented:

Thanks indeed for your attention and I'm sorry for the delayed reply... I was on a business trip and simply forgot to reply... sorry.

Unfortunately I think you did not understand the problem... Or I didn't make myself clear enough.

The users inside my network are having trouble accessing servers outside my network... The problem is clearly the load balance, but it's not the session affinity as gheist wrote! I know that it isn't the session affinity because the Routerboard router is configured with PCC (both-addresses-and-ports).

I already used a workaround until I am able to solve it definitively... I created two mangle rules in the Routerboard router excluding all the FTP accesses from the load balance and fixing them on just one of the links... It's not what I need, but it is working right now... What I need is for the load balance system to be able to keep the FTP connection (passive or active) on the same link as it was requested.

Best Regards!
FabioConsultantAuthor Commented:
I needed to create new mangle rules we.