schotty
September 19th, 2002, 13:24
Hey all!

I got two DSL lines at work here. A rather interesting setup we have is that our ftp connections need to originate on a specific DSL line. The one that is not the default gateway. Is there a way to NAT any request to these specific ftp requests to the other DSL line?

To clarify what I have:

DSL A == Email and FTP
DSL B == Web apps and general surfage
Gateway == nats on DSL B right now.

I figure that there should be a way to NAT all ftp requests in general to the DSL A line, and work from there. But for some reason, I feel that there is something to do with the default gateway setting that may hinder this a tad.

elmore
September 19th, 2002, 14:29
I guess you could use a redirect for this. That wouldn't stop the initial request though from coming to the wrong DSL line. You need to modify your DNS for that.

schotty
September 19th, 2002, 16:46
No, it's outgoing only. But the remote servers block all IPs except the trusted business partners. So unless your company deals with them, even if I give you the IP, you WILL NOT be able to connect. Hence why my one dynamic ADSL line won't cut it. My boss wants to be able to ftp from his desk -- something that is currently not possible with the current setup.

I did try RDR, but I am still getting odd results. But I **HIGHLY** doubt that it's the gateway's fault. For some reason, any client on the LAN that tries to connect gets booted when the user tries to look at a directory in ANY GUI app. My GFTP gets booted. All 3 locations of AutoFTP get canned too. However, depending on where I log in from, the CLI can usually work.

The BSD bridge and Gateway both work. My desktop sometimes works. And the Win98 VMWare guest can't ever (well, as of now, never has).

This is getting weird.....

But thanks for the help.

frisco
September 19th, 2002, 18:36
any client on the LAN that tries to connect gets booted when the user tries to look at a directory in ANY GUI app. My GFTP gets booted. All 3 locations of AutoFTP get canned too. However, depending on where I log into, the CLI can usually work

This is probably due to passive vs. active ftp connections. Find out if the GUIs are doing one or the other, and I bet the CLI you're using is doing the other.

schotty
September 19th, 2002, 19:42
Nah, that ain't it.

Thought the same thing :)

I really feel it's a routing issue. If I can redirect specific connections to the other DSL pipe I've got, then I should be golden. I only have like 6 or 7 ftp connections that are ever made like this. And only 1 needs to be routed like this. It's getting the jive of doing route commands that's taking me a bit. I am not a god, but I'm getting a lot better than I ever have been at TCP/IP networking. Shows you how much Windows guys are required to know!

elmore
September 19th, 2002, 20:04
I guess what you'd need to do here is an outgoing NAT rule. An actual route here would probably only confuse things. I'm not exactly sure how you'd go about redirecting outbound traffic from a specific port, but I'm sure it can be done. I've just never had to do it.

|MiNi0n|
September 19th, 2002, 23:09
Nah, that ain't it.

I think frisco is on the right track. NATing ftp isn't easy because of the way ftp connections are made; see the FAQ on openbsd.org for more, but here's the key snippet:

With active FTP, when a user connects to a remote FTP server and requests information or file, the FTP client sends the server a random port number that the FTP server will make a connection to on the client and transfer the info. This is a problem for users attempting to gain access to FTP servers from within the LAN. When the FTP server sends its information it sends it to the external NIC at a random port. The NAT machine will receive this, but because it has no mappings for the unknown packet and doesn't have any mappings for that port, it will drop the packet and won't deliver it.

So if you're using active, you can redirect the initial request on port 21, but after that it's random, so yer f&#*@d. See the FAQ and use ftp-proxy and passive mode; I don't see any other solution.
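To make the FAQ passage concrete, here is a toy model of a stateful NAT gateway with two uplinks, written as an added example for this thread (not code from the OpenBSD FAQ or from anyone in the thread). All addresses are constructed documentation-range values; the gateway, the FTP server and the port numbers are assumptions. It shows the two points raised above: the server-initiated data connection of active FTP arrives at a port the gateway never mapped and is dropped, while a passive data connection is opened from the LAN side and therefore gets a mapping. It also shows the detail the original poster's policy needs to get right: if only port 21 is steered onto DSL A, the passive data connection would leave on DSL B and hit the partner's IP whitelist, so the policy selects the line by destination host as well.

```python
"""Toy stateful NAT with two uplinks: why passive FTP survives NAT and active FTP does not."""
import re
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation ranges); not taken from the thread.
DSL_A = "198.51.100.10"   # line the partner's FTP server whitelists (email + FTP)
DSL_B = "203.0.113.10"    # default gateway line (web and general surfing)
FTP_SERVER = "192.0.2.7"  # hypothetical partner FTP server
CLIENT = "192.168.1.5"    # hypothetical LAN client
FTP_HOSTS = {FTP_SERVER}  # destinations that must always go out on DSL A

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by the PORT command and the 227 PASV reply."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


@dataclass
class NatGateway:
    """Stateful NAT: a mapping exists only for connections the LAN side opened."""
    table: dict = field(default_factory=dict)   # (line, ext_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    next_port: int = 40000

    def egress_for(self, dst_ip, dst_port):
        # Policy: traffic to the FTP partner (control AND data ports) leaves on DSL A, all else on DSL B.
        return DSL_A if dst_ip in FTP_HOSTS or dst_port == 21 else DSL_B

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """LAN client opens a connection: pick the line, allocate an external port, record the mapping."""
        line = self.egress_for(dst_ip, dst_port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(line, ext_port, dst_ip, dst_port)] = (lan_ip, lan_port)
        return line, ext_port

    def inbound(self, ext_ip, ext_port, src_ip, src_port):
        """Packet arriving from outside: forwarded to the mapped LAN socket, or None (dropped)."""
        return self.table.get((ext_ip, ext_port, src_ip, src_port))


def active_ftp(gw):
    """Active mode: the client sends PORT and the server connects back to a random client port."""
    line, _ = gw.outbound(CLIENT, 3001, FTP_SERVER, 21)
    # Client announced 192.168.1.5 port 5001; even if a proxy rewrote the address to the
    # external line, the gateway has no mapping for port 5001, so the server's SYN is dropped.
    _, data_port = parse_hostport("PORT 192,168,1,5,19,137")
    delivered = gw.inbound(line, data_port, FTP_SERVER, 20)
    return delivered is not None


def passive_ftp(gw):
    """Passive mode: the client opens the data connection itself, so the NAT has state for it."""
    line, ext = gw.outbound(CLIENT, 3001, FTP_SERVER, 21)
    if gw.inbound(line, ext, FTP_SERVER, 21) != (CLIENT, 3001):
        return False                                   # control replies must flow back
    data_ip, data_port = parse_hostport("227 Entering Passive Mode (192,0,2,7,195,149)")
    data_line, data_ext = gw.outbound(CLIENT, 3002, data_ip, data_port)
    if data_line != line:
        return False                                   # would leave on the non-whitelisted line
    return gw.inbound(data_line, data_ext, data_ip, data_port) == (CLIENT, 3002)


if __name__ == "__main__":
    print("active FTP data connection delivered:", active_ftp(NatGateway()))
    print("passive FTP data connection delivered:", passive_ftp(NatGateway()))
```

The model deliberately keys the NAT table on the full four-tuple, which is what makes the active-mode callback fail: the only state the gateway holds after the control connection is for port 21, so a connection from the server's port 20 to port 5001 matches nothing. Dropping `FTP_SERVER` from `FTP_HOSTS` makes `passive_ftp` return False for the routing reason, not the NAT one, which is the mistake a port-21-only rule would make.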

schotty
September 20th, 2002, 13:07
Well, whatever the hell I did worked. Now my gFTP, my boss's AutoFTP and every CLI/DOS client all work fine. Thanks for the help, really appreciated!

elmore
September 20th, 2002, 15:07
Well, at least it's fixed. What did you do?

schotty
September 20th, 2002, 15:11
Well, I tried like all hell to do a rdr rule, and that didn't work. So I went on down the "route" road, and failed there. Went back to see exactly what was going on, and to do a traceroute and tcpdump to see exactly what the hell is going on. I fired them tools up, fired up gFTP. And I got in and could see files again. Installed AutoFTP on my guest OS in VMWare, and it works too with the exact same settings as my boss's box. I didn't try it on his box yet, but I am sure that it works. Either that or it's some crazy NT issue on his side now.

But yeah, spooks the hell out of me. I literally spent a good chunk of yesterday trying to figure this bastard out. Perhaps there is something I changed and never reverted -- but I can't see it. My pf and nat .confs are identical. My routing table is as normal; I removed each entry I made.

Weird......

schotty
September 20th, 2002, 15:15
Nah, that ain't it.
So if you're using active, you can redirect the initial request on port 21, but after that it's random, so yer f&#*@d. See the FAQ and use ftp-proxy and passive mode; I don't see any other solution.

It's using passive already. So far I have been able to ftp from a variety of hosts (OpenBSD.org, RedHat.com, gnome.org, XFree86.org.....). So this was genuinely a first. But the circumstances are wayyyy different, due to the fact that it isn't a public ftp. But either way, I am glad that I got this fucker figured out....