Opened 2 months ago

Closed 2 months ago

Last modified 2 months ago

#12723 closed Bug report (rejected)

Un-routable server address bypasses the setting in passive mode to use control socket address

Reported by: QIU Quan Owned by:
Priority: normal Component: FileZilla Client
Keywords: passive un-routable Cc: QIU Quan
Component version: 3.60.0 Operating system type: Windows
Operating system version: Windows 10 20H2 (10.0.19042.1706)

Description (last modified by QIU Quan)

The client is connecting to a server behind an NAT router, whose IP address facing us is also a private address, as illustrated below.

+-----------+   +-------------|------+   +--------------+
| my client |   |    NAT router      |   | their server |
| 172.x.x.x +---+ 192.168.x.x | 10.x +---+   10.x.x.x   |
+-----------+   +-------------|------+   +--------------+

I left the setting for "Connection / FTP / Passive mode" by default, to "Use the server's external IP address instead". However, it did not work for me.

The attached log file 20220601-1751.log shows at lines 82 and 161 that the server replied with its private address, and a netstat command on the client at the moment showed it was actually trying to connect to exactly the server's private address.

I noticed a trace message in the log file, i.e.

Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.

Having searched this message in the source code, I arrived at function CTransferSocket :: SetupPassiveTransfer, and found that its host argument seemed to be assigned in the function CFtpRawTransferOpData :: ParsePasvResponse.

Inside ParsePasvResponse, the condition for assigning the peerIP from the control socket to the host_ of the passive data connection is an un-routable data peer address as well as a routable control peer address. Unfortunately, with all un-routable, internal addresses for both data and control, my scenario effectively bypasses this mechanism.

At the end of the ParsePasvResponse function, I noticed that I can instruct the client to always use server address by setting the option OPTION_PASVREPLYFALLBACKMODE to 2, which is set by an option named Pasv reply fallback mode, stored in %appdata%\FileZilla\filezilla.xml. I wonder the intention on omitting this option in the settings UI, although it indeed provides a workaround for my situation in the current version.

Attachments (2)

20220601-1751.log (7.1 KB ) - added by QIU Quan 2 months ago.
20220601-2138.log (4.5 KB ) - added by QIU Quan 2 months ago.

Download all attachments as: .zip

Change History (7)

by QIU Quan, 2 months ago

Attachment: 20220601-1751.log added

comment:1 by QIU Quan, 2 months ago

Description: modified (diff)

comment:2 by Tim Kosse, 2 months ago

Resolution: rejected
Status: newclosed

The server is not configured correctly. The server sits behind a NAT, yet wrongly responds with its private IP address to clients connected from outside the NAT.

Fix the server configuration to return the correct address in the PASV reply.

Consider switching to IPv6, then you don't even need NAT to begin with.

comment:3 by QIU Quan, 2 months ago

Another workaround is to connect through a proxy, for instance, by setting a SOCKS4 proxy in "Connection / Generic proxy". This will force the client to prefer the EPSV command for passive mode, which gets a response from the server providing only the port, circumventing the IPv4 NAT issue, as demonstrated in the attached log file 20220601-2138.log.

Last edited 2 months ago by QIU Quan (previous) (diff)

by QIU Quan, 2 months ago

Attachment: 20220601-2138.log added

comment:4 by QIU Quan, 2 months ago

Description: modified (diff)

in reply to:  2 comment:5 by QIU Quan, 2 months ago

Replying to Tim Kosse:

The server is not configured correctly. The server sits behind a NAT, yet wrongly responds with its private IP address to clients connected from outside the NAT.

Fix the server configuration to return the correct address in the PASV reply.

Consider switching to IPv6, then you don't even need NAT to begin with.

Thanks. If only I could do anything with the server.

Note: See TracTickets for help on using tickets.