#12723 closed Bug report (rejected)
Un-routable server address bypasses the setting in passive mode to use control socket address
| Reported by: | QIU Quan | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | FileZilla Client |
| Keywords: | passive un-routable | Cc: | QIU Quan |
| Component version: | 3.60.0 | Operating system type: | Windows |
| Operating system version: | Windows 10 20H2 (10.0.19042.1706) |
Description (last modified by )
The client is connecting to a server behind an NAT router, whose IP address facing us is also a private address, as illustrated below.
+-----------+ +-------------|------+ +--------------+ | my client | | NAT router | | their server | | 172.x.x.x +---+ 192.168.x.x | 10.x +---+ 10.x.x.x | +-----------+ +-------------|------+ +--------------+
I left the setting for "Connection / FTP / Passive mode" by default, to "Use the server's external IP address instead". However, it did not work for me.
The attached log file 20220601-1751.log shows at lines 82 and 161 that the server replied with its private address, and a netstat command on the client at the moment showed it was actually trying to connect to exactly the server's private address.
I noticed a trace message in the log file, i.e.
Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
Having searched this message in the source code, I arrived at function CTransferSocket :: SetupPassiveTransfer, and found that its host argument seemed to be assigned in the function CFtpRawTransferOpData :: ParsePasvResponse.
Inside ParsePasvResponse, the condition for assigning the peerIP from the control socket to the host_ of the passive data connection is an un-routable data peer address as well as a routable control peer address. Unfortunately, with all un-routable, internal addresses for both data and control, my scenario effectively bypasses this mechanism.
At the end of the ParsePasvResponse function, I noticed that I can instruct the client to always use server address by setting the option OPTION_PASVREPLYFALLBACKMODE to 2, which is set by an option named Pasv reply fallback mode, stored in %appdata%\FileZilla\filezilla.xml. I wonder the intention on omitting this option in the settings UI, although it indeed provides a workaround for my situation in the current version.
Attachments (2)
Change History (7)
by , 2 years ago
| Attachment: | 20220601-1751.log added |
|---|
comment:1 by , 2 years ago
| Description: | modified (diff) |
|---|
follow-up: 5 comment:2 by , 2 years ago
| Resolution: | → rejected |
|---|---|
| Status: | new → closed |
comment:3 by , 2 years ago
Another workaround is to connect through a proxy, for instance, by setting a SOCKS4 proxy in "Connection / Generic proxy". This will force the client to prefer the EPSV command for passive mode, which gets a response from the server providing only the port, circumventing the IPv4 NAT issue, as demonstrated in the attached log file 20220601-2138.log.
by , 2 years ago
| Attachment: | 20220601-2138.log added |
|---|
comment:4 by , 2 years ago
| Description: | modified (diff) |
|---|
comment:5 by , 2 years ago
Replying to Tim Kosse:
The server is not configured correctly. The server sits behind a NAT, yet wrongly responds with its private IP address to clients connected from outside the NAT.
Fix the server configuration to return the correct address in the PASV reply.
Consider switching to IPv6, then you don't even need NAT to begin with.
Thanks. If only I could do anything with the server.
The server is not configured correctly. The server sits behind a NAT, yet wrongly responds with its private IP address to clients connected from outside the NAT.
Fix the server configuration to return the correct address in the PASV reply.
Consider switching to IPv6, then you don't even need NAT to begin with.