#12723 closed Bug report (rejected)
Un-routable server address bypasses the setting in passive mode to use control socket address
Reported by: | QIU Quan | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | FileZilla Client |
Keywords: | passive un-routable | Cc: | QIU Quan |
Component version: | 3.60.0 | Operating system type: | Windows |
Operating system version: | Windows 10 20H2 (10.0.19042.1706) |
Description (last modified by )
The client is connecting to a server behind an NAT router, whose IP address facing us is also a private address, as illustrated below.
+-----------+ +-------------|------+ +--------------+ | my client | | NAT router | | their server | | 172.x.x.x +---+ 192.168.x.x | 10.x +---+ 10.x.x.x | +-----------+ +-------------|------+ +--------------+
I left the setting for "Connection / FTP / Passive mode" by default, to "Use the server's external IP address instead". However, it did not work for me.
The attached log file 20220601-1751.log
shows at lines 82 and 161 that the server replied with its private address, and a netstat
command on the client at the moment showed it was actually trying to connect to exactly the server's private address.
I noticed a trace message in the log file, i.e.
Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
Having searched this message in the source code, I arrived at function CTransferSocket
:: SetupPassiveTransfer
, and found that its host
argument seemed to be assigned in the function CFtpRawTransferOpData
:: ParsePasvResponse
.
Inside ParsePasvResponse
, the condition for assigning the peerIP
from the control socket to the host_
of the passive data connection is an un-routable data peer address as well as a routable control peer address. Unfortunately, with all un-routable, internal addresses for both data and control, my scenario effectively bypasses this mechanism.
At the end of the ParsePasvResponse
function, I noticed that I can instruct the client to always use server address by setting the option OPTION_PASVREPLYFALLBACKMODE
to 2
, which is set by an option named Pasv reply fallback mode
, stored in %appdata%\FileZilla\filezilla.xml
. I wonder the intention on omitting this option in the settings UI, although it indeed provides a workaround for my situation in the current version.
Attachments (2)
Change History (7)
by , 2 years ago
Attachment: | 20220601-1751.log added |
---|
comment:1 by , 2 years ago
Description: | modified (diff) |
---|
follow-up: 5 comment:2 by , 2 years ago
Resolution: | → rejected |
---|---|
Status: | new → closed |
comment:3 by , 2 years ago
Another workaround is to connect through a proxy, for instance, by setting a SOCKS4 proxy in "Connection / Generic proxy". This will force the client to prefer the EPSV command for passive mode, which gets a response from the server providing only the port, circumventing the IPv4 NAT issue, as demonstrated in the attached log file 20220601-2138.log
.
by , 2 years ago
Attachment: | 20220601-2138.log added |
---|
comment:4 by , 2 years ago
Description: | modified (diff) |
---|
comment:5 by , 2 years ago
Replying to Tim Kosse:
The server is not configured correctly. The server sits behind a NAT, yet wrongly responds with its private IP address to clients connected from outside the NAT.
Fix the server configuration to return the correct address in the PASV reply.
Consider switching to IPv6, then you don't even need NAT to begin with.
Thanks. If only I could do anything with the server.
The server is not configured correctly. The server sits behind a NAT, yet wrongly responds with its private IP address to clients connected from outside the NAT.
Fix the server configuration to return the correct address in the PASV reply.
Consider switching to IPv6, then you don't even need NAT to begin with.