Fred Wright said:
> On Tue, 24 Aug 2004, Neil Schneider wrote:
>> Well the testing I'm doing is from a system behind m0n0wall to an
>> ftp server NAT'ed behind m0n0wall. I opened the "ephemeral" ports you
>> described, and still can't get a file listing. The client side is
>> regular masquerading NAT; the server is Server NAT to a specific IP.
>> Clients with complaints are behind Linksys and other "DSL/Cable
>> Routers". The result is the same.
>
> Have you tried enabling logging for that and seeing if the data
> connections show up there? If you're not sure of the port range, you
> could at least temporarily open 1024-65535 with logging.
>
> You could also use tcpdump (or I think there's a better tool called
> "tcpflow" or something that I've never used) to monitor the control
> connection to see what data port it's trying to use.
>
> Does it work in active mode? Or is that a non-option due to NAT
> issues on the client side?
>
>> Are you suggesting I need to Server NAT all those ports 49152-65535?
>
> It's possible, depending on whether NAT handles this case correctly on
> its own. It would be "Inbound NAT", not "Server NAT", though.

OK, I just changed from Server NAT to 1:1 NAT, changed all my forwarding
rules and tested from a remote machine behind another m0n0wall. And it
works! Didn't even turn on logging. Just changed all the inbound NAT rules
and then the type of NAT and tested. I'd still like to know what the
technical difference is between Server NAT and 1:1 NAT. I also reduced the
port range from 1024-65535 to 49152-65535 and it still works, at least
with the ncftp client and vsftp server.

-- 
Neil Schneider pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D

Fires can't be made with dead embers, nor can enthusiasm be stirred by
spiritless men. Enthusiasm in our daily work lightens effort and turns
even labor into pleasant tasks. --James Baldwin
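Fred's suggestion above, watching the control connection to see which data port the server advertises, can be applied to captured FTP replies directly. The following is an added example, not code from the thread: it parses PASV (227) and EPSV (229) replies and checks the advertised port against the opened range (49152-65535, the range Neil settled on) and the advertised address against the server's public address. The reply lines and the addresses 203.0.113.10 and 192.168.1.5 are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Range opened on the firewall in the thread (constructed default for this example).
OPENED_RANGE = (49152, 65535)

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> data port = p1*256 + p2
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)  -> no address, port only
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line):
    """Return (advertised_host_or_None, data_port) for a 227/229 reply, else None."""
    m = _PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
            return None  # malformed reply: every field must fit in one byte
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (None, port) if 0 < port <= 65535 else None
    return None


def check_passive_reply(line, control_peer, opened=OPENED_RANGE):
    """List reasons the data connection would not get through the NAT ([] = ok).

    control_peer is the address the client actually reached the server on,
    i.e. the public (NATed) address seen on the control connection.
    Returns None if the line is not a passive-mode reply at all."""
    parsed = parse_passive_reply(line)
    if parsed is None:
        return None
    host, port = parsed
    lo, hi = opened
    problems = []
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside opened range {lo}-{hi}")
    if host is not None and host != control_peer:
        problems.append(f"advertised address {host} differs from control peer {control_peer}")
        if ip_address(host).is_private:
            problems.append("advertised address is private: NAT did not rewrite the PASV reply")
    return problems


if __name__ == "__main__":
    # Constructed sample replies: one that would work, one that would not.
    for reply in ("227 Entering Passive Mode (203,0,113,10,200,5)",
                  "227 Entering Passive Mode (192,168,1,5,4,10)"):
        print(reply, "->", check_passive_reply(reply, "203.0.113.10") or "ok")
```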