spaceobh (Aspirant)
Sep 27, 2015
How to configure FVS318N to transmit NAT'ed LAN IP in FTP transfers instead of Firewall's WAN-IP.
I'm having this problem.
Remote site is connected to the internet in a fixed, multiple IP-address MPLS setup.
The LAN side is presently protected by a Zyxel Zywall, but for a variety of reasons I want to replace the Zyxel, and for that I chose a NETGEAR FVS318N.
Manual: http://www.downloads.netgear.com/files/GDC/FVS318N/FVS318N_RM_26Apr2013.pdf
From the LAN-side a device is transferring files to our FTP server, and this has been working as expected with the Zyxel firewall.
The files for transfer are being renamed on the receiving FTP-server, after a successful transmission.
Now after the introduction of the FVS318 the rename operation is never completed, and the connection is timing out.
I have configured the appropriate incoming firewall rules as well as the NAT translations between LAN- and WAN-IP addresses, and they have been tested to be correct.
Routing mode on the NETGEAR FVS318N is set to NAT (p. 29 in the manual)
1. Select Network Configuration > WAN Settings, radio 'NAT' is selected.
Neither VPN, Wireless or DHCP are active.
Now I believe I have found what causes the error, by looking in the FTP-server's logfile:
----- start NETGEAR -----
Wed Sep 23 21:47:10 2015 300 111.111.111.101 77 /data/upload.file_1442964300.sea a _ i r olh ftp 0 * c
Wed Sep 23 21:53:11 2015 301 111.111.111.101 41 /data/upload.file_1442964600.met a _ i r olh ftp 0 * c
Wed Sep 23 21:59:12 2015 300 111.111.111.101 41 /data/upload.file_1442964900.met a _ i r olh ftp 0 * c
Wed Sep 23 22:05:12 2015 301 111.111.111.101 77 /data/upload.file_1442964900.sea a _ i r olh ftp 0 * c
----- end NETGEAR -------
----- start ZYXEL -------
Wed Sep 23 22:12:11 2015 1 111.111.111.102 41 /data/upload.file_1442965200.met a _ i r olh ftp 0 * c
Wed Sep 23 22:12:18 2015 1 111.111.111.102 41 /data/upload.file_1442965500.met a _ i r olh ftp 0 * c
Wed Sep 23 22:18:11 2015 1 111.111.111.102 77 /data/upload.file_1442965200.sea a _ i r olh ftp 0 * c
Wed Sep 23 22:18:17 2015 1 111.111.111.102 41 /data/upload.file_1442965800.met a _ i r olh ftp 0 * c
----- end ZYXEL ---------
NETGEAR-WAN-IP: 111.111.111.101
LAN-DEVICE-NAT-WAN-IP: 111.111.111.102
LAN-DEVICE-LAN-IP: 192.168.001.102
Incoming firewall rule is mapping 111.111.111.102 to 192.168.001.102, and is verified to work.
In the FTP-server logfile it can be seen that when the NETGEAR is used, it (the NETGEAR) transmits its WAN-IP instead of the NAT'ed WAN-IP of the transmitting LAN device.
Since the FTP-client expects an answer to its own IP, it times out, because the response is sent to the WAN-IP of the NETGEAR.
Both passive and active FTP have been tested; neither overcomes the problem.
So the question is:
How is the NETGEAR FVS318N configured to transmit the NAT'ed WAN-IP of the transmitting LAN device instead of the WAN-IP of the NETGEAR for FTP transfers?
Thanks
Ole
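Added example, not part of the original post: a short Python reader for the FTP server log quoted above, assuming it follows the common xferlog field layout (timestamp, transfer time in seconds, remote host, size, filename, then nine flag fields). It groups transfers by the source address the server recorded and flags those that did not arrive from the expected 1:1 NAT address; `EXPECTED_SRC` comes from the post, while `SLOW_SECONDS` and the function names are assumptions.

```python
from collections import defaultdict

# Log lines copied from the post above (server-side FTP transfer log).
SAMPLE_LOG = """\
Wed Sep 23 21:47:10 2015 300 111.111.111.101 77 /data/upload.file_1442964300.sea a _ i r olh ftp 0 * c
Wed Sep 23 21:53:11 2015 301 111.111.111.101 41 /data/upload.file_1442964600.met a _ i r olh ftp 0 * c
Wed Sep 23 21:59:12 2015 300 111.111.111.101 41 /data/upload.file_1442964900.met a _ i r olh ftp 0 * c
Wed Sep 23 22:05:12 2015 301 111.111.111.101 77 /data/upload.file_1442964900.sea a _ i r olh ftp 0 * c
Wed Sep 23 22:12:11 2015 1 111.111.111.102 41 /data/upload.file_1442965200.met a _ i r olh ftp 0 * c
Wed Sep 23 22:12:18 2015 1 111.111.111.102 41 /data/upload.file_1442965500.met a _ i r olh ftp 0 * c
Wed Sep 23 22:18:11 2015 1 111.111.111.102 77 /data/upload.file_1442965200.sea a _ i r olh ftp 0 * c
Wed Sep 23 22:18:17 2015 1 111.111.111.102 41 /data/upload.file_1442965800.met a _ i r olh ftp 0 * c
"""
EXPECTED_SRC = "111.111.111.102"  # LAN-DEVICE-NAT-WAN-IP given in the post
SLOW_SECONDS = 60                 # assumed threshold, not from the post

def parse_xferlog(line):
    """Return a dict for one xferlog-style line, or None if it does not fit."""
    tok = line.split()
    # 5 timestamp tokens + 3 fields precede the filename, 9 fields follow it.
    if len(tok) < 18 or not (tok[5].isdigit() and tok[7].isdigit()):
        return None
    return {
        "duration": int(tok[5]),          # transfer time in seconds
        "remote_host": tok[6],            # source address as the server saw it
        "size": int(tok[7]),
        "filename": " ".join(tok[8:-9]),  # may contain spaces
        "direction": tok[-7],             # i = incoming (upload)
        "status": tok[-1],                # c = complete, i = incomplete
    }

def summarize(log_text, expected_src=EXPECTED_SRC, slow=SLOW_SECONDS):
    """Group transfers by source address; count slow and unexpected ones."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec:
            per_host[rec["remote_host"]].append(rec["duration"])
    return {
        host: {"transfers": len(d), "max_duration": max(d),
               "slow": sum(x >= slow for x in d), "unexpected_source": host != expected_src}
        for host, d in per_host.items()
    }

if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_LOG).items():
        print(host, stats)
```

On the quoted lines, every transfer logged from 111.111.111.101 took 300 to 301 seconds, while those from 111.111.111.102 took 1 second, which matches the timeout described in the post.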
Hi Samir
Apologies for my delayed response.
I'll try to test the setup you are suggesting the next time I'm at the location, but since it's in east Greenland there are no planned trips - I only go there when absolutely necessary.
I will need to close my post here for now, and I'd like to thank all of you for your help.
When I initially opened the case I thought I had just missed setting a checkmark somewhere, and that I could sort of just "copy-paste" the rules etc. from the Zyxel to the NETGEAR.
Cheers
18 Replies
- DaneA (NETGEAR Employee Retired)
Hi spaceobh,
It seems that you have already contacted NETGEAR Support about your concern. What I think is that you need to have an outbound rule for that FTP server to send traffic out on that secondary wan address of 111.111.111.102 instead of the device NAT IP of .101.
Welcome to the community! :smileyhappy:
Regards,
DaneA
NETGEAR Community Team
- spaceobh (Aspirant)
Hi DaneA
Thanks for your reply :smileyhappy:
Yes, I did submit my problem to Netgear support, however, I have been receiving more questions than answers :smileyfrustrated:
Ahhh, It may be the case, that I need to create a specific outbound rule in addition to the Any-Any rule that already exists.
Like:
Index    Service  Filter  LAN users      WAN Users        Qos  Bandwth
1 or 2?  Any      ALLOW   192.168.1.102  "FTP-server IP"  -    -
Is there a hierarchy in the position of those rules?
If so, must the specific outbound rule be no 1 or no 2?
Just to be nit-picky: It's an FTP-client pushing files from 192.168.1.102/111.111.111.102 to the receiving FTP-server on "FTP-server IP"
Thanks again :smileyhappy:
- DaneA (NETGEAR Employee Retired)
Hi spaceobh,
spaceobh wrote:
Ahhh, It may be the case, that I need to create a specific outbound rule in addition to the Any-Any rule that already exists.
Like:
Index    Service  Filter  LAN users      WAN Users        Qos  Bandwth
1 or 2?  Any      ALLOW   192.168.1.102  "FTP-server IP"  -    -
Is there a hierarchy in the position of those rules?
If so, must the specific outbound rule be no 1 or no 2?
Yes, hierarchy should be observed on which rule should first be checked. You may specify the rule as no. 1.
Regards,
DaneA
NETGEAR Community Team
- SamirD (Prodigy)
This sounds like more of an issue with the ftp client. Is the client assigned the wan IP or a NAT one?
- spaceobh (Aspirant)
It's not - it's a NETGEAR configuration issue - I have the installation running in working order behind a Zyxel firewall.
The problem is that the FTP transfer arrives at the receiving server with the WAN-IP of the NETGEAR.
The current setup works fine - the Zyxel passes the WAN-IP that corresponds to its NAT'ed LAN device, and as such the receiving server sees the WAN-IP of the transmitting LAN device and not the firewall.
This is obvious if you look at the log on the FTP-server in the first post in the thread.
Br
Ole
- SamirD (Prodigy)
It could definitely not be a netgear issue. I've looked at all the information you've provided. There is no reason for any router to change an address like you indicate unless there's a rule that you've put in to do so.
I connect to ftp servers all the time from behind our 318s and have never had such an issue. Are you using passive mode for the ftp?
Personally, I wouldn't change out the zyxel router for the netgear. Zyxel products are more enterprise grade.
- spaceobh (Aspirant)
Hmmm, you may be right, but if so I don't understand a thing.
I've set the necessary incoming rules (they work) and I've tried with and without any outgoing rules. I realize I may just lack the understanding of the various terms used in the NETGEAR documentation, but I would think that I do understand enough to set it up to meet my needs.
I use passive - both as the default, and forced, and from a number of different ftp clients (FileZilla, ncftpput, MS ftp, perl ftp and an unknown native), and they behave the same. The file is transferred, but the ACK for completion never reaches the transmitting unit.
I like your statement that you prefer Zyxel to NETGEAR, but I was inclined to believe that the (old) Zyxel was somewhat defective and causing a variety of errors (still do), but for the time being I'll stick with the Zyxel. This is also due to the fact that swapping firewalls on the ISP equipment confuses the ARP tables, so that when I returned the Zyxel to operation it wouldn't work until I had the ISP clear the ARP table - I had some scary moments there :smileyfrustrated:
Thanks for chipping in.
Br
Ole
- SamirD (Prodigy)
If there's no server on the netgear lan, there's no need for any rules for ftp to work (unless you have a double nat, but it doesn't sound like you do). I think the incoming rule may actually be the issue. Could you try removing it and see what happens? In fact, just connect the netgear behind the zyxel--even though it's a double nat scenario, if you're using passive mode it shouldn't be an issue.