How to configure FVS318N to transmit NAT'ed LAN IP in FTP transfers instead of Firewall's WAN-IP.

spaceobh
Aspirant

I'm having this problem.

 

Remote site is connected to the internet in a fixed, multiple IP-address MPLS setup.
The LAN side is presently protected by a Zyxel Zywall, but for a variety of reasons I want to replace the Zyxel, and for that I chose a NETGEAR FVS318N.
Manual: http://www.downloads.netgear.com/files/GDC/FVS318N/FVS318N_RM_26Apr2013.pdf

 

From the LAN-side a device is transferring files to our FTP server, and this has been working as expected with the Zyxel firewall.
The files for transfer are being renamed on the receiving FTP-server, after a successful transmission.

 

Now after the introduction of the FVS318 the rename operation is never completed, and the connection is timing out.

 

I have configured the appropriate incoming firewall rules as well as the NAT translations between LAN- and WAN-IP addresses, and they have been tested to be correct.

 

Routing mode on the NETGEAR FVS318N is set to NAT (p. 29 in the manual)
1. Select Network Configuration > WAN Settings, radio 'NAT' is selected.

 

Neither VPN, Wireless or DHCP are active.

 

Now I believe I have found what causes the error, by looking in the FTP-server's logfile:

----- start NETGEAR -----
Wed Sep 23 21:47:10 2015 300 111.111.111.101 77 /data/upload.file_1442964300.sea a _ i r olh ftp 0 * c
Wed Sep 23 21:53:11 2015 301 111.111.111.101 41 /data/upload.file_1442964600.met a _ i r olh ftp 0 * c
Wed Sep 23 21:59:12 2015 300 111.111.111.101 41 /data/upload.file_1442964900.met a _ i r olh ftp 0 * c
Wed Sep 23 22:05:12 2015 301 111.111.111.101 77 /data/upload.file_1442964900.sea a _ i r olh ftp 0 * c
----- end NETGEAR -------
----- start ZYXEL -------
Wed Sep 23 22:12:11 2015 1 111.111.111.102 41 /data/upload.file_1442965200.met a _ i r olh ftp 0 * c
Wed Sep 23 22:12:18 2015 1 111.111.111.102 41 /data/upload.file_1442965500.met a _ i r olh ftp 0 * c
Wed Sep 23 22:18:11 2015 1 111.111.111.102 77 /data/upload.file_1442965200.sea a _ i r olh ftp 0 * c
Wed Sep 23 22:18:17 2015 1 111.111.111.102 41 /data/upload.file_1442965800.met a _ i r olh ftp 0 * c
----- end ZYXEL ---------

 

NETGEAR-WAN-IP: 111.111.111.101
LAN-DEVICE-NAT-WAN-IP: 111.111.111.102
LAN-DEVICE-LAN-IP: 192.168.001.102

 

Incoming firewall rule is mapping 111.111.111.102 to 192.168.001.102, and is verified to work.

 

In the FTP-server logfile it can be seen that when the NETGEAR is used, it (the NETGEAR) transmits its WAN-IP instead of the NAT'ed WAN-IP of the transmitting LAN device.

 

Since the FTP-client expects an answer to its own IP, it times out, because the response is sent to the WAN-IP of the NETGEAR.

 

Both passive and active ftp have been tested, neither overcomes the problem.

 

So the question is:
How is the NETGEAR FVS318N configured to transmit the NAT'ed WAN-IP of the transmitting LAN device instead of the WAN-IP of the NETGEAR for FTP transfers?

 

Thanks
Ole

 

Message 1 of 19
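
The log lines in the first post match the standard xferlog layout (timestamp, transfer time in seconds, remote host, file size, file name, then flags, user and completion status). As an added example, not part of the original thread, this Python script parses them and groups uploads by source address so the difference between the two firewalls can be read off directly; the function names and the `stall_seconds` and `small_bytes` thresholds are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Sample input: the eight log lines quoted in the first post.
SAMPLE_LOG = """\
Wed Sep 23 21:47:10 2015 300 111.111.111.101 77 /data/upload.file_1442964300.sea a _ i r olh ftp 0 * c
Wed Sep 23 21:53:11 2015 301 111.111.111.101 41 /data/upload.file_1442964600.met a _ i r olh ftp 0 * c
Wed Sep 23 21:59:12 2015 300 111.111.111.101 41 /data/upload.file_1442964900.met a _ i r olh ftp 0 * c
Wed Sep 23 22:05:12 2015 301 111.111.111.101 77 /data/upload.file_1442964900.sea a _ i r olh ftp 0 * c
Wed Sep 23 22:12:11 2015 1 111.111.111.102 41 /data/upload.file_1442965200.met a _ i r olh ftp 0 * c
Wed Sep 23 22:12:18 2015 1 111.111.111.102 41 /data/upload.file_1442965500.met a _ i r olh ftp 0 * c
Wed Sep 23 22:18:11 2015 1 111.111.111.102 77 /data/upload.file_1442965200.sea a _ i r olh ftp 0 * c
Wed Sep 23 22:18:17 2015 1 111.111.111.102 41 /data/upload.file_1442965800.met a _ i r olh ftp 0 * c
"""

# xferlog fields that follow the five-token timestamp.
FIELDS = ("seconds", "remote_host", "size", "filename", "type", "action_flag",
          "direction", "access_mode", "user", "service", "auth_method",
          "auth_user", "status")

def parse_xferlog(line):
    """Return a dict for one xferlog line, or None if the line does not fit."""
    parts = line.split()
    if len(parts) != 5 + len(FIELDS):   # assumes no spaces in the file name
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        rec = dict(zip(FIELDS, parts[5:]))
        rec["seconds"], rec["size"] = int(rec["seconds"]), int(rec["size"])
    except ValueError:
        return None
    rec["when"] = when
    return rec

def summarize(log_text, stall_seconds=60, small_bytes=1024):
    """Group incoming transfers by source IP and flag small files that took long."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec and rec["direction"] == "i":
            by_host[rec["remote_host"]].append(rec)
    report = {}
    for host, recs in by_host.items():
        stalled = [r["filename"] for r in recs
                   if r["size"] <= small_bytes and r["seconds"] >= stall_seconds]
        report[host] = {"transfers": len(recs), "stalled": stalled,
                        "median_seconds": statistics.median(r["seconds"] for r in recs)}
    return report

if __name__ == "__main__":
    for host, row in summarize(SAMPLE_LOG).items():
        print(host, row["transfers"], row["median_seconds"], len(row["stalled"]))
```

On the sample it reports four transfers from 111.111.111.101 with a median of 300.5 seconds, all flagged as stalled, against a median of 1 second and none flagged from 111.111.111.102.
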

Accepted Solutions
Message 16 of 19

All Replies
DaneA
NETGEAR Moderator

Hi spaceobh,

 

It seems that you have already contacted NETGEAR Support about your concern.  What I think is that you need to have an outbound rule for that FTP server to send traffic out on that secondary wan address of 111.111.111.102 instead of the device NAT IP of .101.  

 

Welcome to the community! :)

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 19
spaceobh
Aspirant

Hi DaneA

 

Thanks for your reply :)

 

Yes, I did submit my problem to Netgear support, however, I have been receiving more questions than answers :-/

 

Ahhh, it may be the case that I need to create a specific outbound rule in addition to the Any-Any rule that already exists.

Like:

Index    Service  Filter  LAN users      WAN users        QoS  Bandwidth
1 or 2?  Any      ALLOW   192.168.1.102  "FTP-server IP"  -    -

Is there a hierarchy in the position of those rules?

If so, must the specific outbound rule be no 1 or no 2?

Just to be nit-picky: It's an FTP client pushing files from 192.168.1.102/111.111.111.102 to the receiving FTP server on "FTP-server IP"

 

Thanks again :)

Message 3 of 19
DaneA
NETGEAR Moderator

Hi @spaceobh,

 


@spaceobh wrote:

Ahhh, it may be the case that I need to create a specific outbound rule in addition to the Any-Any rule that already exists.

Like:

Index    Service  Filter  LAN users      WAN users        QoS  Bandwidth
1 or 2?  Any      ALLOW   192.168.1.102  "FTP-server IP"  -    -

Is there a hierarchy in the position of those rules?

If so, must the specific outbound rule be no 1 or no 2?


Yes, hierarchy should be observed as to which rule should be checked first.  You may specify the rule as no. 1.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 4 of 19
spaceobh
Aspirant

Well, this is not easy to solve, primarily because the FVS318 is at a very remote place on a very, very slow connection and testing impairs production.

 

Since the current Zyxel is still functioning I will put the efforts to configure the FVS318 on hold until action is needed.

 

Thanks a lot for your contribution.

 

 

 

Message 5 of 19
DaneA
NETGEAR Moderator

Hi spaceobh,

 

You're welcome. :)

 

Feel free to post your concerns anytime here in the community.

 

 

Regards,

 

DaneA
NETGEAR Community Team

Message 6 of 19
SamirD
Prodigy

This sounds like more of an issue with the ftp client.  Is the client assigned the wan IP or a NAT one?

Message 7 of 19
spaceobh
Aspirant

It's not - it's a NETGEAR configuration issue - I have the installation running in working order behind a Zyxel firewall.

The problem is that the FTP transfer arrives at the receiving server with the WAN-IP of the NETGEAR.

The current setup works fine - the Zyxel passes the WAN-IP that corresponds to its NAT'ed LAN device, and as such the receiving server sees the WAN-IP of the transmitting LAN device and not the firewall.

 

This is obvious if you look at the log on the FTP-server in the first post in the thread.

 

Br

Ole

 

Message 8 of 19
SamirD
Prodigy

It could definitely not be a netgear issue. I've looked at all the information you've provided. There is no reason for any router to change an address like you indicate unless there's a rule that you've put in to do so.

I connect to ftp servers all the time from behind our 318s and have never had such an issue. Are you using passive mode for the ftp?

Personally, I wouldn't change out the zyxel router for the netgear. Zyxel products are more enterprise grade.
Message 9 of 19
spaceobh
Aspirant

Hmmm, you may be right, but if so I don't understand a thing.

 

I've set the necessary incoming rules (they work) and I've tried with and without any outgoing rules. I realize I may just lack the understanding of the various terms used in the NETGEAR documentation, but I would think that I do understand enough to set it up to meet my needs.

 

I use passive - both as the default, and forced, and from a number of different ftp clients (FileZilla, ncftpput, MS ftp, perl ftp and an unknown native) and they behave the same. The file is transferred, but the ACK for completion never reaches the transmitting unit.

 

I like your statement that you prefer Zyxel to NETGEAR, but I was inclined to believe that the (old) Zyxel was somewhat defective and causing a variety of errors (still do), but for the time being I'll stick with the Zyxel. This is also due to the fact that swapping firewalls on the ISP equipment confuses the ARP tables, so that when I returned the Zyxel to operation it wouldn't work until I had the ISP clear the ARP table - I had some scary moments there :-/

 

Thanks for chipping in.

 

Br

Ole

Message 10 of 19
SamirD
Prodigy

If there's no server on the netgear lan, there's no need for any rules for ftp to work (unless you have a double nat, but it doesn't sound like you do).  I think the incoming rule may actually be the issue.  Could you try removing it and see what happens?  In fact, just connect the netgear behind the zyxel--even though it's a double nat scenario, if you're using passive mode it shouldn't be an issue.

Message 11 of 19
spaceobh
Aspirant

 

"If there's no server on the netgear lan, there's no need for any rules for ftp to work (unless you have a double nat, but it doesn't sound like you do)."

That's what I was thinking - no outgoing rules needed. (yes, no double NAT)

I need incoming rules to filter unwanted traffic, right?

My initial configuration was any-any for outgoing, plus the desired incoming rules in order to filter unwanted traffic and setup NAT.

 

"I think the incoming rule may actually be the issue. Could you try removing it and see what happens?"

No, can't do that - the unit is at the remote (very remote) location, and I don't want to risk intrusion, in a situation where I'm not present at the site.

 

"In fact, just connect the netgear behind the zyxel--even though it's a double nat scenario, if you're using passive mode it shouldn't be an issue."

Can't do that either, the netgear is configured with a fixed WAN-IP (same as the Zyxel, obviously) so I don't see that can be done?

 

This is the setup:

[Image: NETGEAR03a.jpg]

Rules:

[Image: NETGEAR01a.jpg]

WAN-IP:

[Image: NETGEAR02a.jpg]

 

Message 12 of 19
SamirD
Prodigy

Thank you for the diagrams as it makes it very clear.  I wish others could do that in their threads!

 

So normally (and probably your current setup), the zyxel is in place of the netgear in the diagram showing the computer on the lan, correct?  If so, you can plug a *default configuration* 318n wan port into the lan port of the zyxel and then the computer on the lan into the lan port on the 318n.  By default, the 318n will allow traffic to pass to the zyxel which will in turn pass it on to the Internet.  This should work without an issue.

 

All those rules and services may be the issue.  By default, the netgear will pass ZERO traffic to your lan, so you're actually punching holes in the firewall rather than securing the device.

 

If you have remote management configured on the netgear and someone there who could physically make the cable changes, you can easily test without physically being there.

Message 13 of 19
spaceobh
Aspirant

@SamirD wrote:

"Thank you for the diagrams as it makes it very clear.  I wish others could do that in their threads!"

Yep, a picture is always good

"So normally (and probably your current setup), the zyxel is in place of the netgear in the diagram showing the computer on the lan, correct?  If so, you can plug a *default configuration* 318n wan port into the lan port of the zyxel and then the computer on the lan into the lan port on the 318n.  By default, the 318n will allow traffic to pass to the zyxel which will in turn pass it on to the Internet.  This should work without an issue."

I hear what you are saying, but this makes the 318 a simple hub, right?

"All those rules and services may be the issue.  By default, the netgear will pass ZERO traffic to your lan, so you're actually punching holes in the firewall rather than securing the device."

Yeah, well, that was the intention, allow access for legal external IP addresses, and preventing unwanted.

"If you have remote management configured on the netgear and someone there who could physically make the cable changes, you can easily test without physically being there."

I did that too, before I threw in the towel, but after the futile attempts to make the 318 forward the LAN/NAT/WAN-IP of the transmitting unit, I re-inserted the Zyxel.

The local hands are not able to fiddle with the 318, and since it's voluntary aid I don't want to exhaust my goodwill on an activity that will take a rather long time (already have) with little chance of success.

I may even consider getting another make unit for installation at the site.

Thanks for your contributions :)


 

Message 14 of 19
SamirD
Prodigy

No, in this case, it's actually two routers with the netgear being the last router in the chain. But as far as ftp is concerned, all the routers should route the packets correctly. This is how the whole Internet works.

 

If you want someone from the outside to be able to connect to the computer connected to the netgear lan, then yes, you might need some rules. But let's tackle that after we figure out why a completely normal ftp transfer is acting funny.

 

I hear you on the voluntary aid. Well, here's what I would do the next time you are able to get there:

- Factory default the Netgear by holding down the reset. You can do this after printing out or noting down the current configuration.
- Connect the wan of the netgear to the lan of the zyxel
- Connect the lan of the netgear to the computer.

In effect this will put the netgear in between the computer and the zyxel.

- Try your ftp again. It should work.

- Replace the Zyxel with the Netgear and try the ftp test again. It should work now too.
- Enable remote configuration on the netgear, but don't set up any rules or static routes yet.
- Post here with what you'd like to block/not block and we'll set up the rules via the remote configuration.

Message 15 of 19
spaceobh
Aspirant

Hi Samir

 

Apologies for my delayed response.

 

I'll try to test the setup you are suggesting the next time I'm at the location, but since it's in east Greenland there are no planned trips - I only go there when absolutely necessary.

 

I will need to close my post here for now, and I'd like to thank all of you for your help.

 

When I initially opened the case I thought I had just missed to set a checkmark somewhere, and that I could sort of just "copy-paste" the rules etc. from the Zyxel to the netgear.

 

Cheers

 

 

 

Message 16 of 19
SamirD
Prodigy

All good.  It's amazing how far and wide these devices allow our networks to reach.

 

No problem, just come back to this thread and update the results--even if it's years in advance.  That's the benefit of a forum--the knowledge builds with every passing day.

 

Yeah, the Zyxel and Netgear interfaces are totally different.  I recently set up a watchguard and that's totally different too.  You'd think that products that work together would at least have similar names for things in their interfaces, lol.

Message 17 of 19
spaceobh
Aspirant

 

"Yeah, the Zyxel and Netgear interfaces are totally different.  I recently set up a watchguard and that's totally different too.  You'd think that products that work together would at least have similar names for things in their interfaces, lol."

 

 

Right - sort of "We (whatever manufacturer) are strong supporters of standards - that's why we've made our own" :D

Message 18 of 19
SamirD
Prodigy

Hahaha!  Good one!

Message 19 of 19