FTP access from second local subnet - Auxiliary parameters help

dscapec

Cadet
Joined
Dec 7, 2021
Messages
3
Hello to everyone.

I have a problem that I can't solve. This is the inability to access FTP through another network.
Example:
Behind the DHCP server I have two networks, 192.168.41.0/24 and 192.168.40.0/24 (DNS and GW is 192.168.41.2), and they can communicate with each other without any limits.
My TrueNAS is on address 192.168.41.9 and I set it up as an FTP server, which works fine except I can't access FTP from the 192.168.40.0/24 network.

The log says this:
Dec 7 12:51:47 freenas proftpd[2835]: 127.0.0.1 (192.168.41.2[192.168.41.2]) - SECURITY VIOLATION: Passive connection from foreign IP address 192.168.40.56 rejected (does not match client IP address 192.168.41.2).

For example, address 192.168.41.5 can access the FTP server without any problems.

We can be 100% sure that the DHCP server is not the problem, because I have a small QNAP NAS device located at address 192.168.41.80/24 with DNS and GW 192.168.41.2 that has FTP on it, and all computers from the 40 network can access its FTP.

I read that Auxiliary parameters should be added in TrueNAS, and I know where to add them, but I don't know what to add.

Please, can anyone write what I should put in the auxiliary parameters so TrueNAS will accept connections from the second network?

Thank you.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
It sounds very much to me like you have a double-NAT situation there.

Is your second network actually routing, or is it NATting?

You probably only have clients on the .40 network so you haven't noticed that something on the .41 actually can't just directly connect to something on the .40 network.

You'll need to sort that out if you want it to work without having to disable security checking.
 

dscapec

From any PC on .41 I can connect directly to every PC on .40. There are no restrictions between these two networks. And like I said, another FTP which I have on the same network structure works fine.

I just need to allow connections from a foreign IP address.
 

sretalla

> I just need to allow connections from a foreign IP address.

Or you need to stop NATting them from the router...

> SECURITY VIOLATION: Passive connection from foreign IP address 192.168.40.56 rejected (does not match client IP address 192.168.41.2)

Maybe I had the networks backwards...

> From any PC on .41 I can connect directly to every PC on .40.

Can you connect equally well in the opposite direction?
 

dscapec

> Is your second network actually routing, or is it NATting?

There is no NAT on these two networks.

> Maybe I had the networks backwards...
>
> Can you connect equally well in the opposite direction?

Yes, except the FTP on TrueNAS.

From .41 I can access all shares on .40 that I have configured, and also, to be sure, I'll just set the QNAP NAS to a .40 address and try to connect to FTP on it, and it works perfectly.

:(
 

sretalla

Your log entry is telling you that the FTP service thinks the IP it got the packet from is 192.168.41.2 (the router) even though the communication is with a client that says inside the session that its address is 192.168.40.56 (the real IP)... that sounds a lot like NAT to me.

Maybe it isn't, but it's your problem to work out, so if you don't want to investigate that to understand why the server thinks that there's a mismatch, you'll need to look for ways to have the server ignore that problem... I don't know about that, so can't help with it.

Have you set a masquerade address in the FTP service settings?
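
A way to triage the rejection in the log line quoted above, as an added example that is not part of the thread or of ProFTPD: it pulls the control-connection address and the passive data-connection address out of each rejection and flags entries where the control side is the gateway (192.168.41.2, taken from the first post). The label names and the second and third log lines are constructed for illustration.

```python
import ipaddress
import re

# Matches the ProFTPD rejection message quoted in the thread.
VIOLATION = re.compile(
    r"Passive connection from foreign IP address (?P<data>\S+) rejected "
    r"\(does not match client IP address (?P<control>[^)\s]+)\)"
)

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    "Dec 7 12:51:47 freenas proftpd[2835]: 127.0.0.1 (192.168.41.2[192.168.41.2]) - "
    "SECURITY VIOLATION: Passive connection from foreign IP address 192.168.40.56 "
    "rejected (does not match client IP address 192.168.41.2).",
    "Dec 7 12:53:02 freenas proftpd[2840]: 127.0.0.1 (192.168.41.5[192.168.41.5]) - "
    "FTP session opened.",
    "Dec 7 12:55:10 freenas proftpd[2851]: 127.0.0.1 (192.168.41.5[192.168.41.5]) - "
    "SECURITY VIOLATION: Passive connection from foreign IP address 192.168.41.77 "
    "rejected (does not match client IP address 192.168.41.5).",
]


def parse_violation(line):
    """Return (control_ip, data_ip) for a rejection line, or None."""
    m = VIOLATION.search(line)
    if m is None:
        return None
    return ipaddress.ip_address(m["control"]), ipaddress.ip_address(m["data"])


def triage(lines, gateways):
    """Label each rejection by where the control connection appeared to come from."""
    gw = {ipaddress.ip_address(g) for g in gateways}
    results = []
    for line in lines:
        parsed = parse_violation(line)
        if parsed is None:
            continue
        control_ip, data_ip = parsed
        # Control channel carrying the router's address while the data channel
        # keeps the client's own address means the two paths differ.
        via_gw = control_ip in gw and data_ip not in gw
        label = "control-via-gateway" if via_gw else "unrelated-source"
        results.append((str(control_ip), str(data_ip), label))
    return results


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["192.168.41.2"]))
```

A `control-via-gateway` result means the control connection reaches the server with the router's source address, so the path between the two subnets is the thing to inspect before relaxing the server's check.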
 