Forum Discussion
Can an FTP vip maintain the server FTP port?
version 11.2.1
I created an FTP VIP and load-balance to 2 FTP servers that use priority groups. The servers use passive FTP, and the problem I have is that when the servers send the PASV command the F5 is translating the port. We only allow clients to connect to this VIP on ports 4000-4100, and the F5 is translating this to a disallowed port.
I could not find any FTP iRule events or profile settings that I could use to change this.
4 Replies
- t-roy
Nimbostratus
Hopefully this saves someone else some time:
I was able to get this working by creating an FTP virtual server that listens on all ports (with NO FTP profile) with a forwarding virtual server on the server-side VLAN.
A stream profile translates the server's IP address in the pasv command to the VIP IP; an iRule on the forwarding virtual SNATs to the IP of the VIP on CLIENT_ACCEPTED as well.
- Matt_Pitts_6390
Nimbostratus
Thank you for the update. I'm running into a similar situation and was wondering if you could share the iRule you created to perform the logic of the FTP profile?
- Martin_58375
Nimbostratus
Any update on it?
- nitass
Employee
Not sure if this is similar to what t-roy uses. Anyway, this is what I tested here.

ftp control channel

```
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual ftpctl
ltm virtual ftpctl {
    destination 172.28.20.111:21
    ip-protocol tcp
    mask 255.255.255.255
    pool ftpp
    profiles {
        mystream { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-port disabled
    vs-index 11
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile stream mystream
ltm profile stream mystream {
    app-service none
    defaults-from stream
    source 200,200,200,101,
    target 172,28,20,111,
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool ftpp
ltm pool ftpp {
    members {
        200.200.200.101:0 {
            address 200.200.200.101
        }
    }
}
```

ftp data channel

```
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual ftpdta-ext
ltm virtual ftpdta-ext {
    destination 172.28.20.111:0
    ip-protocol tcp
    mask 255.255.255.255
    pool ftpp
    profiles {
        fastl4_0s { }
    }
    source 0.0.0.0/0
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 19
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual ftpdta-int
ltm virtual ftpdta-int {
    destination 172.28.20.17:0
    ip-forward
    mask 255.255.255.255
    profiles {
        fastl4_0s { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool ftpvip
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 20
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_0s
ltm profile fastl4 fastl4_0s {
    app-service none
    defaults-from fastL4
    idle-timeout immediate
    loose-close disabled
    loose-initialization enabled
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm snatpool ftpvip
ltm snatpool ftpvip {
    members {
        172.28.20.111
    }
}
```

test

```
[root@centos17 ~] ftp 172.28.20.111
Connected to 172.28.20.111.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.28.20.111:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
227 Entering Passive Mode (172,28,20,111,252,78)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Apr 06  2012 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -l
227 Entering Passive Mode (172,28,20,111,52,97)
150 Here comes the directory listing.
-rw-r--r--    1 0        0      1012865024 Apr 06  2012 BIGIP-11.1.0.1943.0.iso
226 Directory send OK.
ftp> bye
221 Goodbye.
```

packet trace

```
[root@ve11a:Active:Changes Pending] config tcpdump -nni 0.0 -s0 host 172.28.20.111 or host 200.200.200.101 and 'tcp[13] & 2 = 2' and not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes

----- control channel -----
13:22:18.431240 IP 172.28.20.17.40360 > 172.28.20.111.21: S 982826903:982826903(0) win 5840 in slot1/tmm1 lis=
13:22:18.431297 IP 172.28.20.111.21 > 172.28.20.17.40360: S 2048968823:2048968823(0) ack 982826904 win 4380 out slot1/tmm1 lis=/Common/ftpctl
13:22:18.433182 IP 172.28.20.17.40360 > 200.200.200.101.21: S 3266297137:3266297137(0) win 4380 out slot1/tmm1 lis=/Common/ftpctl
13:22:18.435030 IP 200.200.200.101.21 > 172.28.20.17.40360: S 4036093744:4036093744(0) ack 3266297138 win 5792 in slot1/tmm1 lis=/Common/ftpctl

----- data channel -----
13:22:24.974061 IP 172.28.20.17.58245 > 172.28.20.111.64590: S 417456275:417456275(0) win 5840 in slot1/tmm1 lis=
13:22:24.974111 IP 172.28.20.17.58245 > 200.200.200.101.64590: S 417456275:417456275(0) win 5840 out slot1/tmm1 lis=/Common/ftpdta-ext
13:22:24.975995 IP 200.200.200.101.64590 > 172.28.20.17.58245: S 2840256948:2840256948(0) ack 417456276 win 5792 in slot1/tmm1 lis=
13:22:24.976024 IP 172.28.20.111.64590 > 172.28.20.17.58245: S 2840256948:2840256948(0) ack 417456276 win 5792 out slot1/tmm1 lis=/Common/ftpdta-int
13:22:28.462043 IP 172.28.20.17.52950 > 172.28.20.111.13409: S 1192817272:1192817272(0) win 5840 in slot1/tmm1 lis=
13:22:28.462095 IP 172.28.20.17.52950 > 200.200.200.101.13409: S 1192817272:1192817272(0) win 5840 out slot1/tmm1 lis=/Common/ftpdta-ext
13:22:28.464143 IP 200.200.200.101.13409 > 172.28.20.17.52950: S 916139666:916139666(0) ack 1192817273 win 5792 in slot1/tmm1 lis=
13:22:28.464200 IP 172.28.20.111.13409 > 172.28.20.17.52950: S 916139666:916139666(0) ack 1192817273 win 5792 out slot1/tmm1 lis=/Common/ftpdta-int
```
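Both working answers in this thread (t-roy's stream profile that rewrites the server address in the PASV reply, and nitass's configuration with port-0 data-channel virtual servers and translate-port disabled) change only the address bytes of the 227 reply; the port bytes p1,p2 are whatever the back-end server chose, and the trace shows those ports (252,78 = 64590 and 52,97 = 13409) arriving at the VIP untranslated. The Python below is an added example, not code from the thread or from F5: it decodes 227 replies the way an FTP client does, reproduces the stream profile's address-only substitution, and checks each advertised data port against the original poster's 4000-4100 client policy. The sample replies are constructed from the test session above; the server-side reply containing 200,200,200,101 is an assumption, since the trace only shows the rewritten form. Two caveats the check makes visible: because the BIG-IP passes the port through, confining clients to 4000-4100 has to be enforced by the server's passive port range (for vsftpd, pasv_min_port and pasv_max_port; not discussed in the thread), and a wildcard-port virtual server such as ftpdta-ext on the external VLAN accepts a SYN to any port of the VIP and forwards it to the pool member on that same port, so it deserves a port-range restriction of its own.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the 227 reply as the back-end server (200.200.200.101 in
# the lab above) is assumed to emit it, before the stream profile rewrites it.
SERVER_PASV_REPLY = "227 Entering Passive Mode (200,200,200,101,252,78)"

# Constructed sample: the two 227 replies the client saw in the thread's test.
CLIENT_PASV_REPLIES = [
    "227 Entering Passive Mode (172,28,20,111,252,78)",
    "227 Entering Passive Mode (172,28,20,111,52,97)",
]

# The original poster's policy: clients may only reach the VIP on ports 4000-4100.
ALLOWED_DATA_PORTS = (4000, 4100)

# RFC 959 227 reply: (h1,h2,h3,h4,p1,p2); the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Decode a 227 reply into (ip, port), rejecting malformed or out-of-range octets."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}")), p1 * 256 + p2


def stream_rewrite(reply: str, server_ip: str, vip_ip: str) -> str:
    """Mimic the thread's stream profile (source '200,200,200,101,' -> target
    '172,28,20,111,'): a plain substring substitution on the server-to-client
    stream. Only the address is replaced; the port bytes pass through as sent."""
    src = server_ip.replace(".", ",") + ","
    dst = vip_ip.replace(".", ",") + ","
    return reply.replace(src, dst)


def port_allowed(port: int, allowed=ALLOWED_DATA_PORTS) -> bool:
    """True if the advertised data port falls inside the client-side policy range."""
    lo, hi = allowed
    return lo <= port <= hi


def audit(replies, allowed=ALLOWED_DATA_PORTS):
    """Return [(ip, port, allowed)] per 227 reply; a False entry is the poster's problem:
    the client is told to connect to a VIP port its firewall policy does not permit."""
    out = []
    for r in replies:
        ip, port = parse_pasv(r)
        out.append((ip, port, port_allowed(port, allowed)))
    return out


if __name__ == "__main__":
    print(stream_rewrite(SERVER_PASV_REPLY, "200.200.200.101", "172.28.20.111"))
    for ip, port, ok in audit(CLIENT_PASV_REPLIES):
        print(f"{ip}:{port} {'allowed' if ok else 'outside 4000-4100 policy'}")
```

Running the script shows the rewritten reply carrying the VIP address with the server's original port bytes, and both data ports from the test session flagged as outside the 4000-4100 range. Feeding it a 227 reply from a server whose passive range has been pinned to 4000-4100 is the quickest way to confirm the server-side fix before touching the BIG-IP.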