I'm running a local FTP server behind VyOS with the firewall opened to allow the control connection on TCP/21. Clients on the WAN side are able to interact with the FTP server up until a PASV command is issued. The FTP server responds with an internal IP and port and this is properly mangled by conntrack to VyOS's WAN IP. Clients are then able to establish the data connection; however, at this point the control connection is wedged. Packets from both sides, which moments before crossed the NAT, are now dropped at VyOS.
Clients which issue an EPSV command instead continue to have a functional control connection, are also able to establish the data connection, and complete an FTP transfer.
vyos@vyos:~$ show version
    Version:          VyOS 1.5-rolling-202409210006
    Release train:    current
    Release flavor:   generic
    Built by:         [email protected]
    Built on:         Sat 21 Sep 2024 00:06 UTC
    Build UUID:       2f25692e-e899-4266-b0e6-388578fea859
    Build commit ID:  3f579439714481
    Architecture:     x86_64
    Boot via:         installed image
    System type:      Xen HVM guest
    Secure Boot:      n/a (BIOS)
    Hardware vendor:  Xen
    Hardware model:   HVM domU
    Hardware S/N:     [snipped]
    Hardware UUID:    [snipped]
    Copyright:        VyOS maintainers and contributors
vyos@vyos# show nat destination rule 51
     destination {
         port 21
     }
     inbound-interface {
         name eth0
     }
     protocol tcp
     translation {
         address 192.168.0.10
         port 21
     }
vyos@vyos# show nat source
     rule 100 {
         outbound-interface {
             name eth0
         }
         source {
             address 192.168.0.0/24
         }
         translation {
             address masquerade
         }
     }
     rule 110 {
         description Hairpin
         destination {
             address 192.168.0.0/24
         }
         outbound-interface {
             name eth1
         }
         protocol tcp_udp
         source {
             address 192.168.0.0/24
         }
         translation {
             address masquerade
         }
     }
vyos@vyos# show system conntrack
     modules {
         ftp
         h323
         nfs
         pptp
         sip
         sqlnet
         tftp
     }
It sounded like this worked earlier in the year, per T5376, but I'm unable to find a copy of rolling-202402230022 to confirm.
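To make the PASV/EPSV difference in the report concrete, the following is an added Python example; it is not part of the original report and not VyOS or kernel code. It parses a 227 (PASV) reply and a 229 (EPSV) reply, works out where a client would open the data connection after each, and applies the same address rewrite to the 227 reply that the kernel's FTP NAT helper (loaded on VyOS by the `ftp` entry under `system conntrack modules`) performs. The two sample replies are constructed for the example, the internal address 192.168.0.10 is taken from the DNAT rule above, and the WAN address 203.0.113.5 is an assumption for illustration.

```python
import re
from typing import Tuple

# Constructed sample replies for the example: what a server listening on the
# internal address 192.168.0.10 would send for PASV and for EPSV.
PASV_REPLY = b"227 Entering Passive Mode (192,168,0,10,195,80).\r\n"
EPSV_REPLY = b"229 Entering Extended Passive Mode (|||50000|).\r\n"

# Assumed WAN address of the VyOS box for the example (not from the report).
WAN_ADDR = "203.0.113.5"

PASV_RE = re.compile(rb"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(rb"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply: bytes) -> Tuple[str, int]:
    """Return (address, port) announced in a 227 PASV reply.

    The server's own address travels inside the payload, which is exactly
    what a NAT helper has to rewrite when the server sits behind NAT.
    """
    m = PASV_RE.search(reply)
    if not reply.startswith(b"227") or m is None:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: bytes) -> int:
    """Return the port announced in a 229 EPSV reply.

    EPSV carries only a port: the client connects to the address it already
    uses for the control connection, so nothing in the payload needs NAT.
    """
    m = EPSV_RE.search(reply)
    if not reply.startswith(b"229") or m is None:
        raise ValueError("not a 229 EPSV reply")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def data_endpoint(reply: bytes, control_peer: str) -> Tuple[str, int]:
    """Where a client would open the data connection after the given reply."""
    if reply.startswith(b"227"):
        return parse_pasv(reply)
    if reply.startswith(b"229"):
        return control_peer, parse_epsv(reply)
    raise ValueError("not a passive-mode reply")


def nat_rewrite_pasv(reply: bytes, internal: str, external: str) -> Tuple[bytes, int]:
    """Apply the address rewrite the kernel's FTP NAT helper does to a 227 reply.

    Returns the rewritten reply and the change in payload length. A non-zero
    change means TCP sequence numbers on the control connection have to be
    adjusted for the rest of the session; the kernel does that alongside the
    mangle, this example only reports the delta.
    """
    addr, port = parse_pasv(reply)
    if addr != internal:
        return reply, 0  # nothing to rewrite; leave the reply untouched
    octets = ",".join(external.split(".")).encode()
    replacement = b"(%s,%d,%d)" % (octets, port // 256, port % 256)
    rewritten = PASV_RE.sub(replacement, reply, count=1)
    return rewritten, len(rewritten) - len(reply)


if __name__ == "__main__":
    print("PASV announces", data_endpoint(PASV_REPLY, WAN_ADDR))
    print("EPSV resolves to", data_endpoint(EPSV_REPLY, WAN_ADDR))
    new_reply, delta = nat_rewrite_pasv(PASV_REPLY, "192.168.0.10", WAN_ADDR)
    print("after helper:", new_reply, "length delta", delta)
```

The point the example makes is the one the report hinges on: the 229 reply needs no payload mangling at all, so a control connection that only ever uses EPSV is never touched by the helper, whereas the 227 reply is rewritten in place and can change length, which is the path the `ftp` conntrack helper has to get right.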