It's the first time i post here, so if i make some mistakes, or your eyes bleed 'cause my english is epic, pls excuse me.
I have a misterious issue with the FTP NAT helper on 2 CCR, when a machine behind the CCR's try to connect to an Internet FTP Server (connecting as a client).
From the first CCR, the machine is unable to make a "dir" command to an FTP (Active) from Windows command-line, but, from a Explorer window, works like a charm. At first, i thought that behaviour happens because cmd must work on active mode, because don't support passive, and on explorer window yes, because you can configure it to work as passive. (I have previously read that an active FTP requires an incoming connection to the CCR port 20, and the problems that arise when translating that connection to the requesting machine).
But my surprise come when, from the second CCR, the machine is totally able to make a "dir" command to an FTP (Active) from Windows command-line, and explorer window too, with the same configuration (backup and restore).
The firewall is correctly configured on both CCR, all machines tested are behind the firewall and only a masquerade rule on NAT, but for some reason, all mentioned earlier happens.
Then various questions arise me...
- The first CCR works as intended, or the second one?
- It's the NAT Helper able to translate the port 20 connections from the Internet Server, to the machine that originated the ftp "dir" petition behind the CCR, without a manually configured NAT rule?
- What are the workaround to make all the machines behind a CCR, reach and work with an Active/Passive FTP?
Regards,
