Because the NAT address pool on the USG5100 is not in the same network segment as the interface address, a black-hole route must be configured on the firewall for the address pool segment. After that route is added, the NAT server mapping for the FTP server behaves abnormally: the data channel cannot be set up normally and takes about 10 minutes to establish. Without the black-hole route, the data channel is set up quickly.
client ------- internet ------- USG ------- ftp_server
1. With the black-hole route configured, the FTP service is abnormal and no corresponding session can be seen on the firewall. Without the black-hole route, the session can be seen.
2. A packet capture on the client shows that the client uses PASV mode, so the data channel connection is initiated by the client. The destination address it connects to is the private network address of the FTP server.
3. Checking the firewall shows that the stateful inspection function has been disabled. When the client is switched to PORT mode, so that the data channel connection is initiated by the server, there is no problem.
4. Remove the black-hole route and capture packets on the client again. The client first uses PASV mode and then immediately switches to PORT mode; the data channel connection is initiated by the server and can be set up normally.
To sum up: when the black-hole route is not configured, the packets to the private address match the default route, and the uplink device forwards them back to the firewall, forming a loop. A TTL-exceeded message is therefore soon sent to the client; after receiving it, the client immediately switches to PORT mode, so the data connection is instead initiated by the server and can be established successfully.
After NAT is configured, stateful inspection on the firewall must not be disabled. If it is turned off, the stateful inspection of multi-channel protocols such as FTP cannot do its job, which leads to the service abnormality.
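As an added illustration (not part of the original case), the check below parses an FTP 227 PASV reply and flags the symptom captured in step 2: a reply that advertises the server's private address instead of the public address the client connected to. It also performs the address rewrite that the firewall's FTP ALG does when stateful inspection is enabled. The addresses and the reply text are constructed samples, not values from the case.

```python
import ipaddress
import re

# Reply format from RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"(227[^(]*\()(\d{1,3}(?:,\d{1,3}){5})(\))")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply: str):
    """Return (ip, port) advertised by a 227 reply, or None for any other reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.group(2).split(",")]
    if any(f > 255 for f in fields):  # malformed tuple, do not trust it
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def check_pasv_reply(reply: str, control_peer: str):
    """Return None when the 227 reply is consistent with the control connection,
    otherwise a short reason. A private address here is the symptom from step 2:
    the server's reply passed through NAT without the FTP ALG rewriting it."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ip == control_peer:
        return None
    if is_rfc1918(ip):
        return f"227 reply advertises private address {ip}:{port}; FTP ALG not rewriting"
    return f"227 reply advertises {ip}:{port}, but control peer is {control_peer}"

def rewrite_pasv(reply: str, public_ip: str) -> str:
    """Do what the ALG does on the control channel: replace the server's address
    in the 227 reply with the public NAT address, keeping the port unchanged."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _ip, port = parsed
    new_tuple = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return PASV_RE.sub(lambda m: m.group(1) + new_tuple + m.group(3), reply, count=1)

# Constructed sample: the client talks to the public NAT address (TEST-NET-3), but
# the server's 227 reply still carries its private address, as captured in step 2.
CONTROL_PEER = "203.0.113.10"
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,10,20,19,137)\r\n"
```

Running `check_pasv_reply(SAMPLE_REPLY, CONTROL_PEER)` reports the private-address leak, while `rewrite_pasv(SAMPLE_REPLY, CONTROL_PEER)` yields the reply the client would have received with the ALG working.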