i think the problem with passive mode is "correct":-(
In passive mode the client first connects port 21 of the server. This is covered by your snat and filter rules.
In step 2 the server sends a message back to the client with the port, that the server wants to use for data-transmission. This is a port in the range 1024 - 65535! After this the client connects to this port for data-transmission. This is not covered by your snat+filterrules!
If you want to make passive ftp with snat on the clientside you need a ruleset for snating and filtering (accept!) every port > 1023! This means your firewall is open for nearly every connection. This (rfc-conform) behaviour of passive ftp is the reason for your problem with passive ftp.
Have you tried to switch the connection tracking helper for ftp on Networksecurity->Packetfilter->Advanced ? Perhaps it helps for passive ftp.
I know the ftp protocol...but here the problem is the connection tracking module used by Astaro.
It is enabled (by default) in the advaced packet filter configuration and I verified that it is loaded on the kernel by lsmod
With ASG 6 there was not need to modify the FTP service definition because the connection tracking module did its job.
However I opened a troble ticket with Astaro support and now I'm waiting for an answer...I let you know.
Any news on this "issue" ? When it will be possible, to change the used outgoing interface for http proxy ?
We also are using a 2 MBps leased line (standard gateway) and a cheap 5/0.5 Mbps ADSL line which I would like to use for http traffic (but with enabled http proxy for security reasons and http filtering).
