Cannot connect to FTP from WAN side.

DD-WRT Forum Forum Index -> Atheros WiSOC based Hardware
ReptileX
DD-WRT Novice


Joined: 08 Nov 2015
Posts: 11
Location: The Netherlands

PostPosted: Sun Nov 15, 2015 15:42    Post subject: Cannot connect to FTP from WAN side.
I have some issues when I try to connect to my FTP from outside my network. Connecting from the LAN side works, even if I use the WAN-side IP or my DNS name from the LAN side, but whenever I try to connect from the internet at another location I have issues.

There are a lot of topics about this issue and I tried them all, like the suggestions here from the wiki page:
http://www.dd-wrt.com/wiki/index.php/ProFTPd

But nothing helps. I cannot use port 21 since it is blocked by my ISP, so I am using port 2121.

The FTP client seems to connect but gives a “227 Entering Passive Mode”, then it disconnects with an I/O error. I have used different FTP clients. I don’t think it is a firewall problem since it connects without any errors.

Here is a log from the client; I changed the WAN IP and DNS name for security reasons.
Code:
Connecting  FTP server my.dns.com on port 2121
my.dns.com resolved to  12.345.67.89 
220 ProFTPD 1.3.5a Server (DD-WRT) [12.345.67.89] 
FEAT 
211-Features:
 TVFS
 MFMT
 SIZE
 MFF modify;UNIX.group;UNIX.mode;
 REST STREAM
 MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
 EPRT
 EPSV
 MDTM
211 End 
USER xxxx
331 Password required for xxxx
PASS •••••••••• 
230 User xxxx logged in 
CWD /FTPROOT
250 CWD command successful
PASV 
227 Entering Passive Mode (62,163,81,51,135,111). 
MLSD 
I/O error


I know that FTP is not really secure, but I don’t have top-secret stuff on it, so I couldn’t care less if people could see it or not.

Does anyone have a suggestion for me?
The router is on the latest firmware; see my signature for more information.

_________________
  • TP-Link TL-WDR4900v1 @ r30949
  • Netgear WNDR3700v1 @ r29621
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5431
Location: Texas

PostPosted: Sun Nov 15, 2015 17:47    Post subject:
You will have to do a port range forward in your router to use passive FTP.

The connection port (normally 21) must be open, and you must have a range set in your FTP server for passive mode, which you would also open in your router, normally about 20 or so ports, something like 32000-32020, for the passive connection.

Or you can force your FTP server to use 'active FTP', but if you do that then any client trying to connect needs to disable 'passive' FTP connections and use 'force active'. This normally uses ports 20 & 21.

I didn't read the link you posted, but from setting up FTP years ago I found out that the more you read the more complicated it can get, and really it ain't :)

I don't use the dd-wrt FTP, but that is the basics of it all.
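Added example (not part of any post in this thread): mrjcd's point is that the control connection and the data connection are separate TCP connections, so a successful login says nothing about whether the address and port announced in the 227 reply are reachable from the client. The script below decodes a 227 reply into address and port and flags the two classic NAT failures: a private address announced because MasqueradeAddress is missing, and a port outside the range the firewall was told about. It assumes the address in the first post's reply (62.163.81.51) is the real WAN address and uses the 60000-61000 range from the wiki quoted later in the thread; on that reply it reports port 34671 as outside the range.

```sh
#!/bin/sh
# Added example (not from this thread): decode a "227 Entering Passive Mode"
# reply and check it against the public address the client dialled and the
# PassivePorts range the server is meant to use. Plain POSIX sh + awk, so it
# runs on a workstation or in DD-WRT's busybox shell.

# Constructed input: the 227 reply quoted in the first post.
PASV_LINE='227 Entering Passive Mode (62,163,81,51,135,111).'

# The six numbers are h1,h2,h3,h4,p1,p2: the data-connection address is
# h1.h2.h3.h4 and the port is p1*256+p2. Prints "ip port", or nothing if
# the line is not a 227 reply.
pasv_decode() {
    printf '%s\n' "$1" | awk -F'[(),]' '
        /^227 / && NF >= 7 { printf "%d.%d.%d.%d %d\n", $2, $3, $4, $5, $6 * 256 + $7 }'
}

# RFC 1918, loopback and link-local: a server behind NAT with no
# MasqueradeAddress advertises one of these and the client cannot reach it.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*)            return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)     return 0 ;;
        *)                                         return 1 ;;
    esac
}

# pasv_check LINE EXPECTED_WAN_IP LOW HIGH
# Prints "ok" or a space-separated list of findings. Always exits 0 so it
# can be used under set -e.
pasv_check() {
    line=$1; wan=$2; lo=$3; hi=$4
    decoded=$(pasv_decode "$line")
    if [ -z "$decoded" ]; then echo "not-a-227-reply"; return 0; fi
    ip=${decoded% *}; port=${decoded#* }
    findings=""
    if is_private_ip "$ip"; then findings="$findings private-address"; fi
    if [ "$ip" != "$wan" ]; then findings="$findings address-mismatch"; fi
    if [ "$port" -lt "$lo" ] || [ "$port" -gt "$hi" ]; then findings="$findings port-outside-range"; fi
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

# Stand-alone run: assume the address in the reply is the real WAN address
# (assumption) and the 60000-61000 range from the wiki quoted in the thread.
pasv_check "$PASV_LINE" 62.163.81.51 60000 61000
```

A "port-outside-range" finding means the server is not using the PassivePorts directive at all (on DD-WRT typically because /tmp/proftpd/etc/proftpd.conf was regenerated and the added lines are gone), so no port-forward or INPUT rule for the intended range can help until that is fixed.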
ReptileX
DD-WRT Novice


Joined: 08 Nov 2015
Posts: 11
Location: The Netherlands

PostPosted: Sun Nov 15, 2015 18:12    Post subject:
@mrjcd, thanks for your reply. The link I posted says basically the same about passive ports and such; I did those, but it didn’t help. And since the client logs in and even the CWD command works, and it only doesn't allow listing and stops there, that’s why I think it is not a port problem, but I could be wrong.

This is the write-up from the link above:
Quote:
FTP Option - allow WAN FTP access including passive modes
Allowing WAN access was not so simple for me. Here is what I did to make the ftp work for the WAN.
1 - First, proftpd has to be configured properly for incoming connections in both Active and Passive modes. For that purpose a couple of lines need to be added to /tmp/proftpd/etc/proftpd.conf.
Add this if using a domain name (needless to say, replace the domain name or IP with your domain name or IP):
Code:
MasqueradeAddress   xxx.mydomain.com  # DNS name 
#OR this if not using a domain name
MasqueradeAddress   123.45.67.89      # WAN IP

The other line to add is the passive ports on which proftpd will be listening. I chose the port range 60000 to 61000, opening 1000 ports. Change this range to your requirements.
Code:
PassivePorts 60000 61000

The problem is that /tmp/proftpd/etc/proftpd.conf gets overwritten every time the router is restarted. So add these lines using a startup script [Administration->Commands->Startup]. Here is how I did it:
Code:
#-------- for proftpd passive WAN access -----
echo 'MasqueradeAddress xxxxx.dyndns.org'>> /tmp/proftpd/etc/proftpd.conf   #Masquerade the responses
echo 'PassivePorts 60000 61000'>> /tmp/proftpd/etc/proftpd.conf    #Set the passive ports range
killall -HUP proftpd    #restart the ftp server

2 - Now forward these passive ports to the internal IP address of your router, e.g. 192.168.1.1. I forwarded the ports using the UI. It can also be done using iptables; however, I feel more comfortable with the UI.
2.1 - The iptables command to open the passive ports in the firewall is:
Code:
/usr/sbin/iptables -I INPUT -p tcp -m tcp --dport 60000:61000 --syn -j logaccept

mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5431
Location: Texas

PostPosted: Sun Nov 15, 2015 18:52    Post subject:
Can't help a whole lot since I don't run FTP on dd-wrt, but
ReptileX wrote:
227 Entering Passive Mode (62,163,81,51,135,111)
AFAIK would usually refer to some kind of port problem, or a permissions issue where it can't get a directory list. These two things are about the same during a failed FTP connection.

You might try a client in 'active mode' to your 2121 port to see what you can get.

Also not sure about the dd-wrt FTP character encoding or text vs binary, but I suppose that should be fine if you can connect within the LAN, so look at what's blocking it.

EDIT: looks to be a little tricky getting a WAN FTP connection through, and that wiki was last updated over 3 years ago. Lots have changed in dd-wrt, but not sure about the FTP; maybe someone running it can chime in.

good luck

You can always ask in the 'Advanced Networking' forum; lots of good folks travel through there.
fretbuzz
DD-WRT Novice


Joined: 07 Aug 2018
Posts: 5

PostPosted: Fri Aug 10, 2018 15:06    Post subject:
This is a "startup" script in Administration->Commands:

#-------- for proftpd passive WAN access -----
echo 'MasqueradeAddress xxxxx.dyndns.org'>> /tmp/proftpd/etc/proftpd.conf #Masquerade the responses
echo 'PassivePorts 60000 61000'>> /tmp/proftpd/etc/proftpd.conf #Set the passive ports range
killall -HUP proftpd #restart the ftp server

This is a "firewall" script in Administration->Commands:

/usr/sbin/iptables -I INPUT -p tcp -m tcp --dport 60000:61000 --syn -j logaccept

Note that unlike the wiki wording, this script INPUTs the login rule (into the router) and doesn't FORWARD the rule past the firewall. Do not enter anything in NAT/QoS->Port Forwarding/Port Range etc., as this FORWARDS the login rules past the router but does not INPUT them into the router (which has ProFTPD on it) and thus will conflict with your scripts. The scripts created under Administration->Commands will insert everything needed upon reboot.

This is how I got it working, and it now works after each reboot. You can always manually run each script above to test it. Also, if you disable the SPI firewall you'll get it working with a non-standard port, but I did that only for testing to see if any ports were being blocked. I tried to piece a guide together here:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1137048#1137313
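One added script (not from the thread, the wiki or the DD-WRT project) covering both the procedure from the wiki quoted in ReptileX's post and fretbuzz's startup/firewall pair above: the proftpd.conf directives and the iptables rule are derived from the same two variables, so the PassivePorts range and the range opened in the firewall cannot drift apart, and each directive is appended only if it is not already present, so the script is safe to re-run by hand. fretbuzz's INPUT-not-FORWARD point holds because ProFTPD is a service on the router itself: packets addressed to the router traverse the INPUT chain, while FORWARD (what a port-forward entry manipulates) only sees packets routed on to another host. Assumed here: the config path and the logaccept target the posts use, a hypothetical DDNS name ftp.example.org, and the 60000-61000 range from the wiki; on any machine without /tmp/proftpd/etc it only prints what it would install.

```sh
#!/bin/sh
# Added example, not from this thread or the DD-WRT project: one startup
# script that derives the ProFTPD passive settings and the matching firewall
# rule from the same variables, and that can be re-run without stacking
# duplicate directives. Assumed: the paths and logaccept target used in the
# posts, the hypothetical DDNS name ftp.example.org, the 60000-61000 range.

MASQ_ADDR=${MASQ_ADDR:-ftp.example.org}         # DDNS name or WAN IP (assumed)
PASV_LO=${PASV_LO:-60000}
PASV_HI=${PASV_HI:-61000}
CONF=${CONF:-/tmp/proftpd/etc/proftpd.conf}     # regenerated by DD-WRT on every boot
TARGET=${TARGET:-logaccept}                     # DD-WRT's accept-and-log chain; ACCEPT works too
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Refuse nonsense before touching anything: both ends numeric, unprivileged,
# in order, and within 16 bits.
validate_range() {
    lo=$1; hi=$2
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$lo" -ge 1024 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# The two directives ProFTPD needs: MasqueradeAddress puts the public
# address in the 227 reply instead of the router's LAN address, PassivePorts
# pins the data ports to a range the firewall can be told about.
proftpd_lines() {
    printf 'MasqueradeAddress %s\n' "$MASQ_ADDR"
    printf 'PassivePorts %s %s\n' "$PASV_LO" "$PASV_HI"
}

# Append each directive only if that exact line is absent (idempotent),
# unlike a bare >> which adds a copy on every manual run.
ensure_lines() {
    file=$1
    [ -f "$file" ] || : > "$file"
    proftpd_lines | while IFS= read -r line; do
        grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
    done
}

# ProFTPD runs on the router itself, so inbound data connections are
# delivered locally and pass through INPUT; a NAT/port-forward entry
# (DNAT + FORWARD) targets a service on a LAN host and does nothing here.
fw_rule() {
    printf '%s -I INPUT -p tcp --dport %s:%s --syn -j %s\n' \
        "$IPTABLES" "$PASV_LO" "$PASV_HI" "$TARGET"
}

apply() {
    validate_range "$PASV_LO" "$PASV_HI" || { echo "bad PassivePorts range: $PASV_LO-$PASV_HI" >&2; return 1; }
    ensure_lines "$CONF"
    killall -HUP proftpd 2>/dev/null || true   # re-read config; fine if proftpd is not up yet
    eval "$(fw_rule)"
}

# On the router (the config directory exists) apply everything; elsewhere
# just show the lines and the rule that would be installed.
if [ -d "$(dirname "$CONF")" ]; then apply; else proftpd_lines; fw_rule; fi
```

Paste the whole thing as the Startup command (DD-WRT runs it after the firewall script on boot); if you prefer to keep the rule in the Firewall command as fretbuzz does, call fw_rule from there with the same PASV_LO/PASV_HI values. Either way the firewall's range and ProFTPD's range come from one place.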
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6140
Location: Romerike, Norway

PostPosted: Fri Aug 10, 2018 18:28    Post subject:
Using FTP over the WAN is not very safe.

Use SSH/SFTP

Much safer, and you do not have the problem with passive mode. Disable password authentication and use key authentication.
joedow
DD-WRT Novice


Joined: 11 Feb 2018
Posts: 45

PostPosted: Sun Jul 12, 2020 9:37    Post subject:
fretbuzz wrote:
This is a "startup" script in Administration->Commands:

#-------- for proftpd passive WAN access -----
echo 'MasqueradeAddress xxxxx.dyndns.org'>> /tmp/proftpd/etc/proftpd.conf #Masquerade the responses
echo 'PassivePorts 60000 61000'>> /tmp/proftpd/etc/proftpd.conf #Set the passive ports range
killall -HUP proftpd #restart the ftp server

This is a "firewall" script in Administration->Commands:

/usr/sbin/iptables -I INPUT -p tcp -m tcp --dport 60000:61000 --syn -j logaccept

Note that unlike the wiki wording, this script INPUTs the login rule (into the router) and doesn't FORWARD the rule past the firewall. Do not enter anything in NAT/QoS->Port Forwarding/Port Range etc., as this FORWARDS the login rules past the router but does not INPUT them into the router (which has ProFTPD on it) and thus will conflict with your scripts. The scripts created under Administration->Commands will insert everything needed upon reboot.

This is how I got it working, and it now works after each reboot. You can always manually run each script above to test it. Also, if you disable the SPI firewall you'll get it working with a non-standard port, but I did that only for testing to see if any ports were being blocked. I tried to piece a guide together here:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1137048#1137313


THIS worked! Thank you.
joedow
DD-WRT Novice


Joined: 11 Feb 2018
Posts: 45

PostPosted: Fri Jul 17, 2020 2:33    Post subject:
One note, still here:

The FTP on my main router is working, but on a secondary (dd-wrt) one it is not. I still cannot access it over the WAN. Ports opened, startup and firewall scripts inserted...
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 9022
Location: Texas, USA

PostPosted: Fri Jul 17, 2020 2:37    Post subject:
It should be forwarding, not inputting, methinks. That is what opening up WAN access does: forward the connection to the LAN IP of the router, if I am not completely losing my mind.