[ReptileX]

I have some issues when I try to connect my FTP from outside my network, connecting from LAN side is working, even if I use the WAN side IP or my DNS from LAN side is working but whenever I try to connect from internet on another location I have issues.

There is a lot topics about this issue and tried them all, like the suggestions here from wiki page:
http://www.dd-wrt.com/wiki/index.php/ProFTPd

But nothing helps, I cannot use port 21 since it is blocked by ISP so I am using port 2121

FTP client seems to connect but gives a “227 Entering Passive Mode” than it disconnects with a I/O error. I have used different FTP clients, I don’t think it is a firewall problem since it connects without any errors.

Here a log from the client, I did change the WAN IP and DNS for security reasons.

[mrjcd]

You will have to do a port range forward in your router to use passive FTP.

Connection port (normally 21) must be open
and
must have a range set in your FTP server for passive which you would also open
in your router normally about 20 or so ports something like 32000-32020 open for the
passive connection.

or you can force your FTP server to use 'active FTP' but if you do that then any client trying
to connect needs to disable 'passive' FTP connection and use 'force active' ..... this normally
uses ports 20 & 21.

I didn't read the link you posted but from setting up FTP years ago I found out the more you read
the more complicated it can get ----- and really it aint

I don't use the dd-wrt FTP but that is the basic of it all

[ReptileX]

@mrjd, thanks for your reply, the link I posted says basically same about passive ports and such, I did those but it didn’t help, and since the client logs in and even the CWD command works, it only don’t allow to list and stops there, that’s why I think it is not a port problem but I could be wrong.

This is the write up from the link above:

[mrjcd]

Can't help a whole lot since I don't run FTP on the dd-wrt but

[fretbuzz]

This is a "startup" Script in Administration->Commands:

#-------- for proftpd passive WAN access -----
echo 'MasqueradeAddress xxxxx.dyndns.org'>> /tmp/proftpd/etc/proftpd.conf #Masquerade the responses
echo 'PassivePorts 60000 61000'>> /tmp/proftpd/etc/proftpd.conf #Set the passive ports range
killall -HUP proftpd #restart the ftp server

This is a "firewall" script in Administration->Commands:

/usr/sbin/iptables -I INPUT -p tcp -m tcp --dport 60000:61000 --syn -j logaccept

Note that unlike the wiki wording, this script INPUTS the login rule (into the router) and doesn't FORWARD the rule past the firewall. Do not enter anything in NAT/QoS->Port Forwarding/Port Range etc. as this FORWARDS the login rules past the router, but does not INPUT them into the router (which has ProFTPD on it) and thus will conflict with your scripts. The scripts created under Administration->Commands will insert everything needed upon reboot.This is how I got it working, and it now works after each reboot. You can always manually run each script above to test it- Also, if you disable the SPI Firewall you'll get it working with a non-standard port, but I did it only for testing to see if any ports were being blocked. I tried to piece a guide together here:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1137048#1137313

[Per Yngve Berg]

Using FTP over the WAN is not very safe.

Use SSH/SFTP

Much safer and you do not have the problem with passive mode. Disable password authentication and use key authentication.

[joedow]

[joedow]

One note, still here:

The FTP on my main router is working, but on a secondary (dd wrt) one not. I still cannot access it by wan. Ports opened, startup and firewall scripts inserted...

[kernel-panic69]

It should be forwarding, not inputting, methinks. That is what opening up wan access does, forward connection to the LAN IP of the router if I am not completely losing my mind.