Joined: 08 Nov 2015 Posts: 11 Location: The Netherlands
Posted: Sun Nov 15, 2015 15:42 Post subject: Cannot connect to FTP from WAN side.
I have some issues when I try to connect to my FTP from outside my network. Connecting from the LAN side works, even if I use the WAN-side IP or my DNS name from the LAN side, but whenever I try to connect from the internet at another location I have issues.
But nothing helps. I cannot use port 21 since it is blocked by the ISP, so I am using port 2121.
The FTP client seems to connect but gives a “227 Entering Passive Mode”, then it disconnects with an I/O error. I have used different FTP clients. I don’t think it is a firewall problem since it connects without any errors.
Here is a log from the client. I did change the WAN IP and DNS for security reasons.
Code:
Connecting FTP server my.dns.com on port 2121
my.dns.com resolved to 12.345.67.89
220 ProFTPD 1.3.5a Server (DD-WRT) [12.345.67.89]
FEAT
211-Features:
TVFS
MFMT
SIZE
MFF modify;UNIX.group;UNIX.mode;
REST STREAM
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
EPRT
EPSV
MDTM
211 End
USER xxxx
331 Password required for xxxx
PASS ••••••••••
230 User xxxx logged in
CWD /FTPROOT
250 CWD command successful
PASV
227 Entering Passive Mode (62,163,81,51,135,111).
MLSD
I/O error
I know that FTP is not really secure but I don’t have top secret stuff on it so I wouldn’t care less if people could see or not.
Does anyone have a suggestion for me?
Router is on the latest firmware, see my sig for more information.
You will have to do a port range forward in your router to use passive FTP.
Connection port (normally 21) must be open
and
must have a range set in your FTP server for passive which you would also open
in your router normally about 20 or so ports something like 32000-32020 open for the
passive connection.
or you can force your FTP server to use 'active FTP' but if you do that then any client trying
to connect needs to disable 'passive' FTP connection and use 'force active' ..... this normally
uses ports 20 & 21.
I didn't read the link you posted but from setting up FTP years ago I found out the more you read
the more complicated it can get ----- and really it ain't
I don't use the dd-wrt FTP but that is the basic of it all
Joined: 08 Nov 2015 Posts: 11 Location: The Netherlands
Posted: Sun Nov 15, 2015 18:12 Post subject:
@mrjd, thanks for your reply. The link I posted says basically the same about passive ports and such. I did those but it didn’t help, and since the client logs in and even the CWD command works, it just doesn’t allow listing and stops there. That’s why I think it is not a port problem, but I could be wrong.
This is the write up from the link above:
Quote:
FTP Option - allow WAN FTP access including passive modes
Allowing WAN access was not so simple for me. Here is what I did to make the ftp work for the WAN.
1 - First proftpd has to be configured properly for incoming connection for both Active and Passive modes. For that purpose a couple of lines need to be added to /tmp/proftpd/etc/proftpd.conf.
Add this if using a domain name (needless to say, replace the domain name or IP with your domain name or IP):
Code:
MasqueradeAddress xxx.mydomain.com # DNS name
#OR this if not using a domain name
MasqueradeAddress 123.45.67.89 # WAN IP
Other line to add is the Passive ports on which proftpd will be listening. I chose the port range 60000 to 61000 opening 1000 ports. Change this range to your requirement.
Code:
PassivePorts 60000 61000
The problem is that /tmp/proftpd/etc/proftpd.conf gets overwritten every time router is restarted. So add these lines using a startup[Administration->commands->startup] script. Here is how I did it:
Code:
#-------- for proftpd passive WAN access -----
echo 'MasqueradeAddress xxxxx.dyndns.org'>> /tmp/proftpd/etc/proftpd.conf #Masquerade the responses
echo 'PassivePorts 60000 61000'>> /tmp/proftpd/etc/proftpd.conf #Set the passive ports range
killall -HUP proftpd #restart the ftp server
2 - Now forward these passive ports to the internal IP address of your router, e.g. 192.168.1.1. I forwarded the ports using the UI. It can also be done using iptables. However, I feel comfortable with the UI.
2.1 - The Iptables command to open the passive ports for the firewall are:
Can't help a whole lot since I don't run FTP on the dd-wrt but
ReptileX wrote:
227 Entering Passive Mode (62,163,81,51,135,111)
AFAIK would usually refer to some kind of port problem.... or a permissions
issue where it can't get a directory list.
These two things are about the same during a failed FTP connection.
You might try a client in 'active mode' to your 2121 port to see what you can get.
Also not sure about the dd-wrt FTP character encoding or text vs binary ... but I
suppose that should be fine if you can connect within the LAN.... so look at what's blocking it
EDIT: looks to be a little tricky getting a WAN FTP connection thru ... and that wiki was
last updated over 3 years ago. Lots has changed in dd-wrt but not sure about the FTP... maybe
someone running it can chime in.
good luck
you can always ask in the 'advanced networking forum' lots good folks travel thru there
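Added example, not part of any post in this thread: the 227 reply in the client log encodes the address and data port the server tells the client to use, so decoding it and comparing it with the `PassivePorts 60000 61000` range from the quoted write-up shows whether the advertised endpoint is one the router can actually pass. The function names are hypothetical, and the second and third sample replies are constructed.

```shell
#!/bin/sh
# Added example: decode an FTP 227 reply and compare it with the passive
# settings the server is supposed to be using. Function names are hypothetical.

# Print "IP PORT" for "227 ... (h1,h2,h3,h4,p1,p2)"; return 1 if malformed.
pasv_endpoint() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/^227 .*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    [ -n "$tuple" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $tuple            # split the six fields on commas
    IFS=$old_ifs
    for field in "$@"; do
        [ "$field" -le 255 ] || return 1
    done
    # RFC 959: data port = p1 * 256 + p2
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# Succeed if the address is loopback or RFC 1918 (unreachable from the WAN).
is_private_ip() {
    case $1 in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_pasv REPLY LOW HIGH: print a finding; status 0 only if the reply is usable.
check_pasv() {
    endpoint=$(pasv_endpoint "$1") || { echo "malformed 227 reply"; return 2; }
    ip=${endpoint% *}; port=${endpoint#* }
    if is_private_ip "$ip"; then
        echo "$ip:$port private address advertised to a WAN client"
        return 1
    fi
    if [ "$port" -lt "$2" ] || [ "$port" -gt "$3" ]; then
        echo "$ip:$port port outside forwarded range $2-$3"
        return 1
    fi
    echo "$ip:$port ok"
}

# Reply from the client log in this thread, then two constructed replies.
check_pasv '227 Entering Passive Mode (62,163,81,51,135,111).' 60000 61000 || true
check_pasv '227 Entering Passive Mode (192,168,1,1,234,100).' 60000 61000 || true
check_pasv '227 Entering Passive Mode (203,0,113,5,234,100).' 60000 61000 || true
```

For the reply in the thread this reports 62.163.81.51:34671, a data port outside the 60000-61000 range given in the quoted write-up.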
This is a "startup" Script in Administration->Commands:
#-------- for proftpd passive WAN access -----
echo 'MasqueradeAddress xxxxx.dyndns.org'>> /tmp/proftpd/etc/proftpd.conf #Masquerade the responses
echo 'PassivePorts 60000 61000'>> /tmp/proftpd/etc/proftpd.conf #Set the passive ports range
killall -HUP proftpd #restart the ftp server
This is a "firewall" script in Administration->Commands:
Note that unlike the wiki wording, this script INPUTS the login rule (into the router) and doesn't FORWARD the rule past the firewall. Do not enter anything in NAT/QoS->Port Forwarding/Port Range etc. as this FORWARDS the login rules past the router, but does not INPUT them into the router (which has ProFTPD on it) and thus will conflict with your scripts. The scripts created under Administration->Commands will insert everything needed upon reboot. This is how I got it working, and it now works after each reboot. You can always manually run each script above to test it. Also, if you disable the SPI Firewall you'll get it working with a non-standard port, but I did it only for testing to see if any ports were being blocked. I tried to piece a guide together here:
The FTP on my main router is working, but on a secondary (dd wrt) one not. I still cannot access it by wan. Ports opened, startup and firewall scripts inserted...
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Fri Jul 17, 2020 2:37 Post subject:
It should be forwarding, not inputting, methinks. That is what opening up wan access does, forward connection to the LAN IP of the router if I am not completely losing my mind.