FTP not working from outside LAN

It's not possible to access FTP from WAN from ASUS because the firmware port forwarding only works in the forward chain, not input. You would have to go into the Linux file system and configure FTP to listen onto WAN.
I don't think that's true....I just enabled FTP with WAN access and the following rule was generated (in iptables -S output). So the firewall rule generation is working.

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

But I did have another thought....let's switch out of passive mode....

Make a vsftpd.postconf script in /jffs/scripts (don't forget to make it executable)

Code:
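#!/bin/sh
# vsftpd.postconf: the firmware passes the path of the generated vsftpd config as $1
CONFIG=$1
source /usr/sbin/helper.sh   # provides pc_replace

# Switch the generated config from passive mode on to passive mode off
pc_replace "pasv_enable=YES" "pasv_enable=NO" "$CONFIG"

exit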
 
Hi,

Thanks for the input. Unfortunately, now with active mode not even via LAN works. I get the following error from FileZilla.
WAN results, which is the important one, is still the same "connection refused by server".

Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PORT 31,131,249,221,207,91
Response: 500 Illegal PORT command.
 
Did you also set your client to disable passive mode? Which now that I think about it some more, would have been easier.

The failing port command is trying to open port 53083
 
Yes, only active. No idea on the port you mention, coz the connection clearly is to port 21.
 
Yes, only active. No idea on the port you mention, coz the connection clearly is to port 21.
Port 21 is only the control channel. The data is actually sent across a different port that the client tells the server to use. My understanding is that's what that port command is doing. In active mode, it should use port 20. Since the server is now in active mode, I'm guessing it's rejecting the request to use a different port.
 
Just as an FYI....I had to do some VPN testing today, so borrowed my neighbor's connection for a bit (different ISP). I went to a straight connection (no VPN client since I already knew my VPN blocked some things), and fired up the FTP server with WAN access. Using ASUS's DDNS service and just the Windows ftp client everything worked just fine using my fork code. Windows FTP client is flaky with PASV, hence the use PASV msgs.

Code:
ftp
ftp> open xxxxx.asuscomm.com
Connected to xxxxx.asuscomm.com.
220 Welcome to ASUS RT-AC68R FTP service.
User (xxxxx.asuscomm.com:(none)): XXXXX
331 Please specify the password.
Password:
230 Login successful.
ftp> quote PASV
227 Entering Passive Mode (XXX,XXX,XXX,XXX,199,178)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
/ASUS
/Router_Share
226 Directory send OK.
ftp: 22 bytes received in 0.01Seconds 1.47Kbytes/sec.
ftp> cd /ASUS/backup
250 Directory successfully changed.
ftp> get nvram-usr-20150618-XXXX.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for /tmp/mnt/ASUS/backup/nvram-usr-20150618-BC88.txt (22873 bytes).
226 File send OK.
ftp: 22873 bytes received in 0.20Seconds 112.67Kbytes/sec.
ftp>
 
FTP sets a random PASV port range when it's started; you have to set it manually in the config file like this:

port_enable=YES
pasv_min_port=10500
pasv_max_port=10520

and firewall rule:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 10500:10520 -j ACCEPT

227 Entering Passive Mode (XXX,XXX,XXX,XXX,199,178) => is port : 51122

EDIT: if you want to use ftp on port 21 rx/tx then you must use SFTP, not included in Merlin's SW.
 
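Added example (not part of any post in this thread): a POSIX sh helper that decodes the data port from the `PORT` commands and `227` replies quoted above (port = p1*256 + p2) and checks passive ports against the 10500-10520 range from the vsftpd settings and iptables rule. The function names and the transcript are constructed for illustration; the transcript reuses two lines from the thread plus one made-up in-range reply.

```shell
#!/bin/sh
# Added example, not from the thread. Range taken from the pasv_min_port /
# pasv_max_port values quoted above.
PASV_MIN=10500
PASV_MAX=10520

# Print the data port encoded in a PORT command or 227 reply. The tuple is
# h1,h2,h3,h4,p1,p2 and port = p1*256 + p2. Masked address octets (XXX)
# are tolerated. Returns 1 when the line carries no valid tuple.
ftp_data_port() {
    tuple=$(printf '%s\n' "$1" | sed -n \
        's/.*[ (]\([0-9X]\{1,3\}\(,[0-9X]\{1,3\}\)\{3\},[0-9]\{1,3\},[0-9]\{1,3\}\).*/\1/p')
    [ -n "$tuple" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $tuple
    IFS=$old_ifs
    [ "$5" -le 255 ] && [ "$6" -le 255 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# Classify one transcript line. Active-mode ports are opened on the client,
# so only passive ports are compared with the range opened on the router.
classify_line() {
    port=$(ftp_data_port "$1") || return 0
    case "$1" in
        *PORT*) echo "active $port client-side" ;;
        *227*)
            if [ "$port" -ge "$PASV_MIN" ] && [ "$port" -le "$PASV_MAX" ]; then
                echo "passive $port in-range"
            else
                echo "passive $port outside-range"
            fi ;;
    esac
}

# Read a client transcript on stdin and report every data port it negotiates.
audit_session() {
    while IFS= read -r line; do classify_line "$line"; done
}

# Constructed transcript (last line is made up, using a documentation address).
audit_session <<'EOF'
Command: PORT 31,131,249,221,207,91
Response: 500 Illegal PORT command.
227 Entering Passive Mode (XXX,XXX,XXX,XXX,199,178)
227 Entering Passive Mode (192,0,2,10,41,10)
EOF
```

A passive port reported as outside-range is one the explicit `--dport 10500:10520` rule does not cover, so it only works if connection tracking marks the data connection as RELATED.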
Thanks all for your great ideas and support.

I have finally not succeeded, either Passive or Active mode, to connect from the internet through the VPN provider.
Hence, best shot will be to finally turn to the dark side (accept business plan switch). On the positive side, my uplink will go up to 5Mbps, which is not huge, but every bit will count as I'll try to set up a proper stream service as well. Hopefully will not find further issues on the Asus Merlin with the new (more standard) setup with a (WOW!) normal IPv4, and the AiDisk, etc.
 
FTP sets a random PASV port range when it's started; you have to set it manually in the config file like this:
You shouldn't need to do this if the conntrack_ftp module is loaded as the "--state RELATED,ESTABLISHED" rule should take care of everything.

That said, it frequently doesn't work as expected so the extra rule can't hurt :)
 
My VPN provider re-reconfirmed that port 21 is opened on their side.
I still see it closed via www.canyouseeme.org.
I understand there is something weird on the Asus/Merlin. I allowed the port via iptables (nothing on GUI as per RMerlin's directions since it's the router's default FTP).
As I mentioned I'm on rev. 378.54.

More interestingly, my VPN provider also confirmed I can access my own home VPN via their VPN IP.
This is really twisted, but the router would become VPN client and server to/from the same VPN external IP.
So I gave this a shot and set the Asus as server (client VPN setup was done already) following the tutorial and links from the Asus GUI, installing OpenVPN client on my Windows PC.
Unfortunately, I get an error on the OpenVPN client saying something like "can't authenticate using self-signed certificate". I googled a bit, and looks to me it might have to do with invalid certificates. I'm using the exported file from the Asus GUI, with the only modification of the WAN IP (to my VPN's one, instead of the Asus WAN internal IP) and port.

The VPN connection would be great as it'd solve the FTP issue and beyond completely, especially now that my VPN provider confirmed it as possible.

Would anyone be able to quickly enlighten me on this OpenVPN certificate error? I need to get back to my ISP on whether I take the switch proposal or not :(.
 
OK I was having the same issue and like you I want to access my FTP via WAN.

I know people say don't forward the port but this is what I did to get it working

I created a forwarding port under Virtual Server / Port Forwarding with the following details but I also enabled Respond Ping Request from WAN under Firewall General Settings.

Mine worked fine before last firmware update but I am having to resort to this to get it working.

Don't forget to turn the router off for 10 sec and back on again after applying settings.

Hope you have the same joy.
 
Even with it off I can still access my FTP share over the wan FWIW.
Are you really accessing it from a different internet connection? If you are just trying to use an external DDNS address from your local network, the router is smart enough to know you are really local and will give you access.
 
Are you really accessing it from a different internet connection? If you are just trying to use an external DDNS address from your local network, the router is smart enough to know you are really local and will give you access.

Yes. I have accessed it multiple times from multiple different IP addresses over the wan. My buddy from Texas can also mount my ftp share on his Linux PC and upload/download files.
 