FTPS / FTP TLS does not work in 380.67

[AirMaxVI]

Hi Folks,

I am trying to make use of the new feature FTPS (FTP TLS) in 380.67 version but without success.
I enable the TLS for the FTP and also the access from WAN and when try to connect to the router's FTPS service from a remote location with FileZilla client, the connection is established (control channel) over port 21 but listing of directories fails. From the debug log of the FTP client the connection is in PASSIVE mode and Explicit FTP over SSL/TLS.

According to my troubleshooting it seems that FileZilla client fails to establish the DATA channel which is initiated from FTP client towards a random port on the FTPS server (router). This was confirmed by looking at the SYSLOG dropped packets on the router. It seems that the random ports provisioned during the CONTROL channel are closed and no communication can be established from outside (WAN port).

Not sure whether I am getting it right or completely wrong, so I am asking if anybody has tried or tested the FTPS over the WAN.

Any ideas are welcome.

Thank you.

 

[Makaveli]

Asuswrt-Merlin does not contain an SFTP server. FTP TLS/FTPS is not the same thing as SFTP (as confusing as it might be).

 

[AirMaxVI]

I am aware of SFTP which is using SSH tunnel. The problem which I have is purely regarding FTP service with TLS, which according to the debug log from FTP client is FTPES (Explicit FTP over TLS) working in PASSIVE mode.
Basically what I see from the router's syslog is that the ports for the DATA channel provided from the router are not open which leads the requests from the FTP client to be dropped.

 

[Makaveli]

I will have to test this on my ftp but it will be abit later.

Can you detail what settings you are using in filezilla to connect.

Screenshots would help.

 

[AirMaxVI]

I will have to test this on my ftp but it will be abit later.

Can you detail what settings you are using in filezilla to connect.

Screenshots would help.

Hi Makaveli,
Thanks for the input.
Here are the screenshots of FileZilla config:

View attachment 10042

And here are the logs from the FileZilla client (debug) and the SYSLOG from the router.

---------------------------------------FileZilla-debug-log-------------------------------------------------

Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 0
Status:   Resolving address of xxxxxxxxxxx
Status:   Connecting to x.x.x.159:21...
Status:   Connection established, waiting for welcome message...
Trace:   CFtpControlSocket::OnReceive()
Response:   220 Welcome to ASUS RT-AC66U FTP service.
Trace:   CFtpLogonOpData::ParseResponse() in state 1
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 2
Command:   AUTH TLS
Trace:   CFtpControlSocket::OnReceive()
Response:   234 Proceed with negotiation.
Trace:   CFtpLogonOpData::ParseResponse() in state 2
Status:   Initializing TLS...
Trace:   CTlsSocketImpl::Handshake()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   TLS handshake: About to send CLIENT HELLO
Trace:   TLS handshake: Sent CLIENT HELLO
Trace:   CTlsSocketImpl::OnSend()
Trace:   CTlsSocketImpl::OnRead()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   CTlsSocketImpl::OnRead()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   TLS handshake: Received SERVER HELLO
Trace:   TLS handshake: Processed SERVER HELLO
Trace:   TLS handshake: Received CERTIFICATE
Trace:   TLS handshake: Processed CERTIFICATE
Trace:   TLS handshake: Received SERVER KEY EXCHANGE
Trace:   TLS handshake: Processed SERVER KEY EXCHANGE
Trace:   TLS handshake: Received CERTIFICATE REQUEST
Trace:   TLS handshake: Processed CERTIFICATE REQUEST
Trace:   TLS handshake: Received SERVER HELLO DONE
Trace:   TLS handshake: Processed SERVER HELLO DONE
Trace:   TLS handshake: About to send CERTIFICATE
Trace:   TLS handshake: Sent CERTIFICATE
Trace:   TLS handshake: About to send CLIENT KEY EXCHANGE
Trace:   TLS handshake: Sent CLIENT KEY EXCHANGE
Trace:   TLS handshake: About to send FINISHED
Trace:   TLS handshake: Sent FINISHED
Trace:   CTlsSocketImpl::OnRead()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   TLS handshake: Received NEW SESSION TICKET
Trace:   TLS handshake: Processed NEW SESSION TICKET
Trace:   TLS handshake: Received FINISHED
Trace:   TLS handshake: Processed FINISHED
Trace:   TLS Handshake successful
Trace:   Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status:   Verifying certificate...
Status:   TLS connection established.
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 5
Command:   USER xxxxx
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   331 Please specify the password.
Trace:   CFtpLogonOpData::ParseResponse() in state 5
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 5
Command:   PASS ********
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   230 Login successful.
Trace:   CFtpLogonOpData::ParseResponse() in state 5
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 9
Command:   OPTS UTF8 ON
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 Always in UTF8 mode.
Trace:   CFtpLogonOpData::ParseResponse() in state 9
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 10
Command:   PBSZ 0
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 PBSZ set to 0.
Trace:   CFtpLogonOpData::ParseResponse() in state 10
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 11
Command:   PROT P
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 PROT now Private.
Trace:   CFtpLogonOpData::ParseResponse() in state 11
Status:   Logged in
Trace:   Measured latency of 82 ms
Trace:   CFtpControlSocket::ResetOperation(0)
Trace:   CControlSocket::ResetOperation(0)
Trace:   CFileZillaEnginePrivate::ResetOperation(0)
Status:   Retrieving directory listing...
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpListOpData::ListSend() in state 0
Trace:   CFtpChangeDirOpData::Send() in state 0
Trace:   CFtpChangeDirOpData::Send() in state 1
Command:   PWD
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   257 "/" is the current directory
Trace:   CFtpChangeDirOpData::ParseResponse() in state 1
Trace:   CFtpControlSocket::ResetOperation(0)
Trace:   CControlSocket::ResetOperation(0)
Trace:   CControlSocket::ParseSubcommandResult(0)
Trace:   CFtpListOpData::SubcommandResult() in state 1
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpListOpData::ListSend() in state 2
Trace:   CFtpRawTransferOpData::Send() in state 1
Command:   TYPE I
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 Switching to Binary mode.
Trace:   CFtpRawTransferOpData::ParseResponse() in state 1
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpRawTransferOpData::Send() in state 2
Command:   PASV
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   227 Entering Passive Mode (x,x,x,159,88,96).
Trace:   CFtpRawTransferOpData::ParseResponse() in state 2
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpRawTransferOpData::Send() in state 4
Trace:   Binding data connection source IP to control connection source IP 192.168.1.200
Command:   LIST
Error:   Connection timed out after 20 seconds of inactivity
Trace:   CRealControlSocket::DoClose(2050)
Trace:   CControlSocket::DoClose(2050)
Trace:   CFtpControlSocket::ResetOperation(2114)
Trace:   CControlSocket::ResetOperation(2114)
Trace:   CFtpControlSocket::ResetOperation(2114)
Trace:   CControlSocket::ResetOperation(2114)
Error:   Failed to retrieve directory listing
Trace:   CFileZillaEnginePrivate::ResetOperation(2114)

--------------------------------SYSLOG----------------------------------------------------

Aug  9 19:52:41 kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=x.x.x.5 DST=x.x.x.159 <1>LEN=52 TOS=0x00 PREC=0xE0 TTL=113 ID=22927 DF PROTO=TCP <1>SPT=11992 DPT=32044 SEQ=2693763319 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030701010402)
Aug  9 19:52:44 kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=x.x.x.5 DST=x.x.x.159 <1>LEN=52 TOS=0x00 PREC=0xE0 TTL=113 ID=22929 DF PROTO=TCP <1>SPT=11992 DPT=32044 SEQ=2693763319 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030701010402)
Aug  9 19:52:50 kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=x.x.x.5 DST=x.x.x.159 <1>LEN=52 TOS=0x00 PREC=0xE0 TTL=113 ID=22945 DF PROTO=TCP <1>SPT=11992 DPT=32044 SEQ=2693763319 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030701010402)

I have tried with UPNP enabled and disabled but no success. I will try local connection within the local LAN instead of the WAN and post the result.

Thanks again.

 

[Jack Yaz]

View attachment 10045 View attachment 10041 View attachment 10043 View attachment 10044


Hi Makaveli,
Thanks for the input.
Here are the screenshots of FileZilla config:

View attachment 10041 View attachment 10042 View attachment 10043 View attachment 10044

And here are the logs from the FileZilla client (debug) and the SYSLOG from the router.

---------------------------------------FileZilla-debug-log-------------------------------------------------

Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 0
Status:   Resolving address of xxxxxxxxxxx
Status:   Connecting to x.x.x.159:21...
Status:   Connection established, waiting for welcome message...
Trace:   CFtpControlSocket::OnReceive()
Response:   220 Welcome to ASUS RT-AC66U FTP service.
Trace:   CFtpLogonOpData::ParseResponse() in state 1
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 2
Command:   AUTH TLS
Trace:   CFtpControlSocket::OnReceive()
Response:   234 Proceed with negotiation.
Trace:   CFtpLogonOpData::ParseResponse() in state 2
Status:   Initializing TLS...
Trace:   CTlsSocketImpl::Handshake()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   TLS handshake: About to send CLIENT HELLO
Trace:   TLS handshake: Sent CLIENT HELLO
Trace:   CTlsSocketImpl::OnSend()
Trace:   CTlsSocketImpl::OnRead()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   CTlsSocketImpl::OnRead()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   TLS handshake: Received SERVER HELLO
Trace:   TLS handshake: Processed SERVER HELLO
Trace:   TLS handshake: Received CERTIFICATE
Trace:   TLS handshake: Processed CERTIFICATE
Trace:   TLS handshake: Received SERVER KEY EXCHANGE
Trace:   TLS handshake: Processed SERVER KEY EXCHANGE
Trace:   TLS handshake: Received CERTIFICATE REQUEST
Trace:   TLS handshake: Processed CERTIFICATE REQUEST
Trace:   TLS handshake: Received SERVER HELLO DONE
Trace:   TLS handshake: Processed SERVER HELLO DONE
Trace:   TLS handshake: About to send CERTIFICATE
Trace:   TLS handshake: Sent CERTIFICATE
Trace:   TLS handshake: About to send CLIENT KEY EXCHANGE
Trace:   TLS handshake: Sent CLIENT KEY EXCHANGE
Trace:   TLS handshake: About to send FINISHED
Trace:   TLS handshake: Sent FINISHED
Trace:   CTlsSocketImpl::OnRead()
Trace:   CTlsSocketImpl::ContinueHandshake()
Trace:   TLS handshake: Received NEW SESSION TICKET
Trace:   TLS handshake: Processed NEW SESSION TICKET
Trace:   TLS handshake: Received FINISHED
Trace:   TLS handshake: Processed FINISHED
Trace:   TLS Handshake successful
Trace:   Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status:   Verifying certificate...
Status:   TLS connection established.
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 5
Command:   USER xxxxx
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   331 Please specify the password.
Trace:   CFtpLogonOpData::ParseResponse() in state 5
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 5
Command:   PASS ********
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   230 Login successful.
Trace:   CFtpLogonOpData::ParseResponse() in state 5
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 9
Command:   OPTS UTF8 ON
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 Always in UTF8 mode.
Trace:   CFtpLogonOpData::ParseResponse() in state 9
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 10
Command:   PBSZ 0
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 PBSZ set to 0.
Trace:   CFtpLogonOpData::ParseResponse() in state 10
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpLogonOpData::Send() in state 11
Command:   PROT P
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 PROT now Private.
Trace:   CFtpLogonOpData::ParseResponse() in state 11
Status:   Logged in
Trace:   Measured latency of 82 ms
Trace:   CFtpControlSocket::ResetOperation(0)
Trace:   CControlSocket::ResetOperation(0)
Trace:   CFileZillaEnginePrivate::ResetOperation(0)
Status:   Retrieving directory listing...
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpListOpData::ListSend() in state 0
Trace:   CFtpChangeDirOpData::Send() in state 0
Trace:   CFtpChangeDirOpData::Send() in state 1
Command:   PWD
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   257 "/" is the current directory
Trace:   CFtpChangeDirOpData::ParseResponse() in state 1
Trace:   CFtpControlSocket::ResetOperation(0)
Trace:   CControlSocket::ResetOperation(0)
Trace:   CControlSocket::ParseSubcommandResult(0)
Trace:   CFtpListOpData::SubcommandResult() in state 1
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpListOpData::ListSend() in state 2
Trace:   CFtpRawTransferOpData::Send() in state 1
Command:   TYPE I
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   200 Switching to Binary mode.
Trace:   CFtpRawTransferOpData::ParseResponse() in state 1
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpRawTransferOpData::Send() in state 2
Command:   PASV
Trace:   CTlsSocketImpl::OnRead()
Trace:   CFtpControlSocket::OnReceive()
Response:   227 Entering Passive Mode (87,120,20,159,88,96).
Trace:   CFtpRawTransferOpData::ParseResponse() in state 2
Trace:   CControlSocket::SendNextCommand()
Trace:   CFtpRawTransferOpData::Send() in state 4
Trace:   Binding data connection source IP to control connection source IP 192.168.1.200
Command:   LIST
Error:   Connection timed out after 20 seconds of inactivity
Trace:   CRealControlSocket::DoClose(2050)
Trace:   CControlSocket::DoClose(2050)
Trace:   CFtpControlSocket::ResetOperation(2114)
Trace:   CControlSocket::ResetOperation(2114)
Trace:   CFtpControlSocket::ResetOperation(2114)
Trace:   CControlSocket::ResetOperation(2114)
Error:   Failed to retrieve directory listing
Trace:   CFileZillaEnginePrivate::ResetOperation(2114)

--------------------------------SYSLOG----------------------------------------------------

Aug  9 19:52:41 kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=x.x.x.5 DST=x.x.x.159 <1>LEN=52 TOS=0x00 PREC=0xE0 TTL=113 ID=22927 DF PROTO=TCP <1>SPT=11992 DPT=32044 SEQ=2693763319 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030701010402)
Aug  9 19:52:44 kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=x.x.x.5 DST=x.x.x.159 <1>LEN=52 TOS=0x00 PREC=0xE0 TTL=113 ID=22929 DF PROTO=TCP <1>SPT=11992 DPT=32044 SEQ=2693763319 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030701010402)
Aug  9 19:52:50 kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=x.x.x.5 DST=x.x.x.159 <1>LEN=52 TOS=0x00 PREC=0xE0 TTL=113 ID=22945 DF PROTO=TCP <1>SPT=11992 DPT=32044 SEQ=2693763319 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030701010402)

I have tried with UPNP enabled and disabled but no success. I will try local connection within the local LAN instead of the WAN and post the result.

Thanks again.

If works over LAN, try a manual portforward.

 

[AirMaxVI]

Update:
I have just tested the connectivity within the local LAN and it works fine.
So the problem is down to when the connection to the FTP is over WAN only.
Frankly, do not have an idea how to solve or workaround this problem.

 

[AirMaxVI]

If works over LAN, try a manual portforward.

The problem with the manual port forwarding is that I do not know which port is used by the FTP service for the DATA channel in PASSIVE mode. It might be that it is randomly generated by the service itself.
A help might be to get access to the ftp service config file where this might be defined but not sure.
I was expecting that if WAN access is enabled for the FTP then the port will be open dynamically upon successful authentication.

 

[Jack Yaz]

The problem with the manual port forwarding is that I do not know which port is used by the FTP service for the DATA channel in PASSIVE mode. It might be that it is randomly generated by the service itself.
A help might be to get access to the ftp service config file where this might be defined but not sure.
I was expecting that if WAN access is enabled for the FTP then the port will be open dynamically upon successful authentication.

I know FileZilla client lets you specify a range, I'm unsure if the same is possible with Merlin. But yes exposing to WAN should allow. Are you running any custom blocking scripts?

 

[AirMaxVI]

I know FileZilla client lets you specify a range, I'm unsure if the same is possible with Merlin. But yes exposing to WAN should allow. Are you running any custom blocking scripts?

No scripts at all.
Just the firmware with some basic configs and uPnP disabled.
About the specifying the ports within FileZilla it is only if you use ACTIVE mode which is not applicable in this case.
In PASSIVE mode the port range is specify on the server side not client, as far as I know.

 

[AirMaxVI]

Problem is resolved using the method provided by @octopus here: https://www.snbforums.com/threads/vsftpd-support-ssl-tls-encryption-support.17939/
1. Enable /jffs partition

2. Create file vsftpd.conf.add in /jffs/configs/ with the following content:

local_max_rate=0
pasv_min_port=13300
pasv_max_port=13320

This will append the above listed options to the main vsftpd.conf file. Basically, defining the port range for DATA channel for the PASSIVE mode. You can set your own range.

3. Create another file named firewall-start in /jffs/scripts/ with the following content:

#!/bin/sh
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 13300:13320 -j ACCEPT

This will add the above iptables rule to get PASSIVE mode work over the WAN, which is actually the main problem for me . Make sure you do not mess the port range .

4. Run the command below in order to make the script in step 3 executable:

chmod a+rx /jffs/scripts/firewall-start

5. Last step is to restart the services: vsftpd and firewall or reboot the router as I did .

All the credit goes to @octopus Thank you!
Tomorrow will run some tests and check the performance and speed and will update.

Thank you all for your help.

 

[AirMaxVI]

A good read about FTP can be found at http://www.priscilla.com/troubleshootingnetworks/ftpinfo.html.

After reading bit more about the protocol I actually understood how the client knows the destination port on the FTP server to which needs to be established the DATA channel communication.

But checking my previous post with the debug log and dropped packets it seems that the FTP client does not make a call to the correct port.
From the debug log

Response:   227 Entering Passive Mode (x,x,x,159,88,96).

the values needed for the port calculation are 88 and 96 which gives (88 x 256) + 96 = 22624
And from the SYSLOG dropped packets I have the requests destined to port DPT=32044

DST=x.x.x.159 <1>LEN=52 TOS=0x00 PREC=0xE0 TTL=113 ID=22945 DF PROTO=TCP <1>SPT=11992 DPT=32044

I will run some more troubleshooting later today with Wireshark and capture the accepted packets as well to see what calls are made against the router's FTP and to which ports as well.

Hope to find something

 

[AirMaxVI]

So, I have double checked everything and it all is OK in regards to the ports. I guess I have messed a bit with the log entries .

My conclusion is that if you plan to use FTP with TLS over WAN with RMerlin's firmware you need to set manually the port range for the PASSIVE mode and also to open all these ports with the appropriate iptables rule.

Thank you all for the help!

 

[RMerlin]

So, I have double checked everything and it all is OK in regards to the ports. I guess I have messed a bit with the log entries .

My conclusion is that if you plan to use FTP with TLS over WAN with RMerlin's firmware you need to set manually the port range for the PASSIVE mode and also to open all these ports with the appropriate iptables rule.

Thank you all for the help!

I suspect that could be because in TLS mode, the NAT helper is unable to automatically handle things due to the encryption. That's at least my theory (I haven't tested it beyond from LAN side).

I'll see if I could have passive ports forwarded by default whenever TLS support is enabled.

 

[AirMaxVI]

I suspect that could be because in TLS mode, the NAT helper is unable to automatically handle things due to the encryption. That's at least my theory (I haven't tested it beyond from LAN side).

I'll see if I could have passive ports forwarded by default whenever TLS support is enabled.

That would be great.
Thanks RMerlin.

 

[RMerlin]

Done (untested yet).

 

[octopus]

Done (untested yet).

Did you apply random PASV ports or fixed, if fixed how many open ports?
EDIT: can you do this as variable as well?

fprintf(fp, "pasv_max_port=%d\n", passive_port + 30);

 

[Jack Yaz]

Did you apply random PASV ports or fixed, if fixed how many open ports?

https://github.com/RMerl/asuswrt-merlin/commit/3100a8a15c06f7992fbc407a990c06961f6758b9
+ - CHANGED: Define and forward a small range of ports
+ (57535-57565) for use for passive FTP (needed for
+ TLS over WAN).

 

[RMerlin]

Did you apply random PASV ports or fixed, if fixed how many open ports?
EDIT: can you do this as variable as well?

fprintf(fp, "pasv_max_port=%d\n", passive_port + 30);

30 ports should be sufficient for a router. I based it on the number of ports my NAS' FTP server uses for its passive range. What kind of use would require more than 30?

I only made the starting port configurable to avoid wasting nvram on a setting that 99.5% of users will never need to change.