Unable to connect to FTP Server connected to Merlin 384.17 (ECONNREFUSED)

[Jo Sidarta]

Hi,

Currently using Asus RT-AC68U with Merlin 384.17 (192.168.1.1)
I have FTP with SSL/TLS (explicit) server on QNAP TS-453be (192.168.1.26)

External IP > Asus (192.168.1.1) port 2021 > QNAP (192.168.1.26) port 1025

I have disabled FTP server on the Asus router:

Asus Port forwarding configuration:

QNAP FTP setup:

1. When I tried to login from internal network using WAN IP address - it throws ECONNREFUSED error

Status:          Connecting to MASKED_PUBLIC_IP:2021...
Status:          Connection established, waiting for welcome message...
Status:          Initializing TLS...
Status:          Verifying certificate...
Status:          TLS connection established.
Status:          Logged in
Status:          Retrieving directory listing...
Command:    PWD
Response:     257 "/" is the current directory
Command:    TYPE I
Response:     200 Type set to I
Command:    PASV
Response:     227 Entering Passive Mode (MASKED_PUBLIC_IP,219,61).
Command:    MLSD
Error:            The data connection could not be established: ECONNREFUSED - Connection refused by server

Asus Log:

Jun 13 21:53:56 kernel: ACCEPT IN=br0 OUT=br0 SRC=SOURCE_IP DST=192.168.1.26 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49259 DPT=1025 SEQ=2364610297 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A07D5F96D0000000004020000) MARK=0x1

2. When I tried to login from external network - it just times out during 'retrieving directory listing'

Status:          Connecting to MASKED_PUBLIC_IP:2021...
Status:          Connection established, waiting for welcome message...
Status:          Initializing TLS...
Status:          Verifying certificate...
Status:          TLS connection established.
Status:          Logged in
Status:          Retrieving directory listing...
Command:    PWD
Response:     257 "/" is the current directory
Command:    TYPE I
Response:     200 Type set to I
Command:    PASV
Response:     227 Entering Passive Mode (MASKED_PUBLIC_IP,220,191).
Command:    MLSD
Error:            Connection timed out after 20 seconds of inactivity

Asus log stated:

Jun 13 21:41:20 kernel: ACCEPT IN=eth0 OUT=br0 SRC=SOURCE_IP DST=192.168.1.26 LEN=64 TOS=0x08 PREC=0x20 TTL=51 ID=0 DF PROTO=TCP SPT=3357 DPT=1025 SEQ=1181126840 ACK=0 WINDOW=65535 RES=0x00 CWR ECE SYN URGP=0 OPT (0204058C010303050101080A07CAA4880000000004020000)

QNAP stated it logins successfully:

I have a suspicion this have been caused by Asus?

Thanks

 

[ColinTaylor]

The issue is caused by using SSL/TLS and switching to passive mode. Passive mode needs the router to forward additional ports which are randomly created. Because the traffic is encrypted the router has no way of knowing what ports are needed.

Look at the advanced options for the FTP server and see if it has anything related to passive mode ports. Sometimes there's an option to either use UPnP to open the ports, or restrict the range to something manageable that can be forwarded manually on the router.

EDIT: According to this QNAP document there are passive port settings under the advanced options. The default passive ports are 55536-56559 so these are the ports you need to forward on your router. To my mind a port range of 1024 is excessive. Merlin's FTPS server uses 30 ports by comparison, which is more sensible (unless you expect to have many users connected concurrently).