Access port-forwarded local ftp via global IP from another local PC

Hi.
I have Linksys EA3500 with OpenWrt Designated Driver 50108 / LuCI Master (git-17.339.51318-de4c4b8) Kernel Version 4.4.14.

I've set up ftp on my local Raspberry Pi. I have a global static ip for my EA3500. I've set up 20 and 21 port forward to raspberry. FTP works fine when I access it via global ip from a device which is outside of my local network.
It is ok when I connect to it from my local PC using local ip.

Here is the problem:
I can connect via global IP and authenticate from a local device. But it fails to transfer files. I tried both active and passive modes. I use ProFTPD 1.3.5b. Passive ports are enabled and are being forwarded through the openwrt router.

Here is how it occurs. I log in from my macbook (192.168.1.192) in ftp active mode via terminal, I see the following:

...
ftp> pass
Passive mode off.
ftp> dir
500 Illegal PORT command
500 LPRT not understood
425 Unable to build data connection: Connection refused

On the side of Raspberry I see in logs:

Refused PORT 192,168,1,192,240,152 (address mismatch)

When I change to passive mode, it just terminates. Here is what I see on macbook:

ftp> pass
Passive mode on.
ftp> dir
450 LIST: Connection refused
227 Entering Passive Mode (192,168,1,200,6,39).
Passive mode address scan failure. Shouldn't happen!
500 LPSV not understood

And this is what happens on the side of Rasp (whose local ip is 192.168.1.200):

(OpenWrt.lan[192.168.1.1]): notice: user yicam1: aborting transfer: Data connection closed

Could you please help me to set up my openwrt router in such a way for me to be able to access it identically from both inside and outside of my local network?

Just two things first:

  • the ftp protocol is complex, difficult to firewall and plain-text / utterly insecure, it shouldn't be used over the internet (unless for anonymous file servers publishing public data, drivers, software, etc.); if you think about user accounts, ftp is not the answer (anymore)
  • Designated Driver is an ancient, obsolete and unreleased random development state of 6 years ago (and coming out of turbulent times), it's insecure and shouldn't be used<fullstop>; upgrade as quickly as possible, now. Aside from the security issue, barely anyone wants to debug half a decade old software, nor remembers the quirks around it.

Thank you. I want my cameras to upload data via ftp. Cameras will be located in different networks. This functionality is built in. This is the simplest way to collect video.

Solution is to set up internal DNS rules. I've set manual dns rule - to resolve domain name to internal ip of the router.
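
Added example (not part of the thread and not ProFTPD's code): it decodes the PORT and 227 values quoted in the question and applies a simplified peer-address comparison of the kind the "address mismatch" log message points to. The function names are hypothetical, and 203.0.113.10 is a constructed placeholder for the router's global IP.

```python
import re

# Six comma-separated numbers h1,h2,h3,h4,p1,p2 as used by PORT and 227 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT argument, a 227 reply or a log line."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def port_matches_peer(port_line, control_peer):
    """Simplified model (assumption): a server accepts PORT only when the
    address inside it equals the peer address of the control connection."""
    addr, _ = decode_hostport(port_line)
    return addr == control_peer


def pasv_matches_server(reply_227, server_addr_dialed):
    """True when the 227 address equals the address the client dialed."""
    addr, _ = decode_hostport(reply_227)
    return addr == server_addr_dialed


if __name__ == "__main__":
    # Values taken from the logs in the question.
    port_log = "Refused PORT 192,168,1,192,240,152 (address mismatch)"
    reply = "227 Entering Passive Mode (192,168,1,200,6,39)."
    print(decode_hostport(port_log))   # client asks for data on its LAN address
    # The server log shows the control peer as OpenWrt.lan[192.168.1.1].
    print("via global IP:", port_matches_peer(port_log, "192.168.1.1"))
    print("direct on LAN:", port_matches_peer(port_log, "192.168.1.192"))
    print(decode_hostport(reply))      # server advertises its LAN address
    # Constructed placeholder for the global IP the client connected to.
    print("227 vs dialed:", pasv_matches_server(reply, "203.0.113.10"))
```

When the name resolves to a LAN address, the address the client dials and the addresses carried inside the FTP commands are all on the same network, so the comparisons above no longer disagree.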