No remote FTP server access after static IP > DHCP change

himi · December 19, 2023, 3:03pm

Hi all,

I'm having a problem connecting to outside FTP servers. All was working fine before the requested change from ISP. They requested change from static IP to DHCP. So I changed it (Network > Interfaces > WAN > Edit > Protocol: DHCP client) and this was the only change I made. Everything else is working smoothly as before, the only problem is that I cannot get to any outside FTP server. I'm using Total Commander.

The router is Xiaomi Mi Router 4A Gigabit Edition running OpenWrt 23.05.2 r23630-842932a63d, Kernel Version 5.15.137. It was running v22.03.5, flashed it today but no change.

When connected to the router (wired or wireless) I tried several FTP servers, different PCs, also mobile .. always the same result.
Then I tried with my mobile using mobile data, it works fine. Created hotspot from my mobile and both PCs connected without a problem.
I even checked with ISP, provided them with a test login, they can connect no problem.

So the issue is in the router but I don't really know where to look and what should I change.

Below are the settings.

Many thanks!

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fda5:e7b3:d090::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.223'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option hostname '*'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# allow interoperability with traceroute classic
# note that traceroute uses a fixed port range, and depends on getting
# back ICMP Unreachables.  if we're operating in DROP mode, it won't
# work so we explicitly REJECT packets on these ports.
config rule
        option name             Support-UDP-Traceroute
        option src              wan
        option dest_port        33434:33689
        option proto            udp
        option family           ipv4
        option target           REJECT
        option enabled          false

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

frollic · December 19, 2023, 3:21pm

Checked both PASV and PORT mode ?

himi · December 19, 2023, 3:41pm

Yes, sorry forgot to mention that, tried both PASV and PORT modes.
See TC logs below. They show status 200 and "Connect ok!" but eventually it times out and I am not able to see dir structure or do anything. This only happens when connected through the router. When connected via mobile / mobile hotspot it's ok.

PORT mode

----------
Connect to: (19.12.2023 16:37:33)
hostname=XXX.XXX.XXX.XXX
username=myusername
startdir=
XXX.XXX.XXX.XXX=XXX.XXX.XXX.XXX
220 Welcome! Please note that all activity is logged.
USER myusername
331 Please specify the password.
PASS ***********
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
 UTF8
 EPRT
 EPSV
 MDTM
 PASV
 PBSZ
 PROT
 REST STREAM
 SIZE
 TVFS
211 End
HELP SITE
214-The following commands are recognized.
 ABOR ACCT ALLO APPE CDUP CWD  DELE EPRT EPSV FEAT HELP LIST MDTM MKD
 MODE NLST NOOP OPTS PASS PASV PORT PWD  QUIT REIN REST RETR RMD  RNFR
 RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
 XPWD XRMD
214 Help OK.
OPTS UTF8 ON
200 Always in UTF8 mode.
Connect ok!
PWD
257 "/" is the current directory
Get directory
TYPE A
200 Switching to ASCII mode.
PORT 192,168,1,157,241,193
OFFLINE4, no reply

PASV mode

----------
Connect to: (19.12.2023 16:38:06)
hostname=XXX.XXX.XXX.XXX
username=myusername
startdir=
XXX.XXX.XXX.XXX=XXX.XXX.XXX.XXX
220 Welcome! Please note that all activity is logged.
USER myusername
331 Please specify the password.
PASS ***********
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
 UTF8
 EPRT
 EPSV
 MDTM
 PASV
 PBSZ
 PROT
 REST STREAM
 SIZE
 TVFS
211 End
HELP SITE
214-The following commands are recognized.
 ABOR ACCT ALLO APPE CDUP CWD  DELE EPRT EPSV FEAT HELP LIST MDTM MKD
 MODE NLST NOOP OPTS PASS PASV PORT PWD  QUIT REIN REST RETR RMD  RNFR
 RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
 XPWD XRMD
214 Help OK.
OPTS UTF8 ON
200 Always in UTF8 mode.
Connect ok!
PWD
257 "/" is the current directory
Get directory
TYPE A
200 Switching to ASCII mode.
PASV
OFFLINE4, no reply

himi · December 19, 2023, 5:39pm

I was about to test some other tool than Total Commander .. just to be sure. But before doing so I tried last thing that came to mind. On connection settings there is "SSL/TLS" check box. By default it is not checked. When I checked it and tried to connect I was asked about the certificate, I allowed it and it connected with no problem!

I'm happy it works but I still wanna know why and when router is not allowing secure connections .. Any ideas?

frollic · December 19, 2023, 5:43pm

you're here, this site uses HTTPS, your router is allowing secure connections.

himi · December 19, 2023, 5:48pm

Why does it not work as before or as with any other connection (not via router)? Is there any settings for that?

lleachii · December 19, 2023, 5:49pm

This is WAN DHCP config is wrong, you don't issue IPs to users on the ISP network. The default is OK (just not sure how parameters got added to a disabled config):

config dhcp 'wan'            
        option interface 'wan' 
        option ignore '1'

Provide the output:

ifstatus wan

Redact sensitive information.

himi · December 19, 2023, 5:56pm

Hmm, that DHCP config is default OpenWRT, I did not change anything, just switched from static IP to DHCP. Should I change it / remove those three lines as you suggested?

ifstatus wan:

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 11541,
        "l3_device": "wan",
        "proto": "dhcp",
        "device": "wan",
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "XXX.XXX.12.73",
                        "mask": 16
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "XXX.XXX.0.1",
                        "source": "XXX.XXX.12.73/32"
                }
        ],
        "dns-server": [
                "XXX.XXX.XXX.120",
                "XXX.XXX.XXX.140"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {
                "dhcpserver": "XXX.XXX.0.1",
                "leasetime": 1800,
                "ntpserver": "XXX.XXX.202.100"
        }
}