Problem with FTP and PASV


I have an FTP server in my DMZ. I can access it from my networks, but I can't from an external IP.

Statut :	Connexion à xx:21…
Statut :	Connexion établie, attente du message d’accueil…
Statut :	Initialisation de TLS…
Statut :	Connexion TLS établie.
Statut :	Connecté
Statut :	Récupération du contenu du dossier…
Commande :	PWD
Réponse :	257 "/" is current directory.
Commande :	TYPE I
Réponse :	200 Type set to I.
Commande :	PASV
Réponse :	227 Entering Passive Mode (xx,xx,xx,xx,218,45)
Commande :	MLSD
Erreur :	Connection interrompue après 20 secondes d’inactivité
Erreur :	Impossible de récupérer le contenu du dossier

My firewall:

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option name 'FTP - PASV'
        list proto 'tcp'
        option src 'WAN'
        option src_dport '55536-55899'
        option dest_ip ''

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option src 'WAN'
        option dest_ip ''
        option name 'FTP'
        option src_dport '21'
        option dest_port '21'
        list proto 'tcp'

My FTP server on Synology:

Do you get a publicly visible IPv4 address from your ISP?

You have not enabled the ftp helper in the redirect.

Where? With port 21 or 55536-55899?

The first redirect for the port range is not needed, it is covered by the ftp helper in the second redirect for port 21.

[SOLVED] FTP port forward - #2 by vgaetera

Like this:

config redirect
        option dest 'DMZ'
        option target 'DNAT'
        option src 'WAN'
        option dest_ip ''
        option name 'FTP'
        option src_dport '21'
        option dest_port '21'
        list proto 'tcp'
        option helper 'ftp'

I have already done:

opkg update
opkg install kmod-nf-nathelper
service firewall restart

Yes, correct.

Now it's refused:

Statut :	Connexion à xxx:21…
Statut :	Échec de la tentative de connexion avec « ECONNREFUSED - Connexion refusée par le serveur ».
Erreur :	Impossible d’établir une connexion au serveur

Check that you are pointing to the correct public IP address. Most likely it changed and you are trying on someone else's router.

Where can I see that?

Compare the wan IP of OpenWrt router with the IP the client is using.

**Protocol:** DHCP client
**Address:** 82.66.85.XXX/24

And with FileZilla:

Connexion à 82.66.85.XXX:21

It's the same, no?

If the fourth octet is also the same, then yes.
Do you see hits on the ftp rule in the firewall status? (Status - Firewall)

I have this in "Rules container chain "dstnat_WAN"": :neutral_face:

Rule comment: FTP
0 B
Traffic matched by rule: 0 Packets, 0 Bytes
Address family is IPv4, TCP destination port is 21, ct.helper is ftp	Rewrite destination to, port 21

and:

Rule comment: FTP (reflection)
Source IP is IP is 82.66.85.XX, TCP destination port is 21, ct.helper is ftp	Rewrite destination to, port 21

It's my IP

If there are no matches on the rule, it means that the packets never reach the firewall.
You can verify with a tcpdump which captures the packets on the cable before they reach the firewall.
Then you'd need to check with the equipment before OpenWrt (some other router or your ISP).

It's very difficult to forward a basic ftp :neutral_face:

It is not basic if you are using different ports for the data.
You can change to sftp which only uses one port and it is secure.

OK, with the ftp helper I don't get any packets in tcpdump. Without it, my NAS can see the request.

What can I do now?

What @trendy said: switch to sftp, or use port mode on the FTP.
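
Added example, not part of the thread or any poster's code: a Python check that decodes a `227 Entering Passive Mode` reply like the one in the first log and tests the advertised data endpoint against the forwarded range `55536-55899` from the 'FTP - PASV' redirect. The function names and the sample addresses (203.0.113.10 standing in for the redacted public IP, 192.168.10.5 for a DMZ host) are assumptions made for illustration.

```python
import ipaddress
import re

# Passive range forwarded by the thread's 'FTP - PASV' redirect (src_dport).
FORWARDED_RANGE = (55536, 55899)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\b227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")
# With a TLS-protected control channel (as in the first log) only the client
# sees this reply in clear; a NAT helper on the router cannot parse it.


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply of the form (h1,h2,h3,h4,p1,p2)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(x) for x in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError(f"field out of range in: {reply!r}")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_pasv(reply, control_ip, port_range=FORWARDED_RANGE):
    """Return (ip, port, problems) for a client that connected to control_ip."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{ip} is an RFC 1918 address, unreachable from the WAN")
    elif ip != ipaddress.IPv4Address(control_ip):
        problems.append(f"{ip} differs from the control address {control_ip}")
    if not port_range[0] <= port <= port_range[1]:
        problems.append(f"port {port} is outside the forwarded range "
                        f"{port_range[0]}-{port_range[1]}")
    return ip, port, problems


if __name__ == "__main__":
    # Constructed replies; only the port fields 218,45 come from the thread's log.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,218,45)",
        "227 Entering Passive Mode (192,168,10,5,195,80)",
    ]
    for line in samples:
        ip, port, problems = check_pasv(line, control_ip="203.0.113.10")
        print(f"{ip}:{port} ->", "; ".join(problems) or "ok")
```

The port fields `218,45` from the log decode to 55853, which is inside the forwarded range, so a check like this points away from the range itself and toward the advertised address or the path to the router.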