Problems getting passive FTP to work

I recently upgraded my TP-Link WR842ND from OpenWRT 15.05.1 to LEDE 17.01. Works fine, except for passive FTP, which does not work on any site. FileZilla gives the response 'ECONNREFUSED - Verbindung durch Server verweigert'.

I made an image using the image builder, to include some custom packages. The image was created with:

make image PROFILE=tl-wr842n-v1 PACKAGES="kmod-usb-core kmod-usb-ohci kmod-usb2 kmod-usb-ledtrig-usbport luci-proto-3g luci-ssl kmod-usb-serial usb-modeswitch kmod-usb-serial-option kmod-usb-ohci luci-app-ntpc luci-i18n-base-de luci-i18n-firewall-de luci-i18n-ntpc-de luci-i18n-diag-core-de luci-app-mwan3 luci-app-sqm mini_snmpd"

I flashed the sysupgrade image without keeping the config. I copied over /etc/config/firewall afterwards, though. The (IMHO) relevant section looks like this:

config defaults
	option synflood_protect '1'
	option disable_ipv6 '1'
	option drop_invalid '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option conntrack '1'
	option mtu_fix '1'
	option network 'wan UMTS umts'

config forwarding
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'

config rule
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-request'
	list icmp_type 'time-exceeded'
	list icmp_type 'parameter-problem'
	option limit '1000/sec'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'
	option proto 'tcp'
	list dest_port '20'
	list dest_port '21'
	list dest_port ...
	option target 'ACCEPT'

I have verified that the iptables-mod-conntrack package is installed; lsmod says that nf_conntrack* and xt_conntrack are loaded.

What can I do?

Thanks,
Andreas

It's best to start from scratch again and add your rules one by one. Stock firewall rules have been altered (if ever so slightly) from 15.05, so you may well have overwritten them with old defaults and messed things up.

Reset your box, passive FTP works OOTB just fine.
If you want active working, you need the nf-nathelper package.

This obviously won't work if you have double NAT or CGNAT.
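
An added illustration, not part of either post: the sketch below parses the host/port field FTP sends on the control channel (the RFC 959 `PORT` command and `227` reply) to show which side opens the data connection in each mode, and why active mode behind NAT depends on the address being rewritten. The function names, the constructed sample lines and the `allowed_ports` default (the two ports visible in the posted rule) are assumptions.

```python
import ipaddress
import re

# Ranges the Internet cannot reach without NAT rewriting: RFC 1918 private
# space plus the RFC 6598 shared range used by carrier-grade NAT.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Extract (ip, port) from a 'PORT h1,h2,h3,h4,p1,p2' command or a 227 reply."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % line)
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def analyse(line, allowed_ports=(20, 21)):
    """Describe the data connection that one control-channel line sets up."""
    ip, port = parse_hostport(line)
    active = line.upper().startswith("PORT")
    return {
        "mode": "active" if active else "passive",
        # Active: the server connects back in. Passive: the client connects out.
        "initiator": "server" if active else "client",
        "endpoint": (str(ip), port),
        # Active mode: an unroutable address in PORT must be rewritten by NAT.
        "needs_nat_rewrite": active and any(ip in net for net in NON_ROUTABLE),
        # Whether a fixed destination-port list would match the data port.
        "in_port_list": port in allowed_ports,
    }


# Constructed sample lines (documentation addresses, not captured traffic).
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",
    "PORT 192,168,1,50,200,21",
    "PORT 100,64,3,7,4,1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", analyse(s))
```

In the passive sample the client's outbound data connection goes to a server-chosen port outside a 20/21 list, so it relies on the unrestricted lan-to-wan forwarding; in the active samples the announced address is unroutable, and an address in 100.64.0.0/10 stays unroutable even after one layer of NAT has rewritten it.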