D-Link Forums

The Graveyard - Products No Longer Supported => DNS-323 => D-Link Storage => Beta code! => Topic started by: gunrunnerjohn on December 29, 2009, 06:23:05 AM

Title: Secure FTP
Post by: gunrunnerjohn on December 29, 2009, 06:23:05 AM
Has anyone gotten the Secure FTP working with the current beta?  I can log in fine with secure FTP over the local LAN; however, coming from the outside it fails after connecting, on the directory listing.

I get as far as trying to get a directory listing, and then it fails.  I've forwarded ports 21, 22, 990, and the default passive range of 55536-55663.

I'm hoping this is something stupid that I've missed. :)



Quote
Status:   Resolving address of bogus.serveftp.net
Status:   Connecting to 98.114.45.241:21...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 2 of 5 allowed.
Response:   220-Local time is now 08:59. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER bogus
Status:   TLS/SSL connection established.
Response:   331 User bogus OK. Password required
Command:   PASS ********
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (98,114,45,241,217,80)
Command:   MLSD
Error:   Connection timed out
Error:   Failed to retrieve directory listing
Title: Re: Secure FTP
Post by: DocD on December 29, 2009, 10:29:55 AM
Hi gunrunnerjohn...
Try forwarding TCP port 989 as well.  Some FTPS implementations use this for data, similar to 990 for control.  (I haven't tried this myself - I won't be able to test this until next week).
-DocD
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 29, 2009, 10:30:48 AM
I put the DNS-323 in the DMZ of the router, no change.  Obviously, it's not just port forwarding...
Title: Re: Secure FTP
Post by: DocD on December 29, 2009, 01:30:09 PM
You might want to try Shields Up!! and see if there is something going on with your ISP.  Alternatively, I've had nothing but grief from 2Wire modem/routers while working with both standard and non-standard ports.  Even with a computer on the DMZ side, there is some blocking going on that I was never able to switch off.  Perhaps I was missing something - but I went back to a Speedstream (DSL) or D-Link (cable) modem and a router behind it.
Shields Up!! is at Gibson Research...  https://www.grc.com/x/ne.dll?bh0bkyd2, but you probably know about them already.
-DocD
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 29, 2009, 01:32:43 PM
I did go to shields up, and predictably when I had the NAS in the DMZ, there were LOTS of ports that were closed (not stealth).  Only port 21 was open.
Title: Re: Secure FTP
Post by: DocD on December 29, 2009, 01:49:02 PM
Hi gunrunnerjohn...
Forgive me for asking, but wouldn't you need to put your PC (that's running ShieldsUp!!) in the DMZ zone to see if the ports of interest are open?  I was thinking of using ShieldsUp!! to verify that nothing unusual is happening at the ISP (or the DMZ) with FTPS ports 990 and 989 (along with checking a few of the passive ports...).
-DocD

Admittedly, it's not something I would want to be keeping exposed for long...
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 29, 2009, 03:41:28 PM
Quote
Forgive me for asking, but wouldn't you need to put your PC (that's running ShieldsUp!!) in the DMZ zone to see if the ports of interest are open?

Nope.  The ports are on the WAN side of the NAT layer, and the DNS-323 is where they're pointing.  The FTP server isn't running on my PC, right? ;)
Title: Re: Secure FTP
Post by: DocD on December 29, 2009, 04:30:40 PM
True enough - but Shields Up!! is probing the ports for a connection to your PC, not the NAS.  Unless I misunderstand how ShieldsUp!! works. ::)

I ran a quick test with my local NAS.  I probed 990 with SSL/TLS enabled on the NAS - 990 port forwarded to the NAS, ShieldsUp!! reports it closed.  I then probed 990 port forwarded to my PC, ShieldsUp!! reports stealth.  At this point, I can conclude that my ISP (between Gibson Research and me) isn't doing something funky with port 990 and my router is letting the traffic through with port forwarding.  I can't say anything about how the NAS receives port 990 from grc.com.  From your original posts -
Quote
I can login fine with secure FTP over the local LAN
and
Quote
I put the DNS-323 in the DMZ of the router, no change.
it seems that the finger is pointing to the ISP - but I still don't trust the router's DMZ to be completely free - at least with some mfr's...  Although I admit to being jaded by past experience  ;D

I've heard of RoadRunner fiddling around with the FTP ports (20,21)...

-DocD
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 29, 2009, 04:39:33 PM
There has to be something about the local and remote that I'm missing, hard to believe this is the ISP.  The reason is, from a truly remote location or just using the NAT loopback on the router, I have the same failure.  Also, port 21 works fine, I can come in with standard FTP with no issues, it's just the secure mode that I can't get working.
Title: Re: Secure FTP
Post by: DocD on December 29, 2009, 06:15:32 PM
I can't believe it's the ISP either - I'm scratching my head...  ???
Especially since normal FTP works fine...

I've been playing around with my remote NAS in a different city.  I'm using FileZilla and my connection is working only with Explicit FTPS (a.k.a. FTPES).  Implicit FTPS does not work.
Quote
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 21:09. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER bogus
Status:   TLS/SSL connection established.
Response:   331 User bogus OK. Password required
Command:   PASS ********
Response:   230 OK. Current restricted directory is /
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (192,168,0,1,217,12)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 1 matches total
Status:   Directory listing successful
Status:   Disconnected from server

One setting I needed to make sure in FileZilla was that the external IP address was being used (one of the settings in the passive mode options)...

I guess there is a "proof" concept that it works...  Does this help you at all?
-DocD
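
The two FileZilla logs quoted so far can be checked mechanically. The following is an added example, not part of any post in this thread: it decodes each `227` passive reply into an address and port, tests the port against the forwarded range from the first post, and reads the `PROT P` answer to see whether the data channel is protected. The function names are hypothetical and the log excerpts are constructed from the lines quoted above.

```python
import ipaddress
import re

# Constructed samples: only the decisive lines of the two FileZilla logs quoted in this thread.
LOG_FAILING = """\
Command:   PROT P
Response:   534 Fallback to [C]
Command:   PASV
Response:   227 Entering Passive Mode (98,114,45,241,217,80)
Command:   MLSD
Error:   Connection timed out
"""
LOG_WORKING = """\
Command:   PROT P
Response:   534 Fallback to [C]
Command:   PASV
Response:   227 Entering Passive Mode (192,168,0,1,217,12)
Command:   MLSD
Response:   150 Accepted data connection
"""

# The passive range the first post says was forwarded on the router.
FORWARDED_RANGE = (55536, 55663)
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); the port is p1 * 256 + p2 (RFC 959)."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None  # malformed octet, not a usable endpoint
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def analyze(log, forwarded=FORWARDED_RANGE):
    """Hypothetical helper: summarise what the log says about the data channel."""
    result = {"pasv": None, "port_forwarded": None,
              "address_private": None, "data_encrypted": None}
    last_cmd = []
    for line in log.splitlines():
        kind, _, text = line.partition(":")
        text = text.strip()
        if kind == "Command":
            last_cmd = text.upper().split()
        elif kind == "Response":
            if last_cmd[:1] == ["PROT"]:
                # Only "200" in answer to "PROT P" means a TLS-protected data channel;
                # 534 means the server refused and transfers stay in the clear.
                result["data_encrypted"] = last_cmd[1:] == ["P"] and text.startswith("200")
            endpoint = parse_pasv(text)
            if endpoint:
                ip, port = endpoint
                result["pasv"] = endpoint
                result["port_forwarded"] = forwarded[0] <= port <= forwarded[1]
                # A private address here is unreachable from outside unless the
                # client substitutes the server's public address, as FileZilla did.
                result["address_private"] = ipaddress.ip_address(ip).is_private
    return result


if __name__ == "__main__":
    for name, log in (("failing", LOG_FAILING), ("working", LOG_WORKING)):
        print(name, analyze(log))
```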



Title: Re: Secure FTP
Post by: gunrunnerjohn on December 30, 2009, 05:32:26 AM
I have those settings enabled, so I'm not sure what else I can do in the unit to change the behavior.  It's hard to believe this is a Verizon issue, though it may well be.

(http://i726.photobucket.com/albums/ww264/gunrunnerjohn/Misc%20Graphics/secureFTP.jpg)
Title: Re: Secure FTP
Post by: mas110 on December 30, 2009, 06:21:25 AM
Hi, I have a question.  I assume the "External IP" shown in the above figure is the IP assigned by your ISP.  Most ISPs use dynamic IP addresses, which means your external IP would change over time.  Do you have to go to the configuration utility and keep changing this line (External IP) every time?
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 30, 2009, 06:47:28 AM
The external IP address is snagged by the NAS, probably from the DynDNS client that is running in the box.
Title: Re: Secure FTP
Post by: mas110 on December 30, 2009, 08:10:45 AM
I originally set up my DynDNS client in the router.  I have read a couple of threads about the DNS-323 issues with the update of DynDNS (possibly previous versions) that updated too often and caused people to be banned from the server.  Therefore, I set it up in the router and have had no problem so far.  I assume that by upgrading to the Beta version and using the Passive FTP, I have to cancel the DynDNS in the router and set it up in the DNS-323.
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 30, 2009, 08:19:05 AM
I tried the DynDNS client in several D-Link routers, but they had issues of renewing the account.  So far, the DNS-323 has worked fine, and it appears it is renewing the client, so that's good. :)

I like having it there, since that's on all the time, the computers snooze much of the time.
Title: Re: Secure FTP
Post by: mas110 on December 30, 2009, 08:25:53 AM
Hopefully, you can find an answer to your problem and please let us know as well.  I am having similar issues.
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 30, 2009, 08:31:10 AM
There must be something silly I'm missing, just don't know what it is. :D
Title: Re: Secure FTP
Post by: DocD on December 30, 2009, 09:18:30 PM
Hi gunrunnerjohn,

Your NAS box settings look like a duplicate of mine.  Out of curiosity, what FTP client are you using?  With FileZilla, I can consistently connect with TLS enabled.

Two settings are critical, however...
1)  FTPS must be defined as "explicit" - shown below:
(http://ye-olde-alchemist.com/fileZilla1.jpg)
2)  In the passive FTP settings options (in the client), the external IP option must be selected (shown below)
(http://ye-olde-alchemist.com/fileZilla2.jpg)

Everything else was pretty much the default settings for a passive FTP setup.

Hangeth in there...  ;)
-DocD
Title: Re: Secure FTP
Post by: mas110 on December 30, 2009, 09:36:42 PM
Hi
It is possible that the external IP address in DynDNS is the issue, if you use it.  I installed the new bin (ver 1.08) and could finally make it work with net2ftp.com in passive mode with SSL.  I have not yet tried it with a standalone FTP client (such as FileZilla), I can try it tomorrow morning in the office.  I logged in to my DynDNS server (which is dlinkddns.com) and the IP was not correct.  It showed the internal IP of the DNS-323 as the external IP.  Apparently, the DNS-323 was not updating the real external IP to the server and was sending the internal IP to the server.  I disabled the feature in the DNS-323 and put it back in the router.  It is working fine now.

The question is, does anybody else have this problem (DNS feature not providing the correct external IP address to the DynDNS server)?  If the answer is yes, then the solution is to put the feature in the router to update the DynDNS server correctly.

If the above is confirmed and we end up disabling the DNS in the DNS-323, how would the "external IP" line in the FTP section of the Web UI update itself?

Title: Re: Secure FTP
Post by: gunrunnerjohn on December 31, 2009, 07:39:55 AM
I'm using FileZilla and I have the above settings.  I'm beginning to think there may be some issue with my router passing the proper data.  Since it's a Verizon FiOS router, and it also controls my TV guide and On-Demand, I can't really lose the router.

I'm going to have to fire up WireShark and see what is actually going on and see if I can find out where this is going bad.



Title: Re: Secure FTP
Post by: mas110 on December 31, 2009, 10:23:10 AM
Hi gunrunnerjohn
What about the Dyn DNS server?  Does your DNS-323 update/provide the correct external IP address to the DynDNS server or, like mine, was it a wrong address?  Have you logged in to your account in the DynDNS to verify it?
Title: Re: Secure FTP
Post by: gunrunnerjohn on December 31, 2009, 10:36:30 AM
The DynDNS is working properly, and the address they have is really my address here. :)
Title: Re: Secure FTP
Post by: mas110 on December 31, 2009, 12:09:13 PM
I am surprised why the DDNS feature is not working properly in my DNS-323 (sending wrong IP address to DynDNS).  I had to disable it in DNS-323 and put it in my Linksys router.

Just to let you know.  I tried my home FTP (DNS-323) from the office today.  I tested four different clients as below:

1 - www.net2ftp.com: it worked fine under SSL as last night from home

2 - WinSCP for U3:  It did not work at all

3 - FireFTP (an add-on to Mozilla Firefox in U3):  It worked only under "Auth TLS".  It worked fine.  The two other methods "Auth SSL" and "Implicit SSL" did not work.

4 - FileZilla for U3: It worked fine only under "FTP over TLS".  The other two methods of "FTP over SSL" did not work.  However, the setting menu is different than what DocD has shown above.  Maybe mine is different as it is for U3.  The pictures shown by DocD might be for standard FileZilla, not the U3.

Title: Re: Secure FTP
Post by: gunrunnerjohn on December 31, 2009, 12:44:30 PM
I'm getting the idea that maybe I'm not destined to have secure FTP working here. :)

I'm thinking of looking for a 3rd party add-on for SFTP, which seems to be more common than FTP over SSL, which seems to be what the DNS-323 is offering.  It also bothers me that even when I run locally, it switches over to clear mode for the file transfer, I'd like all of the transaction to be encrypted.
Title: Re: Secure FTP
Post by: mas110 on January 20, 2010, 08:27:00 AM

Hi gunrunnerjohn

I am wondering if you could solve your problem.  As I noted before, it was working for me after removing the Dyn DNS update feature from DNS-323 and put it back in my router.  Since then, the secure FTP was working for me with the FileZilla and the setting recommended by DocD above.

However, I moved to a new office and the FTP is not working with FileZilla any more.  I get the following message.

Status:   Connection attempt failed with "ECONNREFUSED - Connection refused by server".


Nothing has changed, same setting in DNS-323 and same setting in FileZilla, I just do not understand.  It might have something to do with being in a new office.  Any idea?
Title: Re: Secure FTP
Post by: gunrunnerjohn on January 20, 2010, 08:36:16 AM
Probably something in the network topology at the new location.  I still haven't gotten secure FTP to work here through my Verizon FiOS connection, don't know why.  I get logged in, but FileZilla can't get a directory listing.

I've dropped back to standard FTP, and I only enable the server when I need it.  Not an ideal solution, and I'm still looking for a better way to do this.
Title: Re: Secure FTP
Post by: mas110 on January 21, 2010, 09:19:39 AM
Have you tried checking the Dynamic DNS?  In my case, when I enabled the Dyn DNS in the DNS-323, it caused the problem.  During the initial connection it was OK, however, it could not get the directory list.  I went to the Dyn DNS web site (in my case Dlink.ddns.com) and noticed that my IP address was wrong.  Apparently, when the FTP server is called, it screws up the IP address and sends the local IP address of the DNS-323 to the website.  I suggest you try to connect to the FTP server by using FileZilla, however, this time enter your IP address directly (e.g., 209.34.......), instead of the Dyn DNS link.  Try it if you have not done that before.
Title: Re: Secure FTP
Post by: gunrunnerjohn on January 21, 2010, 10:42:26 AM
Well, my IP address at DynDNS is correct, and if you look at the log in my first message, it has the correct public IP address.  It certainly appears that this is OK.
Title: Re: Secure FTP
Post by: Buhric on January 21, 2010, 01:06:28 PM
Quote
I get as far as trying to get a directory listing, and then it fails.  I've forwarded ports 21, 22, 990, and the default passive range of 55536-55663.

I don't know much about Secured FTP, but I noticed something...
Could your issue be port related?  I see that it times out after setting the passive ports
and the ports set are NOT in your PASV port range...

I don't think your issue is IP related since it "connects" to the server fine and authenticates you.
The connection times out after trying to get the file list...

Try "forcing" the passive port range to 55536-55663 instead of using "default"
Title: Re: Secure FTP
Post by: gunrunnerjohn on January 21, 2010, 02:35:33 PM
What would be the difference between using the default and forcing it.  I wondered about that, since they specify the same port ranges!  ???

FWIW, standard FTP works fine remotely.
Title: Re: Secure FTP
Post by: Buhric on January 21, 2010, 10:52:28 PM
Not quite sure... should be the same thing...
but, hey, I've seen stranger things with this firmware....

I personally never used / set up a Secured FTP server... just standard FTP

But I just did some testing... enabling FTP and putting the checkmark in SSL/TLS
And I tried connecting with CuteFTP locally and it worked fine when using my 192.168.xxx.xxx address
So I tried again from inside my network, but using my external IP, and it worked fine again....
At some point it even substituted my PASV address from my internal 192.168.xxx.xxx to my external IP
So on to the next point... tried accessing my FTP from an external site using my DNS name (DynDNS.org)
and it also worked fine.

The only difference I saw is that my FTP Client never used the MLSD command
just the LIST command.

I'm using CuteFTP 8.0 Pro.... not sure how to make it use MLSD instead of LIST....
Title: Re: Secure FTP
Post by: jolley on January 22, 2010, 05:12:18 AM
Not sure whether it's related or not but my secure FTP would not work until I checked the SSL/TLS box.
It continued to work after unchecking the box again.
Title: Re: Secure FTP
Post by: gunrunnerjohn on January 22, 2010, 05:52:06 AM
If you don't check the SSL/TLS on the DNS-323, you aren't using secure FTP.
Title: Re: Secure FTP
Post by: jolley on January 22, 2010, 01:01:21 PM
Sorry to disagree, but I think I am. The checkbox says allow SSL/TLS ONLY, which I assume means do not allow unsecure FTP. With the box unticked I can connect both secure and unsecure using FileZilla remotely and locally.

First I connect unsecure using servertype: FTP Transfer Protocol

Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 20:43. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 10 minutes of inactivity.
Command:   USER ******
Response:   331 User ****** OK. Password required
Command:   PASS ******

Then I connect secure using servertype: FTPES - FTP over explicit TLS/SSL

Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 20:44. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 10 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER ******
Status:   TLS/SSL connection established.
Response:   331 User ****** OK. Password required
Command:   PASS ******

When I connect securely I get a message box with the RSA 2048 bit certificate. Like I get with other SFTP sites.
Title: Re: Secure FTP
Post by: gunrunnerjohn on January 22, 2010, 01:41:13 PM
Well, the whole point of the exercise was to require secure connections, at least for me. :) 
Title: Re: Secure FTP
Post by: DocD on January 23, 2010, 08:25:14 PM
Quote
I get as far as trying to get a directory listing, and then it fails.  I've forwarded ports 21, 22, 990, and the default passive range of 55536-55663.

I'll take one more stab at this  :D...
I may have alluded to it some time back, but not sure if I asked the question - did you ever forward port 989 on your router?  For secure FTP, IIRC, 990 is control and 989 is data.  Worth a shot...

-DocD
Title: Re: Secure FTP
Post by: gunrunnerjohn on January 24, 2010, 06:53:29 AM
I put the DNS-323 in the DMZ of the router, it still didn't work. :)
Title: Re: Secure FTP
Post by: DocD on January 24, 2010, 07:55:53 PM
I remember you trying that.  Still, my client had a 2Wire router that I was trying to do a Remote Assistance session with.  Even though the client put their computer in the DMZ, the ports were not open and I could not connect.  We got it to work on occasion by rebooting the router after every change - but it was not consistent.  We ended up replacing the bugger with an older D-Link Wireless-G router - one not supplied by the telco.  Not a single problem since - I can connect upon invitation and the client is happy.

Not sure if opening the port would work - but based on my 2Wire & ATT DSL experience, unless I have access to the vendor screens, I'm not sure what blocking is going on.  My experience has been that the DMZ is open for common ports - but is it open for everything?  It's supposed to be - but depending on the vendor (2Wire is a prime example) - I'm not so sure anymore...  ???

Of course, your mileage may vary...  I'll put away my soapbox now... :D

-DocD
Title: Re: Secure FTP
Post by: gunrunnerjohn on January 25, 2010, 07:36:30 AM
The problem with replacing my router is that I have FiOS TV, and the router provides the Guide and On Demand features, so a replacement isn't in the cards.