Author Topic: Secure FTP  (Read 27127 times)

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Secure FTP
« on: December 29, 2009, 06:23:05 AM »

Has anyone gotten the Secure FTP working with the current beta?  I can login fine with secure FTP over the local LAN, however coming from the outside it fails after connecting on the directory listing.

I get as far as trying to get a directory listing, and then it fails.  I've forwarded ports 21, 22, 990, and the default passive range of 55536-55663.

I'm hoping this is something stupid that I've missed. :)



Quote
Status:   Resolving address of bogus.serveftp.net
Status:   Connecting to 98.114.45.241:21...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 2 of 5 allowed.
Response:   220-Local time is now 08:59. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER bogus
Status:   TLS/SSL connection established.
Response:   331 User bogus OK. Password required
Command:   PASS ********
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (98,114,45,241,217,80)
Command:   MLSD
Error:   Connection timed out
Error:   Failed to retrieve directory listing
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

DocD

  • Level 1 Member
  • *
  • Posts: 21
Re: Secure FTP
« Reply #1 on: December 29, 2009, 10:29:55 AM »

Hi gunrunnerjohn...
Try forwarding TCP port 989 as well.  Some FTPS implementations use this for data, similar to 990 for control.  (I haven't tried this myself - I won't be able to test this until next week).
-DocD
2x DNS-323 - both with Firmware 1.08 w/ 2x WD Caviar Green 1T RAID 1 in each

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: Secure FTP
« Reply #2 on: December 29, 2009, 10:30:48 AM »

I put the DNS-323 in the DMZ of the router, no change.  Obviously, it's not just port forwarding...

DocD

  • Level 1 Member
  • *
  • Posts: 21
Re: Secure FTP
« Reply #3 on: December 29, 2009, 01:30:09 PM »

You might want to try Shields Up!! and see if there is something going on with your ISP.  Alternatively, I've had nothing but grief from 2Wire modem/routers while working with both standard and non-standard ports.  Even with a computer on the DMZ side, there is some blocking going on that I was never able to switch off.  Perhaps I was missing something - but I went back to a Speedstream (DSL) or D-Link (cable) modem and a router behind it.
Shields Up!! is at Gibson Research...  https://www.grc.com/x/ne.dll?bh0bkyd2, but you probably know about them already.
-DocD
« Last Edit: December 29, 2009, 01:41:49 PM by DocD »

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: Secure FTP
« Reply #4 on: December 29, 2009, 01:32:43 PM »

I did go to shields up, and predictably when I had the NAS in the DMZ, there were LOTS of ports that were closed (not stealth).  Only port 21 was open.

DocD

  • Level 1 Member
  • *
  • Posts: 21
Re: Secure FTP
« Reply #5 on: December 29, 2009, 01:49:02 PM »

Hi gunrunnerjohn...
Forgive me for asking, but wouldn't you need to put your PC (that's running ShieldsUp!!) in the DMZ zone to see if the ports of interest are open?  I was thinking of using ShieldsUp!! to verify that nothing unusual is happening at the ISP (or the DMZ) with FTPS ports 990 and 989 (along with checking a few of the passive ports...).
-DocD

Admittedly, it's not something I would want to be keeping exposed for long...
« Last Edit: December 29, 2009, 01:54:40 PM by DocD »

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: Secure FTP
« Reply #6 on: December 29, 2009, 03:41:28 PM »

Quote
Forgive me for asking, but wouldn't you need to put your PC (that's running ShieldsUp!!) in the DMZ zone to see if the ports of interest are open?

Nope.  The ports are on the WAN side of the NAT layer, and the DNS-323 is where they're pointing.  The FTP server isn't running on my PC, right? ;)

DocD

  • Level 1 Member
  • *
  • Posts: 21
Re: Secure FTP
« Reply #7 on: December 29, 2009, 04:30:40 PM »

True enough - but Shields Up!! is probing the ports for a connection to your PC, not the NAS.  Unless I misunderstand how ShieldsUp!! works. ::)

I ran a quick test with my local NAS.  I probed 990 with SSL/TLS enabled on the NAS - 990 port forwarded to the NAS, ShieldsUp!! reports it closed.  I then probed 990 port forwarded to my PC, ShieldsUp!! reports stealth.  At this point, I can conclude that my ISP (between Gibson Research and me) isn't doing something funky with port 990 and my router is letting the traffic through with port forwarding.  I can't say anything about how the NAS receives port 990 from grc.com.  From your original posts -
Quote
I can login fine with secure FTP over the local LAN
and
Quote
I put the DNS-323 in the DMZ of the router, no change.
it seems that the finger is pointing to the ISP - but I still don't trust the router's DMZ to be completely free - at least with some mfr's...  Although I admit to being jaded by past experience  ;D

I've heard of RoadRunner fiddling around with the FTP ports (20,21)...

-DocD

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: Secure FTP
« Reply #8 on: December 29, 2009, 04:39:33 PM »

There has to be something about the local and remote that I'm missing, hard to believe this is the ISP.  The reason is, from a truly remote location or just using the NAT loopback on the router, I have the same failure.  Also, port 21 works fine, I can come in with standard FTP with no issues, it's just the secure mode that I can't get working.

DocD

  • Level 1 Member
  • *
  • Posts: 21
Re: Secure FTP
« Reply #9 on: December 29, 2009, 06:15:32 PM »

I can't believe it's the ISP either - I'm scratching my head...  ???
Especially since normal FTP works fine...

I've been playing around with my remote NAS in a different city.  I'm using FileZilla and my connection is working only with Explicit FTPS (a.k.a. FTPES).  Implicit FTPS does not work.
Quote
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 21:09. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 5 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER bogus
Status:   TLS/SSL connection established.
Response:   331 User bogus OK. Password required
Command:   PASS ********
Response:   230 OK. Current restricted directory is /
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (192,168,0,1,217,12)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 1 matches total
Status:   Directory listing successful
Status:   Disconnected from server

One setting I needed to make sure in FileZilla was that the external IP address was being used (one of the settings in the passive mode options)...

I guess there is a "proof" concept that it works...  Does this help you at all?
-DocD
2x DNS-323 - both with Firmware 1.08 w/ 2x WD Caviar Green 1T RAID 1 in each
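
Added example, not part of any post in this thread: a small Python check that reads a client log in the format shown in the posts, decodes each `227` passive reply into an address and port, and compares it with the passive range the first post says is forwarded (55536-55663). It also records a `PROT P` request that the server did not answer with `200`. The function names and finding labels are made up for this example; the two logs are excerpts from the sessions quoted above.

```python
import ipaddress
import re

# Passive port range the first post says is forwarded on the router.
FORWARDED = range(55536, 55663 + 1)
PASV_RE = re.compile(r"\b227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Excerpts from the two client logs posted in this thread.
LOG_FAILING = """\
Command:   PROT P
Response:   534 Fallback to [C]
Command:   PASV
Response:   227 Entering Passive Mode (98,114,45,241,217,80)
"""
LOG_WORKING = """\
Command:   PROT P
Response:   534 Fallback to [C]
Command:   PASV
Response:   227 Entering Passive Mode (192,168,0,1,217,12)
"""

def decode_pasv(line):
    """Return (ip, port) from a 227 reply line, or None for any other line."""
    m = PASV_RE.search(line)
    if not m:
        return None
    *host, p1, p2 = (int(g) for g in m.groups())
    if any(n > 255 for n in host + [p1, p2]):
        return None  # malformed reply: every field must fit in one byte
    return ipaddress.ip_address(".".join(map(str, host))), p1 * 256 + p2

def audit(log, forwarded=FORWARDED):
    """Return a list of (finding, detail) tuples for one client session log."""
    findings, last_cmd = [], ""
    for line in log.splitlines():
        kind, _, rest = line.partition(":")
        rest = rest.strip()
        if kind == "Command":
            last_cmd = rest
        elif kind == "Response" and last_cmd == "PROT P" and not rest.startswith("200"):
            findings.append(("data-channel-not-private", rest[:3]))
        endpoint = decode_pasv(line) if kind == "Response" else None
        if endpoint:
            ip, port = endpoint
            if ip.is_private:
                findings.append(("pasv-private-address", str(ip)))
            if port not in forwarded:
                findings.append(("pasv-port-not-forwarded", str(port)))
    return findings
```

For the failing session the passive reply decodes to 98.114.45.241 port 55632, which is a public address inside the forwarded range, so the only finding is the refused `PROT P`. The second session additionally reports the private address 192.168.0.1 that the client log says it replaced with the server address.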

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: Secure FTP
« Reply #10 on: December 30, 2009, 05:32:26 AM »

I have those settings enabled, so I'm not sure what else I can do in the unit to change the behavior.  It's hard to believe this is a Verizon issue, though it may well be.

mas110

  • Level 1 Member
  • *
  • Posts: 23
Re: Secure FTP
« Reply #11 on: December 30, 2009, 06:21:25 AM »

Hi, I have a question.  I assume the "External IP" shown in the above figure is the IP assigned by your ISP.  Most ISPs use dynamic IP addresses, which means your external IP would change over time.  Do you have to go to the configuration utility and keep changing this line (External IP) every time?

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: Secure FTP
« Reply #12 on: December 30, 2009, 06:47:28 AM »

The external IP address is snagged by the NAS, probably from the DynDNS client that is running in the box.

mas110

  • Level 1 Member
  • *
  • Posts: 23
Re: Secure FTP
« Reply #13 on: December 30, 2009, 08:10:45 AM »

I originally set up my DynDNS client in the router.  I have read a couple of threads about the DNS-323 issues with the update of DynDNS (possible previous versions) that updated too often and caused people to be banned from the server.  Therefore, I set it up in the router and no problem so far.  I assume by upgrading to the Beta version and using the Passive FTP, I have to cancel the DynDNS in the router and set it up in the DNS-323.

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: Secure FTP
« Reply #14 on: December 30, 2009, 08:19:05 AM »

I tried the DynDNS client in several D-Link routers, but they had issues of renewing the account.  So far, the DNS-323 has worked fine, and it appears it is renewing the client, so that's good. :)

I like having it there, since that's on all the time, the computers snooze much of the time.