Netgate Discussion Forum

    Cannot connect via FTP

    OpenVPN
    • gregeeh

      Hi all,

      I have configured pfSense (2.3.4) on a MiniPC and installed OpenVPN to connect to my VPN provider.  All is working great except I cannot FTP to one FTP Server.  Others are fine.  I'm using CuteFTP Pro as the client and below are the logs of one that connects and one that does not.

      		*** CuteFTP 9.0 - build Nov  9 2012 ***
      
      STATUS:>  	[5/10/2017 10:02:44 AM] Getting listing "downloads"...
      STATUS:>  	[5/10/2017 10:02:44 AM] Connecting to FTP server... 5.79.98.171:21 (ip = 5.79.98.171)...
      STATUS:>  	[5/10/2017 10:02:45 AM] Socket connected. Waiting for welcome message...
      		[5/10/2017 10:02:45 AM] 220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:5.79.98.171]
      STATUS:>  	[5/10/2017 10:02:45 AM] Connected. Authenticating...
      COMMAND:>	[5/10/2017 10:02:45 AM] USER dp
      		[5/10/2017 10:02:45 AM] 331 Password required for dp
      COMMAND:>	[5/10/2017 10:02:45 AM] PASS *****
      		[5/10/2017 10:02:45 AM] 230 User dp logged in
      STATUS:>  	[5/10/2017 10:02:45 AM] Login successful.
      COMMAND:>	[5/10/2017 10:02:45 AM] SYST
      		[5/10/2017 10:02:46 AM] 215 UNIX Type: L8
      STATUS:>  	[5/10/2017 10:02:46 AM] Host type detected: Unix.
      COMMAND:>	[5/10/2017 10:02:46 AM] PWD
      		[5/10/2017 10:02:46 AM] 257 "/" is the current directory
      STATUS:>  	[5/10/2017 10:02:46 AM] Home directory: /
      COMMAND:>	[5/10/2017 10:02:46 AM] FEAT
      		[5/10/2017 10:02:46 AM] Informational Message Only:
      		211-Features:
      		 CCC
      		 SITE MKDIR
      		 PBSZ
      		 AUTH TLS
      		 REST STREAM
      		 UTF8
      		 EPRT
      		 SITE SYMLINK
      		 EPSV
      		 SITE UTIME
      		 MDTM
      		 SITE RMDIR
      		 SITE COPY
      		 SIZE
      		 PROT
      		 LANG en-US.UTF-8;en-US*
      		211 End
      STATUS:>  	[5/10/2017 10:02:46 AM] This site supports features.
      STATUS:>  	[5/10/2017 10:02:46 AM] This site supports SIZE.
      STATUS:>  	[5/10/2017 10:02:46 AM] This site supports UTF-8.
      STATUS:>  	[5/10/2017 10:02:46 AM] This site supports LANG.
      COMMAND:>	[5/10/2017 10:02:46 AM] OPTS UTF8 on
      		[5/10/2017 10:02:47 AM] 200 UTF8 set to on
      STATUS:>  	[5/10/2017 10:02:47 AM] This site can resume broken downloads.
      COMMAND:>	[5/10/2017 10:02:47 AM] REST 0
      		[5/10/2017 10:02:47 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
      COMMAND:>	[5/10/2017 10:02:47 AM] CWD /downloads
      		[5/10/2017 10:02:47 AM] 250 CWD command successful
      STATUS:>  	[5/10/2017 10:02:47 AM] PWD skipped. Current folder: "/downloads".
      COMMAND:>	[5/10/2017 10:02:47 AM] PASV
      		[5/10/2017 10:02:47 AM] 227 Entering Passive Mode (5,79,98,171,223,237).
      COMMAND:>	[5/10/2017 10:02:47 AM] LIST
      STATUS:>  	[5/10/2017 10:02:47 AM] Connecting FTP data socket... 5.79.98.171:57325...
      		[5/10/2017 10:02:48 AM] 150 Opening ASCII mode data connection for file list
      		[5/10/2017 10:02:49 AM] 226 Transfer complete
      STATUS:>  	[5/10/2017 10:02:49 AM] Directory listing completed.
      
      		*** CuteFTP 9.0 - build Nov  9 2012 ***
      
      STATUS:>  	[5/10/2017 10:04:20 AM] Getting listing ""...
      STATUS:>  	[5/10/2017 10:04:20 AM] Resolving host name ftp.thebriars.net.au...
      STATUS:>  	[5/10/2017 10:04:20 AM] Host name ftp.thebriars.net.au resolved: ip = 110.232.140.75.
      STATUS:>  	[5/10/2017 10:04:20 AM] Connecting to FTP server... ftp.thebriars.net.au:21 (ip = 110.232.140.75)...
      STATUS:>  	[5/10/2017 10:04:20 AM] Socket connected. Waiting for welcome message...
      		[5/10/2017 10:04:20 AM] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
      		220-You are user number 2 of 50 allowed.
      		220-Local time is now 09:04. Server port: 21.
      		220-This is a private system - No anonymous login
      		220-IPv6 connections are also welcome on this server.
      		220 You will be disconnected after 15 minutes of inactivity.
      STATUS:>  	[5/10/2017 10:04:20 AM] Connected. Authenticating...
      COMMAND:>	[5/10/2017 10:04:20 AM] USER thebriar
      		[5/10/2017 10:04:20 AM] 331 User thebriar OK. Password required
      COMMAND:>	[5/10/2017 10:04:20 AM] PASS *****
      		[5/10/2017 10:04:20 AM] 230 OK. Current restricted directory is /
      STATUS:>  	[5/10/2017 10:04:20 AM] Login successful.
      COMMAND:>	[5/10/2017 10:04:20 AM] SYST
      		[5/10/2017 10:04:20 AM] 215 UNIX Type: L8
      STATUS:>  	[5/10/2017 10:04:20 AM] Host type detected: Unix.
      COMMAND:>	[5/10/2017 10:04:20 AM] PWD
      		[5/10/2017 10:04:20 AM] 257 "/" is your current location
      STATUS:>  	[5/10/2017 10:04:20 AM] Home directory: /
      COMMAND:>	[5/10/2017 10:04:20 AM] FEAT
      		[5/10/2017 10:04:20 AM] Informational Message Only:
      		211-Extensions supported:
      		 EPRT
      		 IDLE
      		 MDTM
      		 SIZE
      		 MFMT
      		 REST STREAM
      		 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
      		 MLSD
      		 AUTH TLS
      		 PBSZ
      		 PROT
      		 UTF8
      		 TVFS
      		 ESTA
      		 PASV
      		 EPSV
      		 SPSV
      		 ESTP
      		211 End.
      STATUS:>  	[5/10/2017 10:04:20 AM] This site supports features.
      STATUS:>  	[5/10/2017 10:04:20 AM] This site supports SIZE.
      STATUS:>  	[5/10/2017 10:04:20 AM] This site supports UTF-8.
      STATUS:>  	[5/10/2017 10:04:20 AM] Setting up character encoding.
      COMMAND:>	[5/10/2017 10:04:20 AM] OPTS UTF8 on
      		[5/10/2017 10:04:20 AM] 200 OK, UTF-8 enabled
      STATUS:>  	[5/10/2017 10:04:20 AM] Using UTF-8.
      STATUS:>  	[5/10/2017 10:04:20 AM] This site can resume broken downloads.
      COMMAND:>	[5/10/2017 10:04:20 AM] REST 0
      		[5/10/2017 10:04:20 AM] 350 Restarting at 0
      COMMAND:>	[5/10/2017 10:04:20 AM] PASV
      		[5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)
      COMMAND:>	[5/10/2017 10:04:20 AM] LIST
      STATUS:>  	[5/10/2017 10:04:20 AM] Connecting FTP data socket... 110.232.140.75:52147...
      ERROR:>   	[5/10/2017 10:05:21 AM] Timeout (60000 ms) occurred on receiving server response.
      

      Can someone please let me know how I can fix this?

      TIA

      Greg

      PfSense running on Qotom mini PC
      CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
      UniFi AC-Lite access point

    • Derelict LAYER 8 Netgate

        STATUS:>  [5/10/2017 10:04:20 AM] Connecting FTP data socket… 110.232.140.75:52147...

        Nothing much for your firewall to do there. Looks like they are not responding to the PASV request.

        The connection is being made exactly where instructed to:

        [5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)

        110.232.140.75:52147 (203*256+179=52147)

        They are not responding. Perhaps that passive FTP server is misconfigured as to what ports are forwarded to it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • gregeeh

          Oh, one thing I should have mentioned, sorry.

          I can connect to this problem site via FTP in Passive Mode if I disable OpenVPN.


          • Derelict LAYER 8 Netgate

            Don't know what to tell you. Maybe they are blocking those connections from your OpenVPN provider? Maybe you're routing the FTP connection out the VPN provider but not the passive connection? Maybe your VPN provider is filtering it?
            Connect, start a transfer, start a LIST, then quickly look at Diagnostics > States and filter on the server IP address and see what's there.


            • gregeeh

              Tried your suggestion and got this:

              https://i.imgur.com/qa6gTkW.jpg

              110.232.140.75:21 is the destination
              192.168.10.13 is my PC LAN IP
              10.10.127.34 is the OpenVPN IP.

              Thanks for your assistance it is greatly appreciated.


              • Derelict LAYER 8 Netgate

                You have a bunch of NAT that shouldn't be happening. Did you enable the ftp client proxy or something?

                That won't help with passive - only active. And active data is never, ever going to be forwarded back from your VPN provider anyway.

                If you enabled the proxy, disable it and try again and post the same thing.


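The two points Derelict makes above, the PASV port arithmetic (203*256+179=52147) and the fact that passive mode only ever needs an outbound data connection from the client while active mode needs an inbound one, can be checked mechanically against a client log. The script below is an added example for this thread; it is not pfSense, CuteFTP or Netgate code. It decodes RFC 959 `227` and RFC 2428 `229` replies, builds the active-mode `PORT` argument for comparison, and walks a CuteFTP-style log to report the advertised passive endpoint, whether that address differs from the control-channel host (a server behind NAT advertising a private address, a different misconfiguration from the port-forwarding one Derelict mentions but just as common), and whether the data connection timed out. The sample log lines are constructed from the sessions posted in this thread plus one invented NAT case; the function names and the dict layout are this example's own.

```python
"""Decode FTP passive-mode replies and flag data-connection failures in a
CuteFTP-style transfer log. Example code written for this forum thread."""
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". ProFTPD appends a
# trailing '.', Pure-FTPd does not, so only the parenthesised tuple is matched.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")
DATA_SOCK_RE = re.compile(r"Connecting FTP data socket\.\.\. (\S+?):(\d+)")
TIMEOUT_RE = re.compile(r"ERROR:>.*Timeout")

# Constructed samples (timestamps shortened). The first two are the failing and
# working sessions from the thread; the third is an invented NAT case.
FAILING_SESSION = [
    "COMMAND:> [10:04:20] PASV",
    "          [10:04:20] 227 Entering Passive Mode (110,232,140,75,203,179)",
    "COMMAND:> [10:04:20] LIST",
    "STATUS:>  [10:04:20] Connecting FTP data socket... 110.232.140.75:52147...",
    "ERROR:>   [10:05:21] Timeout (60000 ms) occurred on receiving server response.",
]
WORKING_SESSION = [
    "COMMAND:> [10:02:47] PASV",
    "          [10:02:47] 227 Entering Passive Mode (5,79,98,171,223,237).",
    "COMMAND:> [10:02:47] LIST",
    "STATUS:>  [10:02:47] Connecting FTP data socket... 5.79.98.171:57325...",
    "          [10:02:48] 150 Opening ASCII mode data connection for file list",
    "          [10:02:49] 226 Transfer complete",
]
NATTED_SESSION = [  # server advertises its private LAN address in the 227 reply
    "          [10:10:00] 227 Entering Passive Mode (192,168,1,5,195,88)",
    "STATUS:>  [10:10:00] Connecting FTP data socket... 192.168.1.5:50008...",
    "ERROR:>   [10:11:00] Timeout (60000 ms) occurred on receiving server response.",
]


def decode_pasv(reply):
    """Return (host, port) from a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("227 field outside 0..255: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def decode_epsv(reply):
    """Return the port from a 229 extended-passive reply (address is implied)."""
    m = EPSV_RE.search(reply)
    if not m:
        raise ValueError("not a 229 extended-passive reply: %r" % reply)
    return int(m.group(1))


def encode_port(host, port):
    """Active-mode PORT argument: the client listens and the server connects in,
    which is why active transfers cannot work behind a VPN provider's NAT."""
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def check_passive_log(lines, control_host):
    """Summarise one passive-mode exchange from a client log."""
    result = {"pasv": None, "addr_mismatch": False,
              "data_socket": None, "data_timeout": False}
    for line in lines:
        if PASV_RE.search(line):
            host, port = decode_pasv(line)
            result["pasv"] = (host, port)
            # Many clients ignore the advertised address and reuse the control
            # host; a mismatch still points at a NAT problem on the server side.
            result["addr_mismatch"] = host != control_host
        m = DATA_SOCK_RE.search(line)
        if m:
            result["data_socket"] = (m.group(1), int(m.group(2)))
        if result["data_socket"] and TIMEOUT_RE.search(line):
            result["data_timeout"] = True
    return result


if __name__ == "__main__":
    for name, log, host in (("failing", FAILING_SESSION, "110.232.140.75"),
                            ("working", WORKING_SESSION, "5.79.98.171"),
                            ("natted", NATTED_SESSION, "203.0.113.10")):
        print(name, check_passive_log(log, host))
```

For the thread's failing session the checker reports the advertised endpoint 110.232.140.75:52147 with no address mismatch and a data timeout, which is exactly the "server not answering on the port it advertised" picture Derelict describes; the constructed NAT case shows the other common failure, where the advertised address itself is unreachable.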
                • gregeeh

                  @Derelict:

                  You have a bunch of NAT that shouldn't be happening. Did you enable the ftp client proxy or something?

                  That won't help with passive - only active. And active data is never, ever going to be forwarded back from your VPN provider anyway.

                  If you enabled the proxy, disable it and try again and post the same thing.

                  Sorry, FTP Client Proxy was enabled.  Have disabled it and repeated the test.

                  https://i.imgur.com/DG1x32T.jpg


                  • Derelict LAYER 8 Netgate

                    Looks perfect. There is no reason it should not be working. It looks to be something at or upstream of the OpenVPN provider.


                    • gregeeh

                      @Derelict:

                      Looks perfect. There is no reason it should not be working. It looks to be something at or upstream of the OpenVPN provider.

                      Thanks, I imagine you mean VPN Provider and not OpenVPN Provider.  Looks like it's off to my VPN Provider.  It is strange that I can connect with some FTP Servers and not others.  Makes me think it's not the VPN Provider.

                      Thanks again.


                      • Derelict LAYER 8 Netgate

                        I have no idea what VPN you have. The one on OPT1.


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.