Issue with FTP Passive?
-
Hi,
I was wondering if someone could shed some light on the issue im having, I currently have pfSense 2.3.5 working and behind an FTP server. I have ports open 21, 50000-51000 but when i FTP using the external IP i connect to the server but getting this errorServer sent passive reply with unroutable address 192.168.1.208, using host address instead. Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it. Could not retrieve directory listing
i check on states on pfSense
LAN udp 192.168.1.208:55162 -> 192.168.1.255:5002 NO_TRAFFIC:SINGLE 24 / 0 8 KiB / 0 B
LAN tcp 192.168.1.208:61409 -> 217.146.21.135:5938 ESTABLISHED:ESTABLISHED 12 / 8 644 B / 456 B
WAN tcp 181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 ESTABLISHED:ESTABLISHED 12 / 8 644 B / 456 B
LAN tcp 192.168.1.208:61410 -> 18.210.135.81:443 ESTABLISHED:ESTABLISHED 11 / 11 2 KiB / 4 KiB
WAN tcp 181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 ESTABLISHED:ESTABLISHED 11 / 11 2 KiB / 4 KiB
WAN tcp 181.33.164.130:50856 -> 192.168.1.208:21 (181.xx.xx.5:21) ESTABLISHED:ESTABLISHED 31 / 16 1 KiB / 1 KiB
LAN tcp 181.33.164.130:50856 -> 192.168.1.208:21 ESTABLISHED:ESTABLISHED 31 / 16 1 KiB / 1 KiB
WAN tcp 181.33.164.130:51566 -> 192.168.1.208:5760 (181.xx.xx.5:50760) TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
LAN tcp 181.33.164.130:51566 -> 192.168.1.208:5760 TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
WAN tcp 181.33.164.130:52495 -> 192.168.1.208:5730 (181.xx.xx.5:50730) TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
LAN tcp 181.33.164.130:52495 -> 192.168.1.208:5730 TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
LAN tcp 192.168.1.167:49330 -> 192.168.1.208:21 (181.xx.xx.5:21) FIN_WAIT_2:FIN_WAIT_2 19 / 19 908 B / 1 KiB
LAN tcp 192.168.1.254:1397 (192.168.1.167:49330) -> 192.168.1.208:21 FIN_WAIT_2:FIN_WAIT_2 19 / 19 908 B / 1 KiB
LAN tcp 192.168.1.167:49395 -> 192.168.1.208:21 (181.xx.xx.5:21) ESTABLISHED:ESTABLISHED 17 / 16 828 B / 1 KiB
LAN tcp 192.168.1.254:51942 (192.168.1.167:49395) -> 192.168.1.208:21 ESTABLISHED:ESTABLISHED 17 / 16 828 B / 1 KiB
LAN tcp 192.168.1.167:49396 -> 192.168.1.208:5794 (181.xx.xx.5:50794) TIME_WAIT:TIME_WAIT 1 / 1 52 B / 40 B
LAN tcp 192.168.1.254:38121 (192.168.1.167:49396) -> 192.168.1.208:5794 TIME_WAIT:TIME_WAIT 1 / 1 52 B / 40 B
LAN udp 192.168.1.208:63703 -> 192.168.1.255:1947 NO_TRAFFIC:SINGLE 1 / 0 68 B / 0 B
Any ideas?
Thank you
-
The server also tells the client which port to connect to. It looks like you have the server set to 5000-6000 so that is what the client will try to connect to. You can't translate the ports like that unless you can tell the server to listen on 5000-6000 but instruct the clients to connect to 50000-51000.
While you're in there, tell your server to send the WAN address instead of its inside address. Some clients will not make that change to the host address and will dutifully do exactly what the server tells them to do - connect to the RFC1918 address which will be, of course, impossible.
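To make the mechanics of the two points above concrete, here is an added example (illustration code written for this page, not the poster's, FileZilla's or pfSense's code). It parses an RFC 959 PASV reply the way a client does, applies the "unroutable address, using host address instead" substitution the error message in the first post describes, and then models a pfSense-style port forward with port translation to show which advertised address/port combinations can actually be reached from outside. The WAN address 203.0.113.5 is a constructed documentation-range stand-in for the masked 181.xx.xx.5; 192.168.1.208 and the 50000-51000 / 5000-6000 ranges are the ones the thread mentions.

```python
"""Added example: what an FTP client does with a PASV reply, and whether the
resulting data connection can come back in through a NAT port forward.
Illustration code, not from the thread, FileZilla or pfSense."""
import ipaddress
import re

WAN_IP = "203.0.113.5"       # constructed stand-in for the masked 181.xx.xx.5
SERVER_IP = "192.168.1.208"  # internal FTP server address, as in the thread

# RFC 1918 plus loopback and link-local: fine on the LAN, never reachable from the Internet.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PASV_RE = re.compile(r"^227\D*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    The server, not the client, picks the data endpoint. The port is
    p1*256 + p2, so (22,128) means 5760 and (198,72) means 50760.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_unroutable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


def client_data_target(reply, control_host, substitute_unroutable=True):
    """Return (host, port, substituted): where the client opens the data channel.

    substitute_unroutable=True mimics FileZilla ("using host address instead");
    False mimics a client that dutifully connects to whatever the server said.
    """
    ip, port = parse_pasv(reply)
    if substitute_unroutable and is_unroutable(ip):
        return control_host, port, True
    return ip, port, False


def simulate_port_forward(dst_host, dst_port, wan_ip, wan_ports, internal_ports, server_listens):
    """Model a pfSense-style TCP port forward with port translation.

    wan_ports (lo, hi) on wan_ip maps one-to-one onto internal_ports (lo, hi) on
    SERVER_IP, e.g. 50760 -> 5760 for 50000-51000 -> 5000-6000. Returns a verdict.
    """
    if dst_host != wan_ip:
        return f"unreachable: {dst_host} is not the firewall's WAN address, the forward never sees it"
    wlo, whi = wan_ports
    ilo, ihi = internal_ports
    if whi - wlo != ihi - ilo:
        raise ValueError("WAN and internal port ranges must be the same size")
    if not wlo <= dst_port <= whi:
        return f"dropped: WAN port {dst_port} is not forwarded"
    internal_port = dst_port - wlo + ilo
    slo, shi = server_listens
    if not slo <= internal_port <= shi:
        return (f"refused: forwarded to {SERVER_IP}:{internal_port}, "
                f"but the server only listens on {slo}-{shi}")
    return f"ok: {wan_ip}:{dst_port} -> {SERVER_IP}:{internal_port}"


def diagnose(reply, forward, server_listens, substitute_unroutable=True):
    """Combine the client's decision and the firewall's behaviour for one PASV reply."""
    host, port, substituted = client_data_target(reply, forward["wan_ip"], substitute_unroutable)
    verdict = simulate_port_forward(host, port, forward["wan_ip"],
                                    forward["wan_ports"], forward["internal_ports"], server_listens)
    return {"host": host, "port": port, "substituted": substituted, "verdict": verdict}


# Constructed forward matching the thread: WAN 50000-51000 translated to 5000-6000.
FORWARD = {"wan_ip": WAN_IP, "wan_ports": (50000, 51000), "internal_ports": (5000, 6000)}

if __name__ == "__main__":
    # 1. Server advertises its LAN address and the port it really listens on (5760).
    #    FileZilla swaps in the WAN address, but 5760 is not a forwarded WAN port.
    print(diagnose("227 Entering Passive Mode (192,168,1,208,22,128)", FORWARD, (5000, 6000)))
    # 2. Same reply, a client that does not substitute: it tries 192.168.1.208 directly.
    print(diagnose("227 Entering Passive Mode (192,168,1,208,22,128)", FORWARD, (5000, 6000), False))
    # 3. Server advertises the WAN address and external port 50760; forward maps it to 5760.
    print(diagnose("227 Entering Passive Mode (203,0,113,5,198,72)", FORWARD, (5000, 6000)))
    # 4. Same reply, but the server listens on 50000-51000: the translated 5760 is refused.
    print(diagnose("227 Entering Passive Mode (203,0,113,5,198,72)", FORWARD, (50000, 51000)))
```

Cases 1 and 3 are the two conditions the reply above names: the advertised address must be the WAN address (or the client must substitute it), and the advertised port must be one the firewall forwards, with the translated port being one the server listens on. Case 4 is the "target machine actively refused it" shape: the firewall forwards the connection, but nothing is listening on the translated port.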
-
Thanks for the reply. Sorry, I made a mistake on the port; I fixed it, but still no luck.
When you say send your WAN address instead of its inside address, you mean on the FTP server? Currently using FileZilla with passive ports 50000-51000 and using the WAN IP instead of the LAN.
LAN tcp 192.168.1.208:61409 -> 217.146.21.135:5938 ESTABLISHED:ESTABLISHED 370 / 249 21 KiB / 13 KiB
WAN tcp 181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 ESTABLISHED:ESTABLISHED 370 / 249 21 KiB / 13 KiB
LAN tcp 192.168.1.208:61410 -> 18.210.135.81:443 ESTABLISHED:ESTABLISHED 153 / 153 7 KiB / 22 KiB
WAN tcp 181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 ESTABLISHED:ESTABLISHED 153 / 153 7 KiB / 22 KiB
WAN tcp 181.143.42.187:11959 -> 192.168.1.208:21 (181.xx.xx.5:21) ESTABLISHED:ESTABLISHED 13 / 11 770 B / 1 KiB
LAN tcp 181.143.42.187:11959 -> 192.168.1.208:21 ESTABLISHED:ESTABLISHED 13 / 11 770 B / 1 KiB
WAN tcp 181.143.42.187:43024 -> 192.168.1.208:5397 (181.xx.xx.5:50397) TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
LAN tcp 181.143.42.187:43024 -> 192.168.1.208:5397 TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
LAN udp 192.168.1.208:56741 -> 192.168.1.255:5002 NO_TRAFFIC:SINGLE 30 / 0 10 KiB / 0 B
LAN udp 192.168.1.208:63703 -> 192.168.1.255:1947 NO_TRAFFIC:SINGLE 1 / 0 68 B / 0 B
LAN udp 192.168.1.208:56742 -> 192.168.1.255:5002 NO_TRAFFIC:SINGLE 2 / 0 668 B / 0 B
-
@killmasta93 said in Issue with FTP Passive?:
Server sent passive reply with unroutable address 192.168.1.208, using host address instead.
With those settings you would not be getting that error.
Everything looks fine on the rules based on that last screenshot.
Packet capture the port 21 traffic on WAN or, better yet, capture all traffic from the IP address you are testing from on the WAN. I'll PM you a link you can upload it to so I can look at it.
-
Thanks, I sent you the upload.