Netgate Discussion Forum

Issue with FTP Passive?

  • K
    killmasta93
    last edited by killmasta93 Nov 13, 2018, 5:42 PM Nov 13, 2018, 5:38 PM

    Hi,
    I was wondering if someone could shed some light on the issue I'm having. I currently have pfSense 2.3.5 working and behind an FTP server. I have ports open 21, 50000-51000, but when I FTP using the external IP I connect to the server but getting this error:

                Server sent passive reply with unroutable address 192.168.1.208, using host address instead.
                Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
                Could not retrieve directory listing
    

    I checked the states on pfSense:

    LAN 	udp 	192.168.1.208:55162 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	24 / 0 	8 KiB / 0 B 	
    LAN 	tcp 	192.168.1.208:61409 -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	12 / 8 	644 B / 456 B 	
    WAN 	tcp 	181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	12 / 8 	644 B / 456 B 	
    LAN 	tcp 	192.168.1.208:61410 -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	11 / 11 	2 KiB / 4 KiB 	
    WAN 	tcp 	181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	11 / 11 	2 KiB / 4 KiB 	
    WAN 	tcp 	181.33.164.130:50856 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	31 / 16 	1 KiB / 1 KiB 	
    LAN 	tcp 	181.33.164.130:50856 -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	31 / 16 	1 KiB / 1 KiB 	
    WAN 	tcp 	181.33.164.130:51566 -> 192.168.1.208:5760 (181.xx.xx.5:50760) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	tcp 	181.33.164.130:51566 -> 192.168.1.208:5760 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    WAN 	tcp 	181.33.164.130:52495 -> 192.168.1.208:5730 (181.xx.xx.5:50730) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	tcp 	181.33.164.130:52495 -> 192.168.1.208:5730 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	tcp 	192.168.1.167:49330 -> 192.168.1.208:21 (181.xx.xx.5:21) 	FIN_WAIT_2:FIN_WAIT_2 	19 / 19 	908 B / 1 KiB 	
    LAN 	tcp 	192.168.1.254:1397 (192.168.1.167:49330) -> 192.168.1.208:21 	FIN_WAIT_2:FIN_WAIT_2 	19 / 19 	908 B / 1 KiB 	
    LAN 	tcp 	192.168.1.167:49395 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	17 / 16 	828 B / 1 KiB 	
    LAN 	tcp 	192.168.1.254:51942 (192.168.1.167:49395) -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	17 / 16 	828 B / 1 KiB 	
    LAN 	tcp 	192.168.1.167:49396 -> 192.168.1.208:5794 (181.xx.xx.5:50794) 	TIME_WAIT:TIME_WAIT 	1 / 1 	52 B / 40 B 	
    LAN 	tcp 	192.168.1.254:38121 (192.168.1.167:49396) -> 192.168.1.208:5794 	TIME_WAIT:TIME_WAIT 	1 / 1 	52 B / 40 B 	
    LAN 	udp 	192.168.1.208:63703 -> 192.168.1.255:1947 	NO_TRAFFIC:SINGLE 	1 / 0 	68 B / 0 B 	
    

    Any ideas?

    Thank you

    0_1542130964426_Clipboarder.2018.11.13-002.png

    Tutorials:

    https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

    • D
      Derelict LAYER 8 Netgate
      last edited by Nov 13, 2018, 6:27 PM

      The server also tells the client which port to connect to. It looks like you have the server set to 5000-6000 so that is what the client will try to connect to. You can't translate the ports like that unless you can tell the server to listen on 5000-6000 but instruct the clients to connect to 50000-51000.

      While you're in there, tell your server to send the WAN address instead of its inside address. Some clients will not make that change to the host address and will dutifully do exactly what the server tells them to do - connect to the RFC1918 address which will be, of course, impossible.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

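The two checks described in the reply above (the address and the port carried in the server's passive reply), as an added example that is not part of the original posts or of any FTP server or pfSense code. The WAN address `203.0.113.5` is a constructed placeholder (the thread redacts the real one), the sample replies are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 private ranges: unreachable for a client on the Internet side of the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 959 passive reply carries h1,h2,h3,h4,p1,p2 (address octets, then port bytes).
PASV_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    reply = reply.strip()
    m = PASV_FIELDS.search(reply[3:]) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a 227 passive reply: %r" % reply)
    fields = [int(g) for g in m.groups()]
    if max(fields) > 255:
        raise ValueError("field out of range in: %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return host, fields[4] * 256 + fields[5]   # port = p1 * 256 + p2


def check_pasv(reply, wan_ip, forwarded_ports):
    """List the reasons an outside client could not open the data channel."""
    host, port = parse_pasv(reply)
    problems = []
    if any(host in net for net in RFC1918):
        problems.append("rfc1918-address")      # server advertises its inside address
    elif host != ipaddress.IPv4Address(wan_ip):
        problems.append("not-wan-address")
    if port not in forwarded_ports:
        problems.append("port-not-forwarded")   # no port forward covers this port
    return problems


if __name__ == "__main__":
    WAN_IP = "203.0.113.5"             # constructed placeholder for the redacted WAN IP
    FORWARDED = range(50000, 51001)    # passive range opened on the firewall in the thread
    samples = [                        # constructed 227 replies
        "227 Entering Passive Mode (192,168,1,208,22,128)",   # inside address, port 5760
        "227 Entering Passive Mode (203,0,113,5,198,72)",     # WAN address, port 50760
    ]
    for s in samples:
        print(s, "->", check_pasv(s, WAN_IP, FORWARDED) or "ok")
```
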
      • K
        killmasta93
        last edited by killmasta93 Nov 13, 2018, 7:25 PM Nov 13, 2018, 7:21 PM

        Thanks for the reply. Sorry, I made a mistake on the port. I fixed it but still no luck.
        When you say send your WAN address instead of its inside, you mean on the FTP server? Currently using FileZilla and using passive ports 50000-51000 and using the WAN IP instead of the LAN.
        0_1542136671184_Clipboarder.2018.11.13-003.png

        LAN 	tcp 	192.168.1.208:61409 -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	370 / 249 	21 KiB / 13 KiB 	
        WAN 	tcp 	181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	370 / 249 	21 KiB / 13 KiB 	
        LAN 	tcp 	192.168.1.208:61410 -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	153 / 153 	7 KiB / 22 KiB 	
        WAN 	tcp 	181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	153 / 153 	7 KiB / 22 KiB 	
        WAN 	tcp 	181.143.42.187:11959 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	13 / 11 	770 B / 1 KiB 	
        LAN 	tcp 	181.143.42.187:11959 -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	13 / 11 	770 B / 1 KiB 	
        WAN 	tcp 	181.143.42.187:43024 -> 192.168.1.208:5397 (181.xx.xx.5:50397) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
        LAN 	tcp 	181.143.42.187:43024 -> 192.168.1.208:5397 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
        LAN 	udp 	192.168.1.208:56741 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	30 / 0 	10 KiB / 0 B 	
        LAN 	udp 	192.168.1.208:63703 -> 192.168.1.255:1947 	NO_TRAFFIC:SINGLE 	1 / 0 	68 B / 0 B 	
        LAN 	udp 	192.168.1.208:56742 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	2 / 0 	668 B / 0 B
        

        0_1542137106040_Clipboarder.2018.11.13-004.png

        • D
          Derelict LAYER 8 Netgate
          last edited by Nov 13, 2018, 7:35 PM

          @killmasta93 said in Issue with FTP Passive?:

          Server sent passive reply with unroutable address 192.168.1.208, using host address instead.

          With those settings you would not be getting that error.

          Everything looks fine on the rules based on that last screen shot.

          Packet capture the port 21 traffic on WAN or, better yet, capture all traffic from the IP address you are testing from on the WAN. I'll PM you a link you can upload it to so I can look at it.

          • K
            killmasta93
            last edited by Nov 13, 2018, 8:00 PM

            Thanks, I sent you the upload.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.