Netgate Discussion Forum

    Issue with FTP Passive?

      killmasta93

      Hi,
      I was wondering if someone could shed some light on the issue I'm having. I currently have pfSense 2.3.5 working and behind it an FTP server. I have ports 21 and 50000-51000 open, but when I FTP using the external IP I connect to the server but get this error:

                  Server sent passive reply with unroutable address 192.168.1.208, using host address instead.
                  Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
                  Could not retrieve directory listing
      

      I checked the states on pfSense:

      LAN 	udp 	192.168.1.208:55162 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	24 / 0 	8 KiB / 0 B 	
      LAN 	tcp 	192.168.1.208:61409 -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	12 / 8 	644 B / 456 B 	
      WAN 	tcp 	181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	12 / 8 	644 B / 456 B 	
      LAN 	tcp 	192.168.1.208:61410 -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	11 / 11 	2 KiB / 4 KiB 	
      WAN 	tcp 	181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	11 / 11 	2 KiB / 4 KiB 	
      WAN 	tcp 	181.33.164.130:50856 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	31 / 16 	1 KiB / 1 KiB 	
      LAN 	tcp 	181.33.164.130:50856 -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	31 / 16 	1 KiB / 1 KiB 	
      WAN 	tcp 	181.33.164.130:51566 -> 192.168.1.208:5760 (181.xx.xx.5:50760) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
      LAN 	tcp 	181.33.164.130:51566 -> 192.168.1.208:5760 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
      WAN 	tcp 	181.33.164.130:52495 -> 192.168.1.208:5730 (181.xx.xx.5:50730) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
      LAN 	tcp 	181.33.164.130:52495 -> 192.168.1.208:5730 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
      LAN 	tcp 	192.168.1.167:49330 -> 192.168.1.208:21 (181.xx.xx.5:21) 	FIN_WAIT_2:FIN_WAIT_2 	19 / 19 	908 B / 1 KiB 	
      LAN 	tcp 	192.168.1.254:1397 (192.168.1.167:49330) -> 192.168.1.208:21 	FIN_WAIT_2:FIN_WAIT_2 	19 / 19 	908 B / 1 KiB 	
      LAN 	tcp 	192.168.1.167:49395 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	17 / 16 	828 B / 1 KiB 	
      LAN 	tcp 	192.168.1.254:51942 (192.168.1.167:49395) -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	17 / 16 	828 B / 1 KiB 	
      LAN 	tcp 	192.168.1.167:49396 -> 192.168.1.208:5794 (181.xx.xx.5:50794) 	TIME_WAIT:TIME_WAIT 	1 / 1 	52 B / 40 B 	
      LAN 	tcp 	192.168.1.254:38121 (192.168.1.167:49396) -> 192.168.1.208:5794 	TIME_WAIT:TIME_WAIT 	1 / 1 	52 B / 40 B 	
      LAN 	udp 	192.168.1.208:63703 -> 192.168.1.255:1947 	NO_TRAFFIC:SINGLE 	1 / 0 	68 B / 0 B 	
      

      Any ideas?

      Thank you


      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

        Derelict LAYER 8 Netgate

        The server also tells the client which port to connect to. It looks like you have the server set to 5000-6000 so that is what the client will try to connect to. You can't translate the ports like that unless you can tell the server to listen on 5000-6000 but instruct the clients to connect to 50000-51000.

        While you're in there, tell your server to send the WAN address instead of its inside address. Some clients will not make that change to the host address and will dutifully do exactly what the server tells them to do - connect to the RFC1918 address which will be, of course, impossible.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          killmasta93

          Thanks for the reply. Sorry, I made a mistake on the port; I fixed it but still no luck.
          When you say send your WAN address instead of its inside, you mean on the FTP server? I'm currently using FileZilla with passive ports 50000-51000 and the WAN IP instead of the LAN.

          LAN 	tcp 	192.168.1.208:61409 -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	370 / 249 	21 KiB / 13 KiB 	
          WAN 	tcp 	181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	370 / 249 	21 KiB / 13 KiB 	
          LAN 	tcp 	192.168.1.208:61410 -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	153 / 153 	7 KiB / 22 KiB 	
          WAN 	tcp 	181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	153 / 153 	7 KiB / 22 KiB 	
          WAN 	tcp 	181.143.42.187:11959 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	13 / 11 	770 B / 1 KiB 	
          LAN 	tcp 	181.143.42.187:11959 -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	13 / 11 	770 B / 1 KiB 	
          WAN 	tcp 	181.143.42.187:43024 -> 192.168.1.208:5397 (181.xx.xx.5:50397) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
          LAN 	tcp 	181.143.42.187:43024 -> 192.168.1.208:5397 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
          LAN 	udp 	192.168.1.208:56741 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	30 / 0 	10 KiB / 0 B 	
          LAN 	udp 	192.168.1.208:63703 -> 192.168.1.255:1947 	NO_TRAFFIC:SINGLE 	1 / 0 	68 B / 0 B 	
          LAN 	udp 	192.168.1.208:56742 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	2 / 0 	668 B / 0 B
          

            Derelict LAYER 8 Netgate

            @killmasta93 said in Issue with FTP Passive?:

            Server sent passive reply with unroutable address 192.168.1.208, using host address instead.

            With those settings you would not be getting that error.

            Everything looks fine on the rules based on that last screen shot.

            Packet capture the port 21 traffic on WAN or, better yet, capture all traffic from the IP address you are testing from on the WAN. I'll PM you a link you can upload it to so I can look at it.

              killmasta93

              Thanks, I sent you the upload.
