Netgate Discussion Forum

    NAT and vsftpd help pls

    • chudak

      I have set up vsftpd as in https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04

      And forwarded ports as in https://snag.gy/YmTbo0.jpg

      Is it the right way to do so?

      When I check open ports, all except 21 are closed for some reason?!

      Thx

      • jimp Rebel Alliance Developer Netgate

        vsftpd won't actually respond on any of those other ports except during a real FTP connection when it will accept connections from clients only on certain ports it designates for that client.

        The only way to test the other ports, besides 21, is with an actual FTP client in passive mode outside your network (on WAN somewhere, or on the Internet)

        Also, in your vsftpd.conf, you will need to set pasv_address=x.x.x.x where x.x.x.x is your real external WAN IP address.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • chudak

          @jimp:

          vsftpd won't actually respond on any of those other ports except during a real FTP connection when it will accept connections from clients only on certain ports it designates for that client.

          The only way to test the other ports, besides 21, is with an actual FTP client in passive mode outside your network (on WAN somewhere, or on the Internet)

          Also, in your vsftpd.conf, you will need to set pasv_address=x.x.x.x where x.x.x.x is your real external WAN IP address.

          If I read you correctly, I need to keep port forwarding as is.
          ref: pasv_address - it's working now, do I still need to enable it?

          It's odd but snort seems to be throwing alerts about ftp connections ?!

          • johnpoz LAYER 8 Global Moderator

            Have to wonder why you don't take the advice they give right up front and use a more secure, and easier to set up, option like sftp? Now you don't have to deal with the active or passive data channel through a NAT.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • jimp Rebel Alliance Developer Netgate

              @chudak:

              If I read you correctly, I need to keep port forwarding as is.

              Yes, though maybe not even all of those ports are required. Usually just 20-21 plus the pasv range.

              @chudak:

              ref: pasv_address - it's working now, do I still need to enable it?

              It may work with some clients like Filezilla which are smart enough to use the correct address anyhow, but other clients will break without that set.

              @chudak:

              It's odd but snort seems to be throwing alerts about ftp connections ?!

              That's between you and your snort config.

              • blex

                Hi,

                Just in case you have problems, I just did the setup with a CARP address on WAN.

                1. Create a NAT Forward for Port 21 to internal IP
                2. Create a NAT Forward for passive ports (like 20000 to 20010) to internal IP
                3. Add the following lines to vsftpd.conf

                
                pasv_enable=YES
                pasv_address=CARPWANIP
                pasv_min_port=20000
                pasv_max_port=20010
                
                

                4. Search for listen_ipv6=YES, comment it out, and add listen=YES

                If you don't do step 4, you will see something like this on the external FTP client:

                
                ftp> dir
                227 Entering Passive Mode (0,0,0,0,78,39).
                ftp: connect: Connection refused
                
                
                1 Reply Last reply Reply Quote 0
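The 227 reply in the last post can be decoded and checked against the vsftpd.conf values from the same post: the six numbers are four address octets followed by the data port as high byte and low byte. The following is an added example, not part of the original thread; `WAN_IP` is a constructed documentation address standing in for CARPWANIP, and the function names are hypothetical.

```python
import ipaddress
import re

# Range taken from the vsftpd.conf posted above. WAN_IP is a constructed
# documentation address standing in for the poster's CARPWANIP.
PASV_MIN, PASV_MAX = 20000, 20010
WAN_IP = "203.0.113.10"

_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_227(line):
    """Return (host, port) from a '227 Entering Passive Mode (...)' reply."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte, low byte
    return host, port


def check_pasv_reply(line, wan_ip=WAN_IP, lo=PASV_MIN, hi=PASV_MAX):
    """Return (host, port, problems) as seen by a client outside the NAT."""
    host, port = parse_227(line)
    addr = ipaddress.ip_address(host)
    problems = []
    if host == wan_ip:
        pass  # advertised address is the one the port forwards live on
    elif addr.is_unspecified:
        # The symptom described in the last post when step 4 is skipped.
        problems.append("server advertised 0.0.0.0; check listen=YES (step 4)")
    elif addr.is_private or addr.is_loopback or addr.is_link_local:
        problems.append("server advertised internal address %s; set pasv_address" % host)
    else:
        problems.append("advertised %s does not match WAN address %s" % (host, wan_ip))
    if not lo <= port <= hi:
        problems.append("data port %d is outside forwarded range %d-%d" % (port, lo, hi))
    return host, port, problems


if __name__ == "__main__":
    # The reply quoted in the post above.
    print(check_pasv_reply("227 Entering Passive Mode (0,0,0,0,78,39)."))
```

Run against the reply captured by an FTP client outside the network, an empty problem list means the advertised address and data port both match what the NAT forwards.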
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.