Cannot connect via FTP



  • Hi all,

    I have configured pfSense (2.3.4) on a MiniPC and installed OpenVPN to connect to my VPN provider.  All is working great except I cannot FTP to one FTP Server.  Others are fine.  I'm using CuteFTP Pro as the client and below are the logs of one that connects and one that does not.

    		*** CuteFTP 9.0 - build Nov  9 2012 ***
    
    STATUS:>  	[5/10/2017 10:02:44 AM] Getting listing "downloads"...
    STATUS:>  	[5/10/2017 10:02:44 AM] Connecting to FTP server... 5.79.98.171:21 (ip = 5.79.98.171)...
    STATUS:>  	[5/10/2017 10:02:45 AM] Socket connected. Waiting for welcome message...
    		[5/10/2017 10:02:45 AM] 220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:5.79.98.171]
    STATUS:>  	[5/10/2017 10:02:45 AM] Connected. Authenticating...
    COMMAND:>	[5/10/2017 10:02:45 AM] USER dp
    		[5/10/2017 10:02:45 AM] 331 Password required for dp
    COMMAND:>	[5/10/2017 10:02:45 AM] PASS *****
    		[5/10/2017 10:02:45 AM] 230 User dp logged in
    STATUS:>  	[5/10/2017 10:02:45 AM] Login successful.
    COMMAND:>	[5/10/2017 10:02:45 AM] SYST
    		[5/10/2017 10:02:46 AM] 215 UNIX Type: L8
    STATUS:>  	[5/10/2017 10:02:46 AM] Host type detected: Unix.
    COMMAND:>	[5/10/2017 10:02:46 AM] PWD
    		[5/10/2017 10:02:46 AM] 257 "/" is the current directory
    STATUS:>  	[5/10/2017 10:02:46 AM] Home directory: /
    COMMAND:>	[5/10/2017 10:02:46 AM] FEAT
    		[5/10/2017 10:02:46 AM] Informational Message Only:
    		211-Features:
    		 CCC
    		 SITE MKDIR
    		 PBSZ
    		 AUTH TLS
    		 REST STREAM
    		 UTF8
    		 EPRT
    		 SITE SYMLINK
    		 EPSV
    		 SITE UTIME
    		 MDTM
    		 SITE RMDIR
    		 SITE COPY
    		 SIZE
    		 PROT
    		 LANG en-US.UTF-8;en-US*
    		211 End
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports features.
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports SIZE.
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports UTF-8.
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports LANG.
    COMMAND:>	[5/10/2017 10:02:46 AM] OPTS UTF8 on
    		[5/10/2017 10:02:47 AM] 200 UTF8 set to on
    STATUS:>  	[5/10/2017 10:02:47 AM] This site can resume broken downloads.
    COMMAND:>	[5/10/2017 10:02:47 AM] REST 0
    		[5/10/2017 10:02:47 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
    COMMAND:>	[5/10/2017 10:02:47 AM] CWD /downloads
    		[5/10/2017 10:02:47 AM] 250 CWD command successful
    STATUS:>  	[5/10/2017 10:02:47 AM] PWD skipped. Current folder: "/downloads".
    COMMAND:>	[5/10/2017 10:02:47 AM] PASV
    		[5/10/2017 10:02:47 AM] 227 Entering Passive Mode (5,79,98,171,223,237).
    COMMAND:>	[5/10/2017 10:02:47 AM] LIST
    STATUS:>  	[5/10/2017 10:02:47 AM] Connecting FTP data socket... 5.79.98.171:57325...
    		[5/10/2017 10:02:48 AM] 150 Opening ASCII mode data connection for file list
    		[5/10/2017 10:02:49 AM] 226 Transfer complete
    STATUS:>  	[5/10/2017 10:02:49 AM] Directory listing completed.
    
    		*** CuteFTP 9.0 - build Nov  9 2012 ***
    
    STATUS:>  	[5/10/2017 10:04:20 AM] Getting listing ""...
    STATUS:>  	[5/10/2017 10:04:20 AM] Resolving host name ftp.thebriars.net.au...
    STATUS:>  	[5/10/2017 10:04:20 AM] Host name ftp.thebriars.net.au resolved: ip = 110.232.140.75.
    STATUS:>  	[5/10/2017 10:04:20 AM] Connecting to FTP server... ftp.thebriars.net.au:21 (ip = 110.232.140.75)...
    STATUS:>  	[5/10/2017 10:04:20 AM] Socket connected. Waiting for welcome message...
    		[5/10/2017 10:04:20 AM] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    		220-You are user number 2 of 50 allowed.
    		220-Local time is now 09:04. Server port: 21.
    		220-This is a private system - No anonymous login
    		220-IPv6 connections are also welcome on this server.
    		220 You will be disconnected after 15 minutes of inactivity.
    STATUS:>  	[5/10/2017 10:04:20 AM] Connected. Authenticating...
    COMMAND:>	[5/10/2017 10:04:20 AM] USER thebriar
    		[5/10/2017 10:04:20 AM] 331 User thebriar OK. Password required
    COMMAND:>	[5/10/2017 10:04:20 AM] PASS *****
    		[5/10/2017 10:04:20 AM] 230 OK. Current restricted directory is /
    STATUS:>  	[5/10/2017 10:04:20 AM] Login successful.
    COMMAND:>	[5/10/2017 10:04:20 AM] SYST
    		[5/10/2017 10:04:20 AM] 215 UNIX Type: L8
    STATUS:>  	[5/10/2017 10:04:20 AM] Host type detected: Unix.
    COMMAND:>	[5/10/2017 10:04:20 AM] PWD
    		[5/10/2017 10:04:20 AM] 257 "/" is your current location
    STATUS:>  	[5/10/2017 10:04:20 AM] Home directory: /
    COMMAND:>	[5/10/2017 10:04:20 AM] FEAT
    		[5/10/2017 10:04:20 AM] Informational Message Only:
    		211-Extensions supported:
    		 EPRT
    		 IDLE
    		 MDTM
    		 SIZE
    		 MFMT
    		 REST STREAM
    		 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
    		 MLSD
    		 AUTH TLS
    		 PBSZ
    		 PROT
    		 UTF8
    		 TVFS
    		 ESTA
    		 PASV
    		 EPSV
    		 SPSV
    		 ESTP
    		211 End.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site supports features.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site supports SIZE.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site supports UTF-8.
    STATUS:>  	[5/10/2017 10:04:20 AM] Setting up character encoding.
    COMMAND:>	[5/10/2017 10:04:20 AM] OPTS UTF8 on
    		[5/10/2017 10:04:20 AM] 200 OK, UTF-8 enabled
    STATUS:>  	[5/10/2017 10:04:20 AM] Using UTF-8.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site can resume broken downloads.
    COMMAND:>	[5/10/2017 10:04:20 AM] REST 0
    		[5/10/2017 10:04:20 AM] 350 Restarting at 0
    COMMAND:>	[5/10/2017 10:04:20 AM] PASV
    		[5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)
    COMMAND:>	[5/10/2017 10:04:20 AM] LIST
    STATUS:>  	[5/10/2017 10:04:20 AM] Connecting FTP data socket... 110.232.140.75:52147...
    ERROR:>   	[5/10/2017 10:05:21 AM] Timeout (60000 ms) occurred on receiving server response.
    

    Can someone please let me know how I can fix this.

    TIA

    Greg


  • LAYER 8 Netgate

    STATUS:>  [5/10/2017 10:04:20 AM] Connecting FTP data socket… 110.232.140.75:52147...

    Nothing much for your firewall to do there. Looks like they are not responding to the PASV request.

    The connection is being made exactly where instructed to:

    [5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)

    110.232.140.75:52147 (203*256+179=52147)

    They are not responding. Perhaps that passive FTP server is misconfigured as to what ports are forwarded to it.
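The port arithmetic in the reply above, applied to the failing session's log lines (an added Python example, not part of the original posts). The function names and the trimmed sample log are constructed here; the check that the advertised PASV address matches the control-connection address is an extra diagnostic beyond what the reply states.

```python
import re

# Constructed sample: the relevant lines of the failing session quoted in the thread.
SAMPLE_LOG = """\
STATUS:>  [5/10/2017 10:04:20 AM] Connecting to FTP server... ftp.thebriars.net.au:21 (ip = 110.232.140.75)...
COMMAND:> [5/10/2017 10:04:20 AM] PASV
          [5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)
COMMAND:> [5/10/2017 10:04:20 AM] LIST
STATUS:>  [5/10/2017 10:04:20 AM] Connecting FTP data socket... 110.232.140.75:52147...
ERROR:>   [5/10/2017 10:05:21 AM] Timeout (60000 ms) occurred on receiving server response.
"""

PASV_RE = re.compile(r"\b227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
CONTROL_RE = re.compile(r"Connecting to FTP server\.\.\. \S+ \(ip = ([\d.]+)\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("227 field out of range: " + line.strip())
    # The last two fields are the high and low bytes of the data port.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def diagnose(log_text):
    """Summarise control IP, PASV endpoint and data-channel outcome for one session."""
    result = {"control_ip": None, "data_endpoint": None,
              "address_matches": None, "outcome": "unknown"}
    for line in log_text.splitlines():
        m = CONTROL_RE.search(line)
        if m:
            result["control_ip"] = m.group(1)
        endpoint = parse_pasv(line)
        if endpoint:
            result["data_endpoint"] = endpoint
            # A mismatch here would point at a server advertising the wrong address.
            result["address_matches"] = endpoint[0] == result["control_ip"]
        elif result["data_endpoint"] and re.search(r"\b(150|226) ", line):
            result["outcome"] = "data channel opened"
        elif result["data_endpoint"] and "Timeout" in line:
            result["outcome"] = "data channel timed out"
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```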



  • Oh, one thing I should have mentioned, sorry.

    I can connect to this problem site via FTP in Passive Mode if I disable OpenVPN.


  • LAYER 8 Netgate

    Don't know what to tell you. Maybe they are blocking those connections from your OpenVPN provider? Maybe you're routing the FTP connection out the VPN provider but not the passive connection? Maybe your VPN provider is filtering it?
    Connect, start a transfer, start a LIST, then quickly look at Diagnostics > States and filter on the server IP address and see what's there.



  • Tried your suggestion and got this:-

    https://i.imgur.com/qa6gTkW.jpg

    110.232.140.75:21 is the destination
    192.168.10.13 is my PC LAN IP
    10.10.127.34 is the OvenVPN IP.

    Thanks for your assistance it is greatly appreciated.


  • LAYER 8 Netgate

    You have a bunch of NAT that shouldn't be happening. Did you enable the ftp client proxy or something?

    That won't help with passive - only active. And active data is never, ever going to be forwarded back from your VPN provider anyway.

    If you enabled the proxy, disable it and try again and post the same thing.



  • @Derelict:

    You have a bunch of NAT that shouldn't be happening. Did you enable the ftp client proxy or something?

    That won't help with passive - only active. And active data is never, ever going to be forwarded back from your VPN provider anyway.

    If you enabled the proxy, disable it and try again and post the same thing.

    Sorry, FTP Client Proxy was enabled.  Have disabled it and repeated the test.

    https://i.imgur.com/DG1x32T.jpg


  • LAYER 8 Netgate

    Looks perfect. There is no reason there it should not be working. It looks to be something at or upstream of the OpenVPN provider.



  • @Derelict:

    Looks perfect. There is no reason there it should not be working. It looks to be something at or upstream of the OpenVPN provider.

    Thanks, I imagine you mean VPN Provider and not OpenVPN Provider.  Looks like it's off to my VPN Provider.  It is strange that I can connect with some FTP Servers and not others.  Makes me think it's not the VPN Provider.

    Thanks again.


  • LAYER 8 Netgate

    I have no idea what VPN you have. The one on OPT1.

