Netgate Discussion Forum

Cannot connect via FTP

    gregeeh
    last edited by Oct 4, 2017, 11:21 PM Oct 4, 2017, 11:07 PM

    Hi all,

    I have configured pfSense (2.3.4) on a MiniPC and installed OpenVPN to connect to my VPN provider.  All is working great except I cannot FTP to one FTP Server.  Others are fine.  I'm using CuteFTP Pro as the client and below are the logs of one that connects and one that does not.

    		*** CuteFTP 9.0 - build Nov  9 2012 ***
    
    STATUS:>  	[5/10/2017 10:02:44 AM] Getting listing "downloads"...
    STATUS:>  	[5/10/2017 10:02:44 AM] Connecting to FTP server... 5.79.98.171:21 (ip = 5.79.98.171)...
    STATUS:>  	[5/10/2017 10:02:45 AM] Socket connected. Waiting for welcome message...
    		[5/10/2017 10:02:45 AM] 220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:5.79.98.171]
    STATUS:>  	[5/10/2017 10:02:45 AM] Connected. Authenticating...
    COMMAND:>	[5/10/2017 10:02:45 AM] USER dp
    		[5/10/2017 10:02:45 AM] 331 Password required for dp
    COMMAND:>	[5/10/2017 10:02:45 AM] PASS *****
    		[5/10/2017 10:02:45 AM] 230 User dp logged in
    STATUS:>  	[5/10/2017 10:02:45 AM] Login successful.
    COMMAND:>	[5/10/2017 10:02:45 AM] SYST
    		[5/10/2017 10:02:46 AM] 215 UNIX Type: L8
    STATUS:>  	[5/10/2017 10:02:46 AM] Host type detected: Unix.
    COMMAND:>	[5/10/2017 10:02:46 AM] PWD
    		[5/10/2017 10:02:46 AM] 257 "/" is the current directory
    STATUS:>  	[5/10/2017 10:02:46 AM] Home directory: /
    COMMAND:>	[5/10/2017 10:02:46 AM] FEAT
    		[5/10/2017 10:02:46 AM] Informational Message Only:
    		211-Features:
    		 CCC
    		 SITE MKDIR
    		 PBSZ
    		 AUTH TLS
    		 REST STREAM
    		 UTF8
    		 EPRT
    		 SITE SYMLINK
    		 EPSV
    		 SITE UTIME
    		 MDTM
    		 SITE RMDIR
    		 SITE COPY
    		 SIZE
    		 PROT
    		 LANG en-US.UTF-8;en-US*
    		211 End
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports features.
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports SIZE.
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports UTF-8.
    STATUS:>  	[5/10/2017 10:02:46 AM] This site supports LANG.
    COMMAND:>	[5/10/2017 10:02:46 AM] OPTS UTF8 on
    		[5/10/2017 10:02:47 AM] 200 UTF8 set to on
    STATUS:>  	[5/10/2017 10:02:47 AM] This site can resume broken downloads.
    COMMAND:>	[5/10/2017 10:02:47 AM] REST 0
    		[5/10/2017 10:02:47 AM] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
    COMMAND:>	[5/10/2017 10:02:47 AM] CWD /downloads
    		[5/10/2017 10:02:47 AM] 250 CWD command successful
    STATUS:>  	[5/10/2017 10:02:47 AM] PWD skipped. Current folder: "/downloads".
    COMMAND:>	[5/10/2017 10:02:47 AM] PASV
    		[5/10/2017 10:02:47 AM] 227 Entering Passive Mode (5,79,98,171,223,237).
    COMMAND:>	[5/10/2017 10:02:47 AM] LIST
    STATUS:>  	[5/10/2017 10:02:47 AM] Connecting FTP data socket... 5.79.98.171:57325...
    		[5/10/2017 10:02:48 AM] 150 Opening ASCII mode data connection for file list
    		[5/10/2017 10:02:49 AM] 226 Transfer complete
    STATUS:>  	[5/10/2017 10:02:49 AM] Directory listing completed.
    
    		*** CuteFTP 9.0 - build Nov  9 2012 ***
    
    STATUS:>  	[5/10/2017 10:04:20 AM] Getting listing ""...
    STATUS:>  	[5/10/2017 10:04:20 AM] Resolving host name ftp.thebriars.net.au...
    STATUS:>  	[5/10/2017 10:04:20 AM] Host name ftp.thebriars.net.au resolved: ip = 110.232.140.75.
    STATUS:>  	[5/10/2017 10:04:20 AM] Connecting to FTP server... ftp.thebriars.net.au:21 (ip = 110.232.140.75)...
    STATUS:>  	[5/10/2017 10:04:20 AM] Socket connected. Waiting for welcome message...
    		[5/10/2017 10:04:20 AM] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    		220-You are user number 2 of 50 allowed.
    		220-Local time is now 09:04. Server port: 21.
    		220-This is a private system - No anonymous login
    		220-IPv6 connections are also welcome on this server.
    		220 You will be disconnected after 15 minutes of inactivity.
    STATUS:>  	[5/10/2017 10:04:20 AM] Connected. Authenticating...
    COMMAND:>	[5/10/2017 10:04:20 AM] USER thebriar
    		[5/10/2017 10:04:20 AM] 331 User thebriar OK. Password required
    COMMAND:>	[5/10/2017 10:04:20 AM] PASS *****
    		[5/10/2017 10:04:20 AM] 230 OK. Current restricted directory is /
    STATUS:>  	[5/10/2017 10:04:20 AM] Login successful.
    COMMAND:>	[5/10/2017 10:04:20 AM] SYST
    		[5/10/2017 10:04:20 AM] 215 UNIX Type: L8
    STATUS:>  	[5/10/2017 10:04:20 AM] Host type detected: Unix.
    COMMAND:>	[5/10/2017 10:04:20 AM] PWD
    		[5/10/2017 10:04:20 AM] 257 "/" is your current location
    STATUS:>  	[5/10/2017 10:04:20 AM] Home directory: /
    COMMAND:>	[5/10/2017 10:04:20 AM] FEAT
    		[5/10/2017 10:04:20 AM] Informational Message Only:
    		211-Extensions supported:
    		 EPRT
    		 IDLE
    		 MDTM
    		 SIZE
    		 MFMT
    		 REST STREAM
    		 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
    		 MLSD
    		 AUTH TLS
    		 PBSZ
    		 PROT
    		 UTF8
    		 TVFS
    		 ESTA
    		 PASV
    		 EPSV
    		 SPSV
    		 ESTP
    		211 End.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site supports features.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site supports SIZE.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site supports UTF-8.
    STATUS:>  	[5/10/2017 10:04:20 AM] Setting up character encoding.
    COMMAND:>	[5/10/2017 10:04:20 AM] OPTS UTF8 on
    		[5/10/2017 10:04:20 AM] 200 OK, UTF-8 enabled
    STATUS:>  	[5/10/2017 10:04:20 AM] Using UTF-8.
    STATUS:>  	[5/10/2017 10:04:20 AM] This site can resume broken downloads.
    COMMAND:>	[5/10/2017 10:04:20 AM] REST 0
    		[5/10/2017 10:04:20 AM] 350 Restarting at 0
    COMMAND:>	[5/10/2017 10:04:20 AM] PASV
    		[5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)
    COMMAND:>	[5/10/2017 10:04:20 AM] LIST
    STATUS:>  	[5/10/2017 10:04:20 AM] Connecting FTP data socket... 110.232.140.75:52147...
    ERROR:>   	[5/10/2017 10:05:21 AM] Timeout (60000 ms) occurred on receiving server response.
    

    Can someone please let me know how I can fix this.

    TIA

    Greg

    PfSense running on Qotom mini PC
    CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
    UniFi AC-Lite access point

      Derelict LAYER 8 Netgate
      last edited by Oct 5, 2017, 1:34 AM

      STATUS:>  [5/10/2017 10:04:20 AM] Connecting FTP data socket… 110.232.140.75:52147...

      Nothing much for your firewall to do there. Looks like they are not responding to the PASV request.

      The connection is being made exactly where instructed to:

      [5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)

      110.232.140.75:52147 (203*256+179=52147)

      They are not responding. Perhaps that passive FTP server is misconfigured as to what ports are forwarded to it.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)
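The 227 decoding walked through in the reply above, as an added example that is not part of the original posts: it parses a CuteFTP-style client log, converts each PASV reply to the data endpoint (port = p1*256 + p2), checks whether the advertised address matches the control-connection address, and records whether the data channel opened or timed out. The function names and the finding fields are assumptions made for this illustration; the log lines are copied from the failing session in the first post.

```python
import re

# Excerpt of the failing session from the first post (CuteFTP log layout).
SAMPLE_LOG = """\
STATUS:>  [5/10/2017 10:04:20 AM] Connecting to FTP server... ftp.thebriars.net.au:21 (ip = 110.232.140.75)...
COMMAND:> [5/10/2017 10:04:20 AM] PASV
          [5/10/2017 10:04:20 AM] 227 Entering Passive Mode (110,232,140,75,203,179)
COMMAND:> [5/10/2017 10:04:20 AM] LIST
STATUS:>  [5/10/2017 10:04:20 AM] Connecting FTP data socket... 110.232.140.75:52147...
ERROR:>   [5/10/2017 10:05:21 AM] Timeout (60000 ms) occurred on receiving server response.
"""

PASV_RE = re.compile(r"\b227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
CTRL_RE = re.compile(r"\(ip = ([\d.]+)\)")        # control-connection peer
OPENED_RE = re.compile(r"\]\s+(150|226) ")         # server started/finished the transfer
TIMEOUT_RE = re.compile(r"^ERROR:>.*Timeout")


def decode_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in PASV reply: {line.strip()}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit(log):
    """One finding per PASV reply: data endpoint, host match, outcome."""
    ctrl_ip, pending, findings = None, None, []
    for line in log.splitlines():
        ctrl = CTRL_RE.search(line)
        endpoint = decode_pasv(line)
        if ctrl:
            ctrl_ip = ctrl.group(1)
        elif endpoint:
            pending = {"data_ip": endpoint[0], "data_port": endpoint[1],
                       "same_host": endpoint[0] == ctrl_ip, "result": "unknown"}
            findings.append(pending)
        elif pending and OPENED_RE.search(line):
            pending["result"] = "data channel opened"
        elif pending and pending["result"] == "unknown" and TIMEOUT_RE.search(line):
            pending["result"] = "timeout"
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A finding with `same_host` true and `result` "timeout" means the server advertised its own address correctly and the client dialed it, so the drop is on the path to that high port rather than in the PASV reply itself.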

        gregeeh
        last edited by Oct 5, 2017, 1:47 AM

        Oh, one thing I should have mentioned, sorry.

        I can connect to this problem site via FTP in Passive Mode if I disable OpenVPN.

        PfSense running on Qotom mini PC
        CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
        UniFi AC-Lite access point

          Derelict LAYER 8 Netgate
          last edited by Oct 5, 2017, 2:13 AM

          Don't know what to tell you. Maybe they are blocking those connections from your OpenVPN provider? Maybe you're routing the FTP connection out the VPN provider but not the passive connection? Maybe your VPN provider is filtering it?
          Connect, start a transfer, start a LIST, then quickly look at Diagnostics > States and filter on the server IP address and see what's there.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            gregeeh
            last edited by Oct 5, 2017, 2:30 AM

            Tried your suggestion and got this:

            https://i.imgur.com/qa6gTkW.jpg

            110.232.140.75:21 is the destination
            192.168.10.13 is my PC LAN IP
            10.10.127.34 is the OpenVPN IP.

            Thanks for your assistance it is greatly appreciated.

            PfSense running on Qotom mini PC
            CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
            UniFi AC-Lite access point

              Derelict LAYER 8 Netgate
              last edited by Oct 5, 2017, 2:44 AM

              You have a bunch of NAT that shouldn't be happening. Did you enable the ftp client proxy or something?

              That won't help with passive - only active. And active data is never, ever going to be forwarded back from your VPN provider anyway.

              If you enabled the proxy, disable it and try again and post the same thing.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                gregeeh
                last edited by Oct 5, 2017, 3:03 AM

                @Derelict:

                You have a bunch of NAT that shouldn't be happening. Did you enable the ftp client proxy or something?

                That won't help with passive - only active. And active data is never, ever going to be forwarded back from your VPN provider anyway.

                If you enabled the proxy, disable it and try again and post the same thing.

                Sorry, FTP Client Proxy was enabled.  Have disabled it and repeated the test.

                https://i.imgur.com/DG1x32T.jpg

                PfSense running on Qotom mini PC
                CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
                UniFi AC-Lite access point

                  Derelict LAYER 8 Netgate
                  last edited by Oct 5, 2017, 4:15 AM

                  Looks perfect. There is no reason there it should not be working. It looks to be something at or upstream of the OpenVPN provider.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    gregeeh
                    last edited by Oct 5, 2017, 4:22 AM

                    @Derelict:

                    Looks perfect. There is no reason there it should not be working. It looks to be something at or upstream of the OpenVPN provider.

                    Thanks, I imagine you mean VPN Provider and not OpenVPN Provider.  Looks like it's off to my VPN Provider.  It is strange that I can connect with some FTP Servers and not others.  Makes me think it's not the VPN Provider.

                    Thanks again.

                    PfSense running on Qotom mini PC
                    CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
                    UniFi AC-Lite access point

                      Derelict LAYER 8 Netgate
                      last edited by Oct 5, 2017, 4:43 AM

                      I have no idea what VPN you have. The one on OPT1.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)
