Issue with FTP Passive?



  • Hi,
    I was wondering if someone could shed some light on the issue I'm having. I currently have pfSense 2.3.5 working and an FTP server behind it. I have ports 21 and 50000-51000 open, but when I FTP using the external IP I connect to the server but get this error:

                Server sent passive reply with unroutable address 192.168.1.208, using host address instead.
                Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
                Could not retrieve directory listing
    

    I checked the states on pfSense:

    LAN 	udp 	192.168.1.208:55162 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	24 / 0 	8 KiB / 0 B 	
    LAN 	tcp 	192.168.1.208:61409 -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	12 / 8 	644 B / 456 B 	
    WAN 	tcp 	181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	12 / 8 	644 B / 456 B 	
    LAN 	tcp 	192.168.1.208:61410 -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	11 / 11 	2 KiB / 4 KiB 	
    WAN 	tcp 	181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	11 / 11 	2 KiB / 4 KiB 	
    WAN 	tcp 	181.33.164.130:50856 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	31 / 16 	1 KiB / 1 KiB 	
    LAN 	tcp 	181.33.164.130:50856 -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	31 / 16 	1 KiB / 1 KiB 	
    WAN 	tcp 	181.33.164.130:51566 -> 192.168.1.208:5760 (181.xx.xx.5:50760) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	tcp 	181.33.164.130:51566 -> 192.168.1.208:5760 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    WAN 	tcp 	181.33.164.130:52495 -> 192.168.1.208:5730 (181.xx.xx.5:50730) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	tcp 	181.33.164.130:52495 -> 192.168.1.208:5730 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	tcp 	192.168.1.167:49330 -> 192.168.1.208:21 (181.xx.xx.5:21) 	FIN_WAIT_2:FIN_WAIT_2 	19 / 19 	908 B / 1 KiB 	
    LAN 	tcp 	192.168.1.254:1397 (192.168.1.167:49330) -> 192.168.1.208:21 	FIN_WAIT_2:FIN_WAIT_2 	19 / 19 	908 B / 1 KiB 	
    LAN 	tcp 	192.168.1.167:49395 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	17 / 16 	828 B / 1 KiB 	
    LAN 	tcp 	192.168.1.254:51942 (192.168.1.167:49395) -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	17 / 16 	828 B / 1 KiB 	
    LAN 	tcp 	192.168.1.167:49396 -> 192.168.1.208:5794 (181.xx.xx.5:50794) 	TIME_WAIT:TIME_WAIT 	1 / 1 	52 B / 40 B 	
    LAN 	tcp 	192.168.1.254:38121 (192.168.1.167:49396) -> 192.168.1.208:5794 	TIME_WAIT:TIME_WAIT 	1 / 1 	52 B / 40 B 	
    LAN 	udp 	192.168.1.208:63703 -> 192.168.1.255:1947 	NO_TRAFFIC:SINGLE 	1 / 0 	68 B / 0 B 	
    

    Any ideas?

    Thank you



  • Netgate

    The server also tells the client which port to connect to. It looks like you have the server set to 5000-6000 so that is what the client will try to connect to. You can't translate the ports like that unless you can tell the server to listen on 5000-6000 but instruct the clients to connect to 50000-51000.

    While you're in there, tell your server to send the WAN address instead of its inside address. Some clients will not make that change to the host address and will dutifully do exactly what the server tells them to do - connect to the RFC1918 address which will be, of course, impossible.
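    As an added illustration of the two points in the reply above (this is not code from the thread, from pfSense or from FileZilla), the following Python decodes a 227 PASV reply the way a client does and flags both misconfigurations: an RFC1918 address in the reply and a data port outside the range the firewall forwards. The WAN address 203.0.113.5, the forwarded range and the reply lines are constructed placeholders.

```python
import ipaddress
import re

# Constructed placeholders: 203.0.113.5 stands in for the firewall's WAN address
# and range(50000, 51001) for the data-port range forwarded to the FTP server.
WAN_ADDRESS = "203.0.113.5"
FORWARDED_DATA_PORTS = range(50000, 51001)

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for private addresses, which are unroutable from the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_pasv(ip, port):
    """Build the 227 reply a correctly configured server sends: external IP, forwarded port."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (",".join(ip.split(".")), port // 256, port % 256)


def check_pasv(reply, control_host=WAN_ADDRESS, forwarded=FORWARDED_DATA_PORTS):
    """Return (ip, port, problems): where a client would really connect, and why it would fail.

    control_host is the address the client dialled for port 21; the fallback mirrors the
    'using host address instead' behaviour quoted in the error message above.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip) and not is_rfc1918(control_host):
        problems.append("server advertised unroutable address %s; client falls back to %s" % (ip, control_host))
        ip = control_host
    if port not in forwarded:
        problems.append("data port %d is outside forwarded range %d-%d; the firewall will refuse it"
                        % (port, forwarded.start, forwarded.stop - 1))
    return ip, port, problems


# Constructed sample: the misconfiguration described in the post (private address, port 5760)
BAD_REPLY = "227 Entering Passive Mode (192,168,1,208,22,128)"
# Constructed sample: the same server after being told its external IP and a forwarded port
GOOD_REPLY = build_pasv(WAN_ADDRESS, 50760)
```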



  • Thanks for the reply. Sorry, I made a mistake on the port; I fixed it, but still no luck.
    When you say send your WAN address instead of its inside address, you mean on the FTP server? I'm currently using FileZilla with passive ports 50000-51000 and the WAN IP instead of the LAN.

    LAN 	tcp 	192.168.1.208:61409 -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	370 / 249 	21 KiB / 13 KiB 	
    WAN 	tcp 	181.xx.xx.5:51675 (192.168.1.208:61409) -> 217.146.21.135:5938 	ESTABLISHED:ESTABLISHED 	370 / 249 	21 KiB / 13 KiB 	
    LAN 	tcp 	192.168.1.208:61410 -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	153 / 153 	7 KiB / 22 KiB 	
    WAN 	tcp 	181.xx.xx.5:52125 (192.168.1.208:61410) -> 18.210.135.81:443 	ESTABLISHED:ESTABLISHED 	153 / 153 	7 KiB / 22 KiB 	
    WAN 	tcp 	181.143.42.187:11959 -> 192.168.1.208:21 (181.xx.xx.5:21) 	ESTABLISHED:ESTABLISHED 	13 / 11 	770 B / 1 KiB 	
    LAN 	tcp 	181.143.42.187:11959 -> 192.168.1.208:21 	ESTABLISHED:ESTABLISHED 	13 / 11 	770 B / 1 KiB 	
    WAN 	tcp 	181.143.42.187:43024 -> 192.168.1.208:5397 (181.xx.xx.5:50397) 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	tcp 	181.143.42.187:43024 -> 192.168.1.208:5397 	TIME_WAIT:TIME_WAIT 	1 / 1 	60 B / 40 B 	
    LAN 	udp 	192.168.1.208:56741 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	30 / 0 	10 KiB / 0 B 	
    LAN 	udp 	192.168.1.208:63703 -> 192.168.1.255:1947 	NO_TRAFFIC:SINGLE 	1 / 0 	68 B / 0 B 	
    LAN 	udp 	192.168.1.208:56742 -> 192.168.1.255:5002 	NO_TRAFFIC:SINGLE 	2 / 0 	668 B / 0 B
    



  • Netgate

    @killmasta93 said in Issue with FTP Passive?:

    Server sent passive reply with unroutable address 192.168.1.208, using host address instead.

    With those settings you would not be getting that error.

    Everything looks fine on the rules based on that last screen shot.

    Packet capture the port 21 traffic on WAN or, better yet, capture all traffic from the IP address you are testing from on the WAN. I'll PM you a link you can upload it to so I can look at it.



  • Thanks, I sent you the upload.