1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

"500 Illegal PORT Command" when running FTP on alternative port (Victek)

Discussion in 'Tomato Firmware' started by premudriy, Jul 6, 2011.

  1. premudriy

    premudriy LI Guru Member

    Hello everyone,

    I have RT-N16 with Victek's RAF on it (RAF1.28.9004 MIPSR2RAF K26 USB VPN-NOCAT).

    I am trying to run FTP server on some alternative port other than 21. With default port 21 it works perfectly, no errors.

    When I change the FTP Port to some other port (say 30021) I get "500 Illegal PORT command in all my clients (Total Commander, Filezilla).

    I even manually forwarded ports 30010-30030 to router itself (192.168.1.1), but still getting "Illegal PORT Command".


    Is there any special VSFTPD configuration that I have to use? I remember a few versions back I already tried alternative port with Victek's mod and it worked, but now it doesn't.


    Can someone give any hints?
     
  2. Toink

    Toink Network Guru Member

    This has been an issue even with non-Victec's build for some time now... The trick is to forward ports 55536-55663 (default FTP port range) to your server as well.
     
  3. premudriy

    premudriy LI Guru Member

    Hi, Toink, and thank you for your response. I finally got back home and had a chance to try your advice.

    For some reason I'm still getting "500 Illegal PORT command" in both active and passive ftp mode.

    I even forwarded ports 55000-56000, along with a non-standard port that I'm using (tried 5050, 55500).

    If you, Toink, or someone else has some more tips, please share. I'll do some more experimentation and post back if I get a success.
     
  4. premudriy

    premudriy LI Guru Member

    Some more info from experiments:

    1) As per instructions from some other forum, I've set pasv_address=my_external_ip, pasv_min_port=5600, pasv_max_port=5700. Then forwarded 5600-5700 to the router and tried connecting directly by my external IP instead of dyndns hostname. It still didn't work.

    2) Also, as I've said earlier it works if on my local LAN I connect to FTP by my dyndns hostname (with default configuration, no extra settings for SFTPD). So, I've used TCPView to see what ports connections were maid. It seems that it is 50000-52000. I went ahead and forwarded a wide range of ports (30000-60000) to 192.168.1.1. Still no success connecting from outside and same "illegal port" error.
     
  5. premudriy

    premudriy LI Guru Member

    Ok, I think I see the main problem. It seems that PORT command is always set to be local, i.e. 192.168.1.1, even if I connect directly by my external IP or set "pasv_addr_resolve".

    Here's a log excerpt:
    Code:
    response: Client "XX.XX.XX.XX", "230 Login successful."
    command: Client "XX.XX.XX.XX", "SYST"
    response: Client "XX.XX.XX.XX", "215 UNIX Type: L8"
    command: Client "XX.XX.XX.XX", "PWD"
    response: Client "XX.XX.XX.XX", "257 "/""
    command: Client "XX.XX.XX.XX", "TYPE A"
    response: Client "XX.XX.XX.XX", "200 Switching to ASCII mode."
    command: Client "XX.XX.XX.XX", "PASV"
    response: Client "XX.XX.XX.XX", "227 Entering Passive Mode (MY,EXTERNAL,IP,HERE,78,105)."
    command: Client "XX.XX.XX.XX", "[COLOR="Red"][B]PORT 192,168,1,77,12,48[/B][/COLOR]"
    response: Client "XX.XX.XX.XX", "500 Illegal PORT command."
    command: Client "XX.XX.XX.XX", "QUIT"
    response: Client "XX.XX.XX.XX", "221 Goodbye."
    
    It seems like client is actually sending this PORT command. Hmm, I'll try to use some more FTP clients to see if any of them send PORT with external IP instead of what router tells it to use (192.168.1.1).
     
  6. premudriy

    premudriy LI Guru Member

    Tried a couple of other FTP clients and they all behave the same way. So, it must still be something with VSFTPD. I don't know what else to try...
     
  7. Manoj Kumar

    Manoj Kumar Network Newbie Member

    mmosoll likes this.

Share This Page