
FTP Fails to Display Directory and Disconnects

Discussion in 'Tomato Firmware' started by Bill_S, Jan 31, 2012.

  1. Bill_S

    Bill_S Network Guru Member

    I need help. I am trying to setup the FTP server on my WRTSL54GS that is running Tomato Firmware v1.28.9054 MIPSR1-beta K26 USB Ext. I am not using the WRTSL54GS as a router I have it setup as a Wi-Fi access point and a switch. I have turned off DHCP on the device and I use the WAN port as a LAN port.

    I have my router, a WRT54GS_v1.1 running Tomato Firmware v1.28.7821 MIPSR1-Toastman-ND K26 MiniIPv6, setup to forward the port I am using for FTP to the WRTSL54GS. I can’t use port 21, because my ISP here in Brazil, is blocking that port so I use another port.

    I have my son in the US testing to see if it is working and so far he can connect but the directory won’t display and the connection is dropped.

    I am fairly sure the issue is with my router because I can ftp in using the LAN IP address and the directory is displayed properly, but not when an attempt is made from outside my LAN.

    I have included the logs from the WRTSL54GS and from my son’s system. Can anyone tell me what I am doing wrong and how to correct it?
    Thanks

    Log from WRTSL54GS (AP3 192.168.122.3)
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22804]: [user] OK LOGIN: Client "x.xx.xxx.xxx"
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "230 Login successful."
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP command: Client "x.xx.xxx.xxx", "SYST"
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "215 UNIX Type: L8"
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP command: Client "x.xx.xxx.xxx", "FEAT"
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "211-Features:"
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " EPRT^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " EPSV^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " MDTM^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " PASV^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " REST STREAM^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " SIZE^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " TVFS^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", " UTF8^M "
    Jan 29 18:13:00 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "211 End"
    Jan 29 18:13:01 AP3 ftp.info vsftpd[22806]: [user] FTP command: Client "x.xx.xxx.xxx", "OPTS UTF8 ON"
    Jan 29 18:13:01 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "200 Always in UTF8 mode."
    Jan 29 18:13:01 AP3 ftp.info vsftpd[22806]: [user] FTP command: Client "x.xx.xxx.xxx", "PWD"
    Jan 29 18:13:01 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "257 "/""
    Jan 29 18:13:01 AP3 ftp.info vsftpd[22806]: [user] FTP command: Client "x.xx.xxx.xxx", "TYPE I"
    Jan 29 18:13:01 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "200 Switching to Binary mode."
    Jan 29 18:13:02 AP3 ftp.info vsftpd[22806]: [user] FTP command: Client "x.xx.xxx.xxx", "PASV"
    Jan 29 18:13:02 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "227 Entering Passive Mode (192,168,122,3,174,207)."
    Jan 29 18:13:02 AP3 ftp.info vsftpd[22806]: [user] FTP command: Client "x.xx.xxx.xxx", "LIST"
    Jan 29 18:14:02 AP3 ftp.info vsftpd[22806]: [user] FTP response: Client "x.xx.xxx.xxx", "425 Failed to establish connection."

    Log from Client
    Status: Resolving address of ftpsite.com
    Status: Connecting to xxx.xxx.xxx.xxx:xxxx…
    Status: Connection established, waiting for welcome message…
    Response: 220 (vsFTPd 2.3.2)
    Command: USER name
    Response: 331 Please specify the password.
    Command: PASS **
    Response: 230 Login successful.
    Command: SYST
    Response: 215 UNIX Type: L8
    Command: FEAT
    Response: 211-Features:
    Response: EPRT
    Response: EPSV
    Response: MDTM
    Response: PASV
    Response: REST STREAM
    Response: SIZE
    Response: TVFS
    Response: UTF8
    Response: 211 End
    Command: OPTS UTF8 ON
    Response: 200 Always in UTF8 mode.
    Status: Connected
    Status: Retrieving directory listing…
    Command: PWD
    Response: 257 "/"
    Command: TYPE I
    Response: 200 Switching to Binary mode.
    Command: PASV
    Response: 227 Entering Passive Mode (192,168,122,3,174,207).
    Status: Server sent passive reply with unroutable address. Using server address instead.
    Command: LIST
    Error: Connection timed out
    Error: Failed to retrieve directory listing
     
  2. Toink

    Toink Network Guru Member

    Aside from forwarding your FTP server ports, have you also tried forwarding 55536-55663 to your server's IP?

    After a few dozen Tomato builds I've installed, and making sure I've configured everything an FTP should correctly, I've come to a conclusion that I also need to forward these ports for the directory to load.
     
  3. Bill_S

    Bill_S Network Guru Member

    Thanks Toink, I forwarded those ports to the FTP server but the problem continues to remain. Any other suggestions?
     
  4. Toink

    Toink Network Guru Member

    How does your son access your FTP server? FTP client? Browser? Did he try a different client?
     
  5. Bill_S

    Bill_S Network Guru Member

    He has used IE9 (ftp://address:port) and FireFTP, a Firefox add-on; both give the exact same results.
     
  6. alfred

    alfred Networkin' Nut Member

    This line indicates that the FTP server uses port 174 * 256 + 207 = 44751 for the data transfer while entering Passive Mode.

    Generally an FTP server uses a passive port range for the data transfer, so you must set a port mapping for it.
    But I don't know what port range Tomato sets it to.
     
  7. Porter

    Porter LI Guru Member

  8. Bill_S

    Bill_S Network Guru Member

    I decided to test to see if I could get another FTP server on one of my PC’s to work using the same settings. I disabled the FTP server in Tomato and setup Cerberus FTP server on a PC using the same port and then had my son try and sign in. It failed the same way (connected but no directory listing, then timed out) but I did see a message in the log that directed me to a Cerberus FAQ. The FAQ had me forward ports 11000 to 12000 to the PC’s internal IP address. It referred to it as the PASV port range. Once I did that my son tried again and it worked like a charm, it connected and displayed the directory.
    I shut down the Cerberus server, reset the port forwards (default ftp and PASV) to the Tomato FTP servers IP and restarted it. Failure, my son could log in but the directory would not display and it timed out.
    I think the problem relates to the PASV port range but I can’t find anyplace to set those ports in the Tomato FTP settings and I can’t find any reference to which PASV ports it uses by default.
    Stumped for now.
     
  9. alfred

    alfred Networkin' Nut Member

    Refer to: http://vsftpd.beasts.org/vsftpd_conf.html

    pasv_max_port
    The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
    Default: 0 (use any port)

    pasv_min_port
    The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
    Default: 0 (use any port)

    You can set it in Custom Configuration on the USB and NAS / FTP Server page, then set the port mapping for it.
     
  10. Bill_S

    Bill_S Network Guru Member

    I would like to set up a PASV port range starting at port 11000 and ending at port 12000. So would I enter the following into the vsftpd Custom Configuration?
    pasv_enable=yes
    pasv_max_port=11000
    pasv_min_port=12000

    Is this the correct way?
     
  11. alfred

    alfred Networkin' Nut Member

    You only need the last max/min lines. pasv_enable is set to yes by default.
    You have set the values incorrectly; the max should be > the min.
     
  12. Bill_S

    Bill_S Network Guru Member

    Doing some more research and found these settings in a Linux forum. I used them, substituting my ports and my FTP server’s internal address and it worked. Now, when my son logged in from the US, the directory displays correctly. Thanks to Alfred and Toink for your help and guidance, you guys are really great.

    pasv_enable=YES
    pasv_promiscuous=YES
    pasv_min_port=11000
    pasv_max_port=12000
    pasv_address=192.168.122.3
     
  13. Porter

    Porter LI Guru Member

    You've only solved one half of your problem. You did solve the problem with the port forwarding. Although it seems a bit excessive to forward 1000 ports for only one user. I don't know what vsftp does when there is an unsolicited connection request on one of those 1000 ports. Depending on that this could pose a security risk, because vsftp will get detected more easily.

    The other part of your problem and to me the more obvious one is that your vsftp still sends out the wrong IP address. Unfortunately nobody took the time to read the log with attention to detail!

    What does this part of the client's log tell us?
    In the first line the client asks to establish a passive ftp connection.
    In the second line the server tells the client to contact him under 192.168.122.3 and the specific port (last two numbers). Hmm, this can't be right, can it? An IP from the local address space?!
    And indeed in the second line the client notes that this is an "unroutable address", and that the client will be using the IP address of the WAN interface of the router instead!

    Why is that important?

    Taken from the vsftpd man-page:

    What we have learned while looking at the logs is that 192.168.122.3 is the wrong address. What you have done is to explicitly tell vsftpd to use this address. The interesting part is why this doesn't matter any more.

    At the same time you set

    Again, taken from the vsftpd man-page:

    I think this option does at least another security check that isn't mentioned here: The condition in the first sentence is probably always true, unless something fishy is going on. The client's source IP address will always be the same.
    Now to the undocumented part:
    I think that if this is set to NO, this ensures that the client _has_ to contact the server under the given IP address which is 192.168.122.3. So if set to YES, any IP address coming in over the given port can establish a passive ftp connection. From a security standpoint this doesn't seem right.

    But how can you contact a ftp server behind NAT securely?

    Again taken from the vfstpd man-page:

    So you could set this to YES and then put a hostname like "my-ftp-server.dyndns.org" in pasv_address, if you don't have a static IP for your WAN interface. The only problem that I see there is that the dyndns servers probably need a few minutes to refresh their DNS cache. Put a script under "WAN Up". This script should shut down vsftpd when there is a reconnect and then wait for a few minutes so the DNS request will resolve to your new WAN IP. Alternatively you could write a script that rewrites the pasv_address variable in the config file each time there is a reconnect by querying a what-is-my-ip service and then restarts vsftpd. When your reconnect is only once a day and preferably somewhere at night when nobody wants to contact you this shouldn't be a big deal.
     
  14. Bill_S

    Bill_S Network Guru Member

    Porter, thank you for taking the time to examine the logs and explain the issues. Much of what I have done is based on guesswork, and I am not sure about some of what you have pointed out.
    I have a domain and have several services that update the domains dynamic IP address. I am not sure about the explanation regarding pointing to the FTP server. The FTP server is 192.168.122.3 on my LAN, does the port forwarding take care of the client connection to the FTP server? If I point to the domain then how does the FTP client find the FTP server?
    The reason I used the ports I did was simply based on the default settings that were used by Cerberus FTP server. When I ran a test using Cerberus my son in the USA was able to see it so I used the same ports. Could I set it to pasv_min_port=11000 and pasv_max_port=11001?

    Does this look right?
    pasv_enable=YES
    pasv_min_port=11000
    pasv_max_port=11001
    pasv_addr_resolve=YES
    pasv_address= my-ftp-server.dyndns.org

    Thanks again.
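    Added example, not part of the thread: a Python checker for the PASV-related lines of a vsftpd custom configuration. It catches the three issues raised above: the swapped min/max ports from the first attempt, pasv_promiscuous=YES (which turns off vsftpd's check that the data connection comes from the same IP as the control connection), and a pasv_address that is either a private LAN address or a hostname without pasv_addr_resolve=YES. The sample config is constructed from the values posted in the thread.

```python
import ipaddress

# Constructed sample: the first attempt from the thread, with min/max
# swapped and pasv_promiscuous left on.
SAMPLE_CONFIG = """\
pasv_enable=YES
pasv_promiscuous=YES
pasv_max_port=11000
pasv_min_port=12000
pasv_address=192.168.122.3
"""


def parse_vsftpd_conf(text):
    """Parse vsftpd 'key=value' lines into a dict; blanks and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_pasv_settings(conf):
    """Return a list of findings about the PASV settings (empty list = fine)."""
    findings = []
    lo = int(conf.get('pasv_min_port', '0'))
    hi = int(conf.get('pasv_max_port', '0'))
    if lo and hi and lo > hi:
        findings.append('pasv_min_port (%d) is greater than pasv_max_port (%d)' % (lo, hi))
    if conf.get('pasv_promiscuous', 'NO').upper() == 'YES':
        findings.append('pasv_promiscuous=YES disables the data-connection source-IP check')
    addr = conf.get('pasv_address')
    if addr:
        try:
            if ipaddress.ip_address(addr).is_private:
                findings.append('pasv_address %s is a private address; clients '
                                'outside the NAT cannot reach it' % addr)
        except ValueError:
            # Not an IP literal, so a hostname: vsftpd only resolves it with
            # pasv_addr_resolve=YES.
            if conf.get('pasv_addr_resolve', 'NO').upper() != 'YES':
                findings.append('pasv_address is a hostname but pasv_addr_resolve is not YES')
    return findings
```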
     
  15. Porter

    Porter LI Guru Member

    As far as I understand it, your vsftpd is listening on another port than 21, so you probably have an iptables rule to forward that secret port to your internal server. This shouldn't be a problem and seems to have worked so far (as demonstrated by your logs).

    Just two ports for the PASV mode might be a bit tight but then again this should be enough, since one port should suffice (just to be clear: FTP needs your secret port and _one_ other port between 1024-65535).

    The problem with pasv_address seems to be that this hostname will only be resolved once, and that is when vsftpd is being started. So whenever there is a reconnect and the IP of the WAN interface changes, pasv_address will have to be refreshed, too. This is why you need a script under WAN Up to tell vsftpd to restart, preferably with a few minutes of waiting time.
     
  16. Bill_S

    Bill_S Network Guru Member

    Maybe 20 ports, say 11000 - 11020. Yes I did change the default port from 21 to one specific port because my ISP blocks port 21 and I forward that port to the FTP server and have that port specified by the client. Do the rest of the changes look ok?
    To be honest, I have no idea how to write a script, could you provide pointers or the wording for the script?
     
  17. Porter

    Porter LI Guru Member

    I haven't looked up how vsftpd is being started, but these three lines could be sufficient:

    Put this under Administration/Scripts/WAN Up.

    You need to modify the last line to where the vsftpd binary is.

    If there is a start/stop-script for this, then this should be used.
     
  18. Bill_S

    Bill_S Network Guru Member

    As you may recall, the FTP server and all of its settings reside on a WRTSL54GS that has an IP address of 192.168.122.3. It is on this device that I am making all of the setting changes with the ONLY exception being the port forwarding which is done on the router. All of the settings we have discussed are done on the device running the FTP server.
    With that said, should I put the WAN Up script in the routers script or the FTP servers script?
     
  19. Porter

    Porter LI Guru Member

    Funny, that tiny logical error never occurred to me... ;)

    Ok, then you need another solution. But at the moment I have no exact idea as to how to check for an IP change, although I have seen people do it. One thing I can tell you: the new script on 192.168.122.3 has to be put on a jffs partition and executed via Administration/Scheduler.

    I don't know how well you know your way around the shell..., but google probably has some examples.

    Maybe I'll have a look at this myself.
     
  20. Porter

    Porter LI Guru Member

    Ok, I seem to have figured out how to do this by googling. That's the script:

    Code:
    #!/bin/sh
    
    # Current public IP, as returned by the what-is-my-ip service.
    IP=$(wget -q -O - http://whatismyip.org/)
    # IP seen on the previous run; empty on the first run, when the file does not exist yet.
    OLDIP=$(cat /tmp/ip.txt 2>/dev/null)
    
    # Only act when the lookup succeeded and the address actually changed.
    if [ -n "$IP" ] && [ "$IP" != "$OLDIP" ]; then
            echo "$IP" > /tmp/ip.txt
            ### put the restart command here
    fi
    
    Put this script under /jffs (enable it first if you have to). Do a chmod 744 to the file (i.e. chmod 744 ip-change-script). And then put the script in the scheduler (/jffs/ip-change-script) and let it run every few minutes.
     
