Gentoo Forums
FTP-server: can only connect with public IP from outside
AndrewAmmerlaan
Apprentice

Joined: 25 Jun 2014
Posts: 175
Location: Lent

PostPosted: Wed Oct 14, 2020 2:39 pm    Post subject: FTP-server: can only connect with public IP from outside

Hi,

I've been trying to set up a vsftpd server, and I sort of got it working. I can access it from my PC with the internal IP address 192.168.etc, and I can access it from outside of the local network with the public IP address. However, when I try to access it with the public IP address from within the local network, it logs in successfully but fails to load the directory. I would like to have one configuration work both inside and outside of the local network; how can I accomplish this?
_________________
OS: Gentoo KDE x86_64 (~amd64, 5.3.9-gentoo)
MB: MSI Z370-A PRO
CPU: Intel Core i7-8700K
GPU: AMD RX 590 8GB & Intel UHD Graphics 630
SSD: Samsung 970 Pro 512GB
RAM: Crucial Ballistix 32GB DDR4-2400
mike155
Advocate

Joined: 17 Sep 2010
Posts: 2484
Location: Frankfurt, Germany

PostPosted: Wed Oct 14, 2020 4:32 pm

Quote:
it logs in successfully but fails to load the directory.

Sounds like a firewall issue. Remember that FTP opens a second connection for the data channel.

Does it work if you switch to passive (or active) before you load (list?) the directory?
AndrewAmmerlaan
Apprentice

Joined: 25 Jun 2014
Posts: 175
Location: Lent

PostPosted: Wed Oct 14, 2020 5:18 pm

mike155 wrote:
Quote:
it logs in successfully but fails to load the directory.

Sounds like a firewall issue. Remember that FTP opens a second connection for the data channel.

Does it work if you switch to passive (or active) before you load (list?) the directory?


I don't run a firewall, the router does though, I have forwarded the data port 20, the access port, and a port range for passive mode (and set the appropriate variables in the vsftpd.conf file).

I can connect from e.g. my phone on 3G to the server; I however cannot connect from my phone when it is connected to the same Wi-Fi as the server (unless I change to the local IP).
Banana
l33t

Joined: 21 May 2004
Posts: 680
Location: Germany

PostPosted: Thu Oct 15, 2020 8:03 am

What about port 21?

http://slacksite.com/other/ftp.html#active
_________________
My personal space
Marcih
Apprentice

Joined: 19 Feb 2018
Posts: 208

PostPosted: Thu Oct 15, 2020 8:42 am

Maybe vsftpd doesn't play nice with hairpin NAT?
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.

NeddySeagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.
AndrewAmmerlaan
Apprentice

Joined: 25 Jun 2014
Posts: 175
Location: Lent

PostPosted: Thu Oct 15, 2020 9:20 am

Banana wrote:
what about port 21?

http://slacksite.com/other/ftp.html#active


I changed it from the default (for security-through-obscurity reasons), but I did forward it; nmap shows it is open (and it works just fine on my phone on 3G).

I did not change the data port, because the manual says some clients insist on it being 20 and no other.

Marcih wrote:
Maybe vsftpd doesn't play nice with hairpin NAT?


That is what I'm thinking as well, but I cannot find any documentation on this, or anyone else with the same problem. If I configure a firewall on the PC that is running the server to hairpin the FTP requests to the public IP to the internal IP, it works just fine. Perhaps it is just my router? Or maybe a security feature of vsftpd?

Here's a log from a successful connection on 3G:

Code:

Thu Oct 15 11:08:09 2020 [pid 2] CONNECT: Client "<phone's_ip_on_3g>"
Thu Oct 15 11:08:09 2020 [pid 2] FTP response: Client "<phone's_ip_on_3g>", "220 (vsFTPd 3.0.3)"
Thu Oct 15 11:08:09 2020 [pid 2] FTP command: Client "<phone's_ip_on_3g>", "USER anonymous"
Thu Oct 15 11:08:10 2020 [pid 2] [anonymous] FTP response: Client "<phone's_ip_on_3g>", "530 Permission denied."
Thu Oct 15 11:08:11 2020 [pid 2] CONNECT: Client "<phone's_ip_on_3g>"
Thu Oct 15 11:08:11 2020 [pid 2] FTP response: Client "<phone's_ip_on_3g>", "220 (vsFTPd 3.0.3)"
Thu Oct 15 11:08:29 2020 [pid 2] FTP command: Client "<phone's_ip_on_3g>", "USER <USER>"
Thu Oct 15 11:08:29 2020 [pid 2] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "331 Please specify the password."
Thu Oct 15 11:08:29 2020 [pid 2] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "PASS <password>"
Thu Oct 15 11:08:29 2020 [pid 1] [<USER>] OK LOGIN: Client "<phone's_ip_on_3g>"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "230 Login successful."
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "SYST"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "215 UNIX Type: L8"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "FEAT"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "211-Features:"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " EPRT??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " EPSV??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " MDTM??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " PASV??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " REST STREAM??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " SIZE??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " TVFS??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", " UTF8??"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "211 End"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "OPTS UTF8 ON"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "200 Always in UTF8 mode."
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "PWD"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "257 "/" is the current directory"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "TYPE I"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "200 Switching to Binary mode."
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "PASV"
Thu Oct 15 11:08:29 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "227 Entering Passive Mode (<server's_internal_ip>,193,43)."
Thu Oct 15 11:08:30 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "CWD /"
Thu Oct 15 11:08:30 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "250 Directory successfully changed."
Thu Oct 15 11:08:30 2020 [pid 3] [<USER>] FTP command: Client "<phone's_ip_on_3g>", "LIST"
Thu Oct 15 11:08:30 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "150 Here comes the directory listing."
Thu Oct 15 11:08:30 2020 [pid 3] [<USER>] FTP response: Client "<phone's_ip_on_3g>", "226 Directory send OK."


And here is the same phone on Wi-Fi:

Code:

Thu Oct 15 11:09:45 2020 [pid 2] CONNECT: Client "<my_public_ip>"
Thu Oct 15 11:09:45 2020 [pid 2] FTP response: Client "<my_public_ip>", "220 (vsFTPd 3.0.3)"
Thu Oct 15 11:09:45 2020 [pid 2] FTP command: Client "<my_public_ip>", "USER anonymous"
Thu Oct 15 11:09:46 2020 [pid 2] [anonymous] FTP response: Client "<my_public_ip>", "530 Permission denied."
Thu Oct 15 11:09:47 2020 [pid 2] CONNECT: Client "<my_public_ip>"
Thu Oct 15 11:09:47 2020 [pid 2] FTP response: Client "<my_public_ip>", "220 (vsFTPd 3.0.3)"
Thu Oct 15 11:10:04 2020 [pid 2] FTP command: Client "<my_public_ip>", "USER <USER>"
Thu Oct 15 11:10:04 2020 [pid 2] [<USER>] FTP response: Client "<my_public_ip>", "331 Please specify the password."
Thu Oct 15 11:10:04 2020 [pid 2] [<USER>] FTP command: Client "<my_public_ip>", "PASS <password>"
Thu Oct 15 11:10:04 2020 [pid 1] [<USER>] OK LOGIN: Client "<my_public_ip>"
Thu Oct 15 11:10:04 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "230 Login successful."
Thu Oct 15 11:10:04 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "SYST"
Thu Oct 15 11:10:04 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "215 UNIX Type: L8"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "FEAT"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "211-Features:"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " EPRT??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " EPSV??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " MDTM??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " PASV??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " REST STREAM??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " SIZE??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " TVFS??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", " UTF8??"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "211 End"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "OPTS UTF8 ON"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "200 Always in UTF8 mode."
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "PWD"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "257 "/" is the current directory"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "TYPE I"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "200 Switching to Binary mode."
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "PASV"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "227 Entering Passive Mode (<server's_internal_ip>,193,133)."
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "CWD /"
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "250 Directory successfully changed."
Thu Oct 15 11:10:05 2020 [pid 3] [<USER>] FTP command: Client "<my_public_ip>", "LIST"
Thu Oct 15 11:11:05 2020 [pid 3] [<USER>] FTP response: Client "<my_public_ip>", "425 Failed to establish connection."
Thu Oct 15 11:11:49 2020 [pid 3] [<USER>] FTP response: Client "<server's_internal_ip>", "421 Timeout."
Thu Oct 15 11:12:26 2020 [pid 3] [<USER>] FTP response: Client "<server's_internal_ip>", "421 Timeout."

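mike155's point about the second connection and the two logs above can be turned into a check that runs against the log itself. The script below is an added example, not code from the thread or from vsftpd: a POSIX shell script that decodes every 227 reply (the port is p1*256+p2) and pairs it with the first 226 or 4xx response that follows, so a 425 arriving exactly 60 seconds after LIST (vsftpd's default accept_timeout) is reported next to the endpoint the server advertised, and a session where the data channel came up shows 226. The sample log is constructed to mirror the two sessions above using documentation addresses, and the passive range 49152-49600 is an assumption standing in for whatever pasv_min_port/pasv_max_port the server really uses.

```shell
#!/bin/sh
# Added example (not from the thread): decode vsftpd PASV replies from the protocol log
# and correlate each with the outcome of the transfer that followed it.

# pasv_decode REPLY -> "a.b.c.d:port". A 227 reply carries (h1,h2,h3,h4,p1,p2); port = p1*256+p2.
pasv_decode() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    set -- $nums                      # word-split on purpose: six numbers or nothing
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# pasv_outcomes [LOGFILE]: one line per PASV reply in a vsftpd log (log_ftp_protocol=YES):
#   <control peer> <advertised endpoint> <private-addr|public-addr> <in-range|OUT-OF-RANGE> <code>
# <code> is the first 226 (data channel worked) or 4xx (it did not) after the PASV reply.
# PASV_MIN/PASV_MAX are the ports forwarded on the router; defaults are an assumption.
pasv_outcomes() {
    awk -v min="${PASV_MIN:-49152}" -v max="${PASV_MAX:-49600}" '
    function client(line,    s) { s = line; sub(/.*Client "/, "", s); sub(/".*/, "", s); return s }
    function private(a) { return a ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ }
    /FTP response:.*"227 Entering Passive Mode/ {
        s = $0; sub(/.*Passive Mode \(/, "", s); sub(/\).*/, "", s)
        if (split(s, f, ",") != 6) next
        peer = client($0)
        host = f[1] "." f[2] "." f[3] "." f[4]
        port = f[5] * 256 + f[6]
        flags = (private(host) ? "private-addr" : "public-addr")
        flags = flags " " ((port >= min && port <= max) ? "in-range" : "OUT-OF-RANGE")
        pending = 1
        next
    }
    pending && /FTP response:/ {
        s = $0; sub(/.*", "/, "", s)          # keep only the reply text
        code = substr(s, 1, 3)
        if (code == "226" || code ~ /^4/) { print peer, host ":" port, flags, code; pending = 0 }
    }' "$@"
}

# Constructed sample modelled on the two sessions in the thread (documentation addresses,
# placeholder user): first a working listing, then the 425 after the 60 s accept timeout.
sample_log() {
    cat <<'EOF'
Thu Oct 15 11:08:29 2020 [pid 3] [alice] FTP command: Client "203.0.113.7", "PASV"
Thu Oct 15 11:08:29 2020 [pid 3] [alice] FTP response: Client "203.0.113.7", "227 Entering Passive Mode (192,168,1,10,193,43)."
Thu Oct 15 11:08:30 2020 [pid 3] [alice] FTP command: Client "203.0.113.7", "CWD /"
Thu Oct 15 11:08:30 2020 [pid 3] [alice] FTP response: Client "203.0.113.7", "250 Directory successfully changed."
Thu Oct 15 11:08:30 2020 [pid 3] [alice] FTP command: Client "203.0.113.7", "LIST"
Thu Oct 15 11:08:30 2020 [pid 3] [alice] FTP response: Client "203.0.113.7", "150 Here comes the directory listing."
Thu Oct 15 11:08:30 2020 [pid 3] [alice] FTP response: Client "203.0.113.7", "226 Directory send OK."
Thu Oct 15 11:10:05 2020 [pid 3] [alice] FTP command: Client "198.51.100.20", "PASV"
Thu Oct 15 11:10:05 2020 [pid 3] [alice] FTP response: Client "198.51.100.20", "227 Entering Passive Mode (192,168,1,10,193,133)."
Thu Oct 15 11:10:05 2020 [pid 3] [alice] FTP command: Client "198.51.100.20", "LIST"
Thu Oct 15 11:11:05 2020 [pid 3] [alice] FTP response: Client "198.51.100.20", "425 Failed to establish connection."
Thu Oct 15 11:11:49 2020 [pid 3] [alice] FTP response: Client "192.168.1.10", "421 Timeout."
EOF
}

# Usage: sh pasv_check.sh --demo        (constructed sample)
#        sh pasv_check.sh /var/log/vsftpd.log
case "${1:-}" in
    --demo) sample_log | pasv_outcomes ;;
    ?*)     pasv_outcomes "$1" ;;
esac
```

Both sessions in the thread show the server advertising its internal address; the difference the script surfaces is only whether a data connection ever arrived. Whether an outside client could use that address depends on the router rewriting the 227 reply on the way out (its FTP ALG), which the server-side log cannot show.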
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46727
Location: 56N 3W

PostPosted: Thu Oct 15, 2020 9:29 am

AndrewAmmerlaan,

It's your router firewall missing a rule to make hairpin NAT work.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
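The missing rule NeddySeagoon refers to, written out for the set-up the thread ends up proposing (modem in bridge mode, own Linux router behind it). This is an added example, not from the thread or from any router firmware: an nftables ruleset emitted by a POSIX shell function so the parameters can be reviewed before anything is loaded. Interface names, the public address, the server address, the control port and the passive range are assumptions; the page does not give the real values.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT (NAT loopback) for a Linux box acting as
# the router behind a modem in bridge mode, so LAN clients that use the public address reach
# the FTP server exactly like outside clients do. All values below are illustrative assumptions.
LAN_IF=${LAN_IF:-lan0}
WAN_IF=${WAN_IF:-wan0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.7}
FTP_SERVER=${FTP_SERVER:-192.168.1.10}
FTP_CTRL_PORT=${FTP_CTRL_PORT:-2121}    # listen_port in vsftpd.conf (assumed; the poster moved it off 21)
PASV_RANGE=${PASV_RANGE:-49152-49600}   # pasv_min_port-pasv_max_port in vsftpd.conf (assumed)

# Emit the ruleset as text so it can be reviewed or diffed before it is loaded.
hairpin_ruleset() {
    cat <<EOF
table ip ftp_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Same DNAT for outside clients (in via $WAN_IF) and LAN clients hitting the public IP (hairpin).
        iifname { "$WAN_IF", "$LAN_IF" } ip daddr $PUBLIC_IP tcp dport { $FTP_CTRL_PORT, $PASV_RANGE } dnat to $FTP_SERVER
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin only: rewrite the LAN source so the server replies through the router instead of
        # straight to the client, which is waiting for an answer from $PUBLIC_IP and would reset it.
        ip saddr $LAN_NET ip daddr $FTP_SERVER tcp dport { $FTP_CTRL_PORT, $PASV_RANGE } masquerade
        # Ordinary internet access for the LAN.
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Syntax-check without touching the kernel, or load atomically (both need root and nftables).
check_hairpin() { hairpin_ruleset | nft -c -f -; }
apply_hairpin() { hairpin_ruleset | nft -f -; }

# Usage: sh hairpin.sh --print | --check | --apply
case "${1:-}" in
    --print) hairpin_ruleset ;;
    --check) check_hairpin ;;
    --apply) apply_hairpin ;;
esac
```

The filter table is not shown; the forward chain is assumed to already allow LAN and WAN traffic to the server. The control port and the whole passive range must be hairpinned in the same way, because vsftpd by default (pasv_promiscuous=NO) only accepts a data connection that arrives from the same address as the control connection, and with the masquerade rule both appear to come from the router. Since the rules forward a fixed range, pasv_min_port/pasv_max_port must equal PASV_RANGE and no conntrack FTP helper is needed for the server side. pasv_address is a single global value: left unset, vsftpd advertises its internal address (as in the logs above), so a LAN client that honours the 227 reply opens the data connection directly to the server while its control connection came through the router, and the same-source check refuses it; set to the public address, every client is sent through these rules, at the price that a client which connected to the internal address directly hits the same mismatch in reverse. Either way, do not switch pasv_promiscuous on to paper over it; pick one address for LAN clients and use it consistently.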
AndrewAmmerlaan
Apprentice

Joined: 25 Jun 2014
Posts: 175
Location: Lent

PostPosted: Thu Oct 15, 2020 9:57 am

NeddySeagoon wrote:
AndrewAmmerlaan,

It's your router firewall missing a rule to make hairpin NAT work.


Hmm, I went through the specs of my router/modem, and it does indeed seem that there is no support for hairpin NAT. That's annoying :(

I guess I'll have to get a different router, and put the modem in bridge mode.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46727
Location: 56N 3W

PostPosted: Thu Oct 15, 2020 12:41 pm

AndrewAmmerlaan,

Can you add your own firewall rules, without using the shiny web GUI?

Your router may let you poke about with ssh or horror of horrors, telnet.
AndrewAmmerlaan
Apprentice

Joined: 25 Jun 2014
Posts: 175
Location: Lent

PostPosted: Thu Oct 15, 2020 1:13 pm

NeddySeagoon wrote:
AndrewAmmerlaan,

Can you add your own firewall rules, without using the shiny web GUI?

Your router may let you poke about with ssh or horror of horrors, telnet.


From what I'm reading on the ISP's forum the only way into their router/modem is via the web interface, it does not allow ssh access. (And the GUI only has a simple on/off switch for the firewall).
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46727
Location: 56N 3W

PostPosted: Thu Oct 15, 2020 1:29 pm

AndrewAmmerlaan,

What router?
I'm just curious. It will be a MIPS or ARM based Linux system of some sort.
AndrewAmmerlaan
Apprentice

Joined: 25 Jun 2014
Posts: 175
Location: Lent

PostPosted: Thu Oct 15, 2020 2:42 pm

NeddySeagoon wrote:
AndrewAmmerlaan,

What router?
I'm just curious. It will be a MIPS or ARM based Linux system of some sort.


I can't find an English page, I'm afraid all info is in Dutch:
This is the ISP's page: https://www.ziggo.nl/klantenservice/wifi/modem/connect-box
And this lists the specs: https://tweakers.net/pricewatch/789051/ziggo-connect-box/specificaties/

Digging a bit deeper I found that under the hood it is a Compal CH7465-LG

I also found these neat python wrappers for it: https://pypi.org/project/compal/ https://pypi.org/project/connect_box/

The former one says this about the router:

Quote:
Compal does not provide information about the hardware. The modem has no FCC registration. However, the related Arris TG2492 modem was submitted to the FCC. The FCC documents for this modem are available. Some interesting documents (internal photos) have been mirrored to docs/fcc.

The modem seems to be based on the Intel Puma 6 chipset. There is a long thread on (perceived) performance problems caused by jitter on DSLReports. See [ALL] SB6190 is a terrible modem - Intel Puma 6 / MaxLinear mistake

The modem most likely contains open source components. Requests to Compal requesting source code of these components, to an e-mail address on the Compal site, have not been answered yet.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46727
Location: 56N 3W

PostPosted: Thu Oct 15, 2020 3:07 pm

AndrewAmmerlaan,

There's not a lot to go on.
Marcih
Apprentice

Joined: 19 Feb 2018
Posts: 208

PostPosted: Thu Oct 15, 2020 4:17 pm

AndrewAmmerlaan wrote:
This is the ISP's page: https://www.ziggo.nl/klantenservice/wifi/modem/connect-box
And this lists the specs: https://tweakers.net/pricewatch/789051/ziggo-connect-box/specificaties/

Oh, at least you don't have to deal with KPN's ExperiaBox... From my experience, all the Dutch ISPs' routers are awful. Try getting in touch with Ziggo's customer service about switching your router into L2 bridge mode, plop your own device behind it (a Gentoo box, of course ;)) and work from there.
All times are GMT