FTP "Error: Failed to retrieve directory listing" problem

Status
Not open for further replies.

Bio Hazzard

Cadet
Joined
Feb 27, 2012
Messages
5
Hey guys, wondering if anyone could help with a little FTP problem

My setup

System Information

Hostname freenas.local
FreeNAS Build FreeNAS-8.0.3-RELEASE-p1-x64 (9591)
Platform Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
Memory 1777MB
System Time Mon Feb 27 22:37:07 2012
Uptime 10:37PM up 23 mins, 0 users
Load Average 0.00, 0.00, 0.00
OS Version FreeBSD 8.2-RELEASE-p6

My Problem

I can't quite connect to my FTP server using my external i.p., my internal i.p. works fine and lists the directories though :\ I originally tried port 21 (default) but when using a port checker tool it said it wasn't open, ISP might be blocking it. So I switched to a higher port 23235 (port checker tool confirmed that port was open).
Seeing as I can authenticate into the server but can't list the directories, it might be a permissions problem, but it's quite weird how it only affects my external i.p.


I have three disks (2TB each formatted ZFS) and two volumes one being a datasheet


shared /mnt/shared 102.2 GiB (1%) 5.3 TiB 5.4 TiB HEALTHY

shared /mnt/shared/ftpuser 152.0 KiB (0%) 50.0 GiB 50.0 GiB HEALTHY


I have created the following groups:


1001 Bio-Hazzard

1002 Gunter

1003 Windows

1004 ftpuser


And the following users


1001 Bio-Hazzard Bio-Hazzard /mnt/shared /bin/csh

1002 Gunter Gunter /mnt/shared /bin/csh

1003 ftpuser ftpuser /mnt/shared/ftpuser/USERS /bin/csh


My error while using FileZilla

Status: Connecting to ###.###.###.###:#####...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
Status: Connecting to ###.###.###.###:#####...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.3e Server (freenas.local FTP Server) [::ffff:192.168.0.188]
Command: USER Bio-Hazzard
Response: 331 Password required for Bio-Hazzard
Command: PASS *********
Response: 230-Welcome to Bio Hazzard's FTP server
Response: 230 User Bio-Hazzard logged in
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/mnt/shared" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (###,###,#,###,###,###).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing


Any help is greatly appreciated, I've been spending nights on end trying to get the ftp side of things to work!
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Hi Bio,

It's been *awhile* since I've messed with FTP, but you might want to try looking at the checkbox in the FTP settings that says "Require Reverse DNS for IP", that's just a guess. I think it might be because your FTP server doesn't recognize your IP address (it's not in your hosts file or doesn't match your local IP).

ALSO, Since you've publicly posted your IP address, you probably want to change that port number to something else or you're going to have a bunch of attacks. Hopefully your IP address has changed already, but I'd still change the port. Be careful about posting that info.
 

Bio Hazzard

Cadet
Joined
Feb 27, 2012
Messages
5
Ok still not working! Should "Always Chroot" be disabled / enabled? What are safe settings to use? Also I'm connecting using my external I.P. from within my local network to test if computers were to try and connect externally from my network it would be possible to do so, could this be causing additional problems that I'm unaware of?
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Also I'm connecting using my external I.P. from within my local network to test if computers were to try and connect externally from my network it would be possible to do so, could this be causing additional problems that I'm unaware of?

I'm not sure about the Chroot setting, but I know that looping in/out of your network like you're trying doesn't always work. This is the reason it's taken me so long to work on my remote sharing tutorial. I don't recall the reason this doesn't work, but I'm sure it could be part of the problem.
 

Bio Hazzard

Cadet
Joined
Feb 27, 2012
Messages
5
I've tried accessing my ftp from multiple locations external from my house and I get the same error code. Can't wait for your remote sharing guide, also I have a 2nd server running windows home server 2011 should I just try to run the ftp branch off of that? Or will that just drive my router crazy sending the data between the two servers? I could alternatively just use my WHS server as my NAS but I quite liked the idea of FreeNAS. Thanks again for all the help!
 

dhirschi

Cadet
Joined
Apr 29, 2013
Messages
2
Re: FTP "Error: Failed to retrieve directory listing" problem

I'm having the same issue. I can FTP just fine into my server locally. However, when attempting to FTP remotely I get an error: "Server sent passive reply with unroutable address". I have a DynDNS Pro account that I can remotely access administration on just fine. Ports are forwarded correctly on my router. I am using the correct external IP.. well I guess you'd know that since I've been able to remotely login to the admin page. I have verified my ISP blocks port 21 so I am using port 5000. I have verified Port 5000 is open with open port tool. And yes port 5000 is forwarded correctly on my router.

Here is the breakdown in Filezilla:

Status: Connecting to "My external IP":5000...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.4a Server ("My NAS Info" FTP Server) [::ffff:"My IP Address"]
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER "my username"
Status: TLS/SSL connection established.
Response: 331 Password required for "my username"
Command: PASS *******************
Response: 230-Welcome to "My Server name" Server! Enjoy!
Response: 230 User "My Username" logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: LANG en-US.UTF-8;en-US*;fr-FR.UTF-8;fr-FR;ja-JP.UTF-8;ja-JP;zh-CN.UTF-8;zh-CN;zh-TW.UTF-8;zh-TW;ru-RU.UTF-8;ru-RU;it-IT.UTF-8;it-IT;bg-BG.UTF-8;bg-BG;ko-KR.UTF-8;ko-KR
Response: MDTM
Response: MFMT
Response: TVFS
Response: AUTH TLS
Response: UTF8
Response: MFF modify;UNIX.group;UNIX.mode;
Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response: PBSZ
Response: PROT
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/mnt/Raid-Z" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode ("My IP Address",52,113).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

- - - Updated - - -

The Econ refused setting usually has to do with your NAS server randomly turning off FTP. Noticed this the other day and do not get that error anymore. Still unable to connect with mine though with other errors.

 

titan_rw

Guru
Joined
Sep 1, 2012
Messages
586
(This is a long explanation, but I think it explains everything correctly. I've been dealing with ftp and nat problems since about 1995, so I have a bit of experience with it. Please read everything before asking questions.)

FTP is a hard protocol to get working through NAT.

It's because ftp embeds IP information inside the payload of the tcp/ip packet. So the initial connection gets port forwarded through the router ok, but contains information about your internal ip 'inside' the packet. This information isn't changed to match the NAT ip.

PASV (passive) ftp mode is the client connecting to the server. PORT (active) ftp mode is the server connecting to the client. Note these connections are independent of the 'ftp control' connection, which is default to port 21. Changing the control connection does nothing to specify which ports are used for data transfers.

Normally, when the ftp client is behind NAT, you can tell the server to use passive transfers, which means you'll connect to the server for data transfer. If the server is NOT behind a firewall or other NAT router, things should work. The problem is when the server is also behind NAT. The port forward for the control channel doesn't help, as this is a separate connection.

Luckily, there's a solution. In addition to the control connection port forward, you need to forward an additional range of IP addresses. How many depends on how busy the ftp server is going to be. For a small ftp server, 10 or so should be fine. More if there's going to be multiple transfers by each user. So let's say you forward port 5001-5010 in addition to port 5000 for the control port. You can set these port ranges in the ftp config in freenas.

Now you log into the server and your client wants a directory list (basically a text file transfer). So your client says "passive mode please". The server responds with "connect to me on 192.168.1.1 on port 5001". This IP information is INSIDE the tcp packet, so it is NOT nat'd by the router. Your client knows this IP is bogus, and the transfer fails.

Also luckily, you can fix this too. You need to tell the freenas ftp server what IP to advertise to the client for passive mode. I'm not sure if you can set a hostname (dynamic dns) in here, but you might be able to. Set your external internet IP in the web gui, and try it again. This time your client will ask for "PASV", and the server will respond with "connect to me on x.x.x.x on port 5001". Your ftp client will open an outgoing connection through the router you're behind to the router freenas is behind. We've previously forwarded port 5001 - 5010, so the router freenas is behind will forward this to the freenas IP, where you previously told the freenas ftp server to listen for connections. The connection arrives, and the ftp server sends the data down it to the client. All is well with the world.

BUT: what if your ftp server doesn't support all these things freenas's ftp server does? Or what if you don't have control over the ftp server in question, and you still want to connect to it? We can do that too. Use active mode transfers. Normally, in active transfers, the server connects to the client for any data transfers, upload or download. Since the server is connecting to you, any NAT the server's behind doesn't matter too much.

So you try that. You connect in and say "give me a directory listing", and "connect to me on 192.168.2.1 on port 12345". The server receives this and says "IP invalid", or "connection failed" as it can't connect to your internal ip from an external network. In your ftp client, you have to be able to specify an IP to use when doing active transfers. Filezilla supports this. You can tell filezilla which ip to advertise as "connect to me on". You set your external internet ip that your client is hiding behind.

So you try again. "hey server, connect to me on x.x.x.x port 12345". The server tries. The connection gets dropped by YOUR router as this is what it's designed to do. The router can't tell it's part of an existing connection. It sees it as an unsolicited incoming connection, so it drops it. Now we need to forward a port range again. So you forward 6001 - 6010 to your internal IP of your FTP CLIENT. Now you tell filezilla "when doing active mode transfers, not only advertise this specific IP as where to connect, tell the server to connect to one of these ports".

So you try again. "Hey server, connect to me on x.x.x.x on port 6001". The server makes an outgoing connection which goes through its router. This connection hits your router, and gets forwarded to your ftp client. All is well with the world.



So basically, if both FTP server, and FTP client are behind routers or firewalls, you have two options:

A: configure the server, and the router the server's behind. Have clients connect in with passive mode. (multiple clients will require a larger range of ports forwarded to the server's IP).

B: configure each client, and the router the client(s) (is/are) behind. Connect in with active mode. (multiple clients behind one router need multiple port ranges, each range forwarded to the different client IP).


If only client OR server is behind a router / firewall, then either passive, OR active should work without any additional configuring on either end. Typically the server is NOT behind NAT, and the client IS. In this case, having the client use passive transfers will work out of the box. In the unlikely scenario where the server is behind NAT, but the client is NOT, then passive will fail, but active will work out of the box. When both sides are nat'd / firewalled, you have the above problem / solution.
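
An added example, not part of any post in this thread: it decodes the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply seen in the FileZilla logs above and reports the two failure causes the explanation describes. The sample replies are constructed from values visible in the thread (192.168.0.188 from the first banner, `52,113` from the second log); 203.0.113.10 is a documentation address standing in for the external IP, and the forwarded range 5001-5010 is the one used in the explanation.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a client out on the Internet cannot route to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches the reply with or without FileZilla's "Response:" prefix.
PASV_RE = re.compile(r"227 [^()]*\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(reply):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (address, port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    nums = [int(x) for x in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError(f"field out of range in: {reply!r}")
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]   # data port = p1*256 + p2

def diagnose(reply, forwarded_ports):
    """Return the reasons a data connection to this endpoint fails via NAT."""
    addr, port = parse_pasv(reply)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"server advertised internal address {addr}; "
                        "configure the external address it should advertise")
    if port not in forwarded_ports:
        problems.append(f"data port {port} is outside the forwarded range; "
                        "pin the server's passive ports to that range")
    return problems

if __name__ == "__main__":
    forwarded = range(5001, 5011)          # ports 5001-5010 forwarded on the router
    samples = [                            # constructed sample replies
        "Response: 227 Entering Passive Mode (192,168,0,188,52,113).",
        "Response: 227 Entering Passive Mode (203,0,113,10,19,137).",
    ]
    for line in samples:
        addr, port = parse_pasv(line)
        issues = diagnose(line, forwarded)
        print(addr, port, issues if issues else "OK")
```

Both servers in this thread identify themselves as ProFTPD, where the corresponding directives are `MasqueradeAddress` (address to advertise) and `PassivePorts` (data port range).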
 