FTP TLS Problems

TristanM (Dabbler, joined Sep 16, 2017, 20 messages)
Hi,

I have searched for an answer high and low, on this forum and Google, but still no luck solving it, although I think I have got close. For the record, I also have an aging Dlink DNS NAS with an FTP service running perfectly with TLS.

For my FreeNAS I have enabled TLS, configured my router port forwarding and every time I connect from outside the network I get a directory listing (MLSD) timeout. I am using the Dlink DNS service. Understandably, if I don't enter my external IP address as a Masquerade Address I can connect from within the network with no problems, otherwise not. Another strange thing is my FTP service stops and can't be started if I enter my Dlink DNS instead of an IP address.

The error I receive connecting internally with Masquerade Address detail populated is the same as my external attempt.


NAS Internal IP: 192.168.0.4
Router port forward configurations:
192.168.0.4 - 54000-55000 | 54000-55000 | TCP
192.168.0.4 - 1112-1112 | 1112-1112 | BOTH

Internal connection with Masquerade detail:

Status: Connecting to 192.168.0.4:1112...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/mnt/Vault/Backup/XXXXXX" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (xx,xx,xx,xx,214,197). << EXTERNAL IP
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

External connection with Masquerade detail:

Status: Connecting to xx.xx.xxx.xxx:1112... << EXTERNAL IP & TRIGGER PORT
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/mnt/Vault/Backup/pookypetsbackup" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (xx,xx,xx,xx,214,103). << EXTERNAL IP
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing


From calculating the last detail of the 227 response, 214*256+103 = 54887, which should be forwarded?

Please, any help would be much appreciated. Thank you
 
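The port arithmetic in the post, as an added example (not from the original thread, FreeNAS or its FTP daemon): a small Python parser for the 227 (PASV) and 229 (EPSV) passive-mode replies that computes the data port and checks it against the router's forwarded range and against which side of the NAT the client sits on. The addresses are placeholders: the thread masks the public IP as xx,xx,xx,xx, and 203.0.113.10 (a documentation-only address) is an assumed stand-in for it.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample replies modelled on the two 227 lines in the post. The
# thread masks the public address as xx,xx,xx,xx; 203.0.113.10 is an assumed
# stand-in, not the poster's real IP.
SAMPLE_227_INTERNAL = "227 Entering Passive Mode (203,0,113,10,214,197)."
SAMPLE_227_EXTERNAL = "227 Entering Passive Mode (203,0,113,10,214,103)."
SAMPLE_229 = "229 Entering Extended Passive Mode (|||54887|)"

# Passive port range forwarded on the poster's router.
FORWARD_LO, FORWARD_HI = 54000, 55000

_PASV_RE = re.compile(
    r"\b227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"\b229\b[^(]*\(\|\|\|(\d{1,5})\|\)")

_RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def is_rfc1918(host):
    """True for an RFC 1918 private address such as the NAS's 192.168.0.4."""
    addr = ip_address(host)
    return any(addr in net for net in _RFC1918)


def parse_passive_reply(line, control_host=None):
    """Return (host, port) from a 227 (PASV) or 229 (EPSV) reply.

    227 carries h1,h2,h3,h4,p1,p2 and the data port is p1*256 + p2.
    229 carries only the port; the client reuses the control connection's
    address, so control_host must be supplied for it.
    """
    m = _PASV_RE.search(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError("octet out of range in 227 reply: %r" % line)
        h1, h2, h3, h4, p1, p2 = fields
        return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
    m = _EPSV_RE.search(line)
    if m:
        if control_host is None:
            raise ValueError("229 reply carries no address; pass control_host")
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in 229 reply: %r" % line)
        return control_host, port
    raise ValueError("not a 227/229 reply: %r" % line)


def check_data_endpoint(line, client_is_external, forward_lo=FORWARD_LO,
                        forward_hi=FORWARD_HI, control_host=None):
    """Parse a passive reply and list what would stop the data connection.

    Returns (host, port, problems). An empty problems list means the port is
    inside the forwarded range and the advertised address makes sense for the
    side of the NAT the client sits on.
    """
    host, port = parse_passive_reply(line, control_host)
    problems = []
    if not forward_lo <= port <= forward_hi:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, forward_lo, forward_hi))
    private = is_rfc1918(host)
    if client_is_external and private:
        problems.append("private address %s advertised to an external client; "
                        "set the masquerade address" % host)
    if not client_is_external and not private:
        problems.append("public address %s advertised to an internal client; "
                        "the data connection must hairpin through the router" % host)
    return host, port, problems


if __name__ == "__main__":
    for label, line, external in [("internal", SAMPLE_227_INTERNAL, False),
                                  ("external", SAMPLE_227_EXTERNAL, True)]:
        host, port, problems = check_data_endpoint(line, external)
        print(label, host, port, problems or "ok")
```

With FTPS the 227 reply travels inside the TLS session, so a router's FTP helper cannot see it, rewrite the address or open the data port on the fly; that is why both the masquerade address and an explicitly forwarded passive port range are needed, and why checking each reply this way is worth doing before blaming the server. The internal sample is flagged only because a public address is handed to an internal client, which is the hairpin case the post describes.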

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
Hi Tristan,

FTP is and has always been a nightmare for firewalling and NAT. I recommend you switch from FTPS to SFTP instead. It is a million times more firewall-friendly and is also more secure if you use a crypto key to authenticate instead of passwords.

Other than that, I would switch the FTP service from Passive to Active. That way, you should go through your router without the need to forward a second socket.

Have fun with your setup,
 

TristanM
> Hi Tristan,
>
> FTP is and has always been a nightmare for firewalling and NAT. I recommend you switch from FTPS to SFTP instead. It is a million times more firewall-friendly and is also more secure if you use a crypto key to authenticate instead of passwords.
>
> Other than that, I would switch the FTP service from Passive to Active. That way, you should go through your router without the need to forward a second socket.
>
> Have fun with your setup,

Thanks for the reply. As a test I enabled SSH, but it appears the user I have set up can navigate to all the folders when connecting with Filezilla. I have tried to find an answer but have not been able to find a solution.

Regarding switching the FTP service from Passive to Active, how is this achieved in the FreeNAS FTP configuration?
 

Heracles
Hi again Tristan,


To chroot your users when they do SFTP, you need to inject extra config settings in the SSH service. You can do so in the GUI. As for switching the FTP to Active, I did not find any direct answer to that one. FTP is so outdated and FTPS is so extremely rare that there is not much info about it.

Good luck setting up your SSH daemon,
 
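Added example, not from the thread or from FreeNAS: the sshd_config Match block the reply refers to, rendered by a small Python helper, together with the ownership and mode check sshd itself applies before it honours ChrootDirectory. The group name sftponly and the chroot path /mnt/Vault/Backup are assumptions (the path is borrowed from the directory listing earlier in the thread); the owners and modes in the samples are constructed.

```python
import os
import stat


def sftp_chroot_fragment(group, chroot_dir):
    """Render the sshd_config Match block that confines members of `group`
    to `chroot_dir` with only the built-in SFTP subsystem: no shell, no
    port forwarding, no X11."""
    lines = [
        "Match Group %s" % group,
        "    ChrootDirectory %s" % chroot_dir,
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "    PermitTunnel no",
    ]
    return "\n".join(lines) + "\n"


def chroot_path_problems(entries):
    """Apply sshd's rule for ChrootDirectory to a list of (path, owner_uid,
    mode) covering the chroot root and every ancestor: each must be owned by
    root and must not be group- or world-writable, otherwise the login fails
    with 'bad ownership or modes for chroot directory component'."""
    problems = []
    for path, uid, mode in entries:
        if uid != 0:
            problems.append("%s: owned by uid %d, must be owned by root"
                            % (path, uid))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s: mode %o is group- or world-writable"
                            % (path, stat.S_IMODE(mode)))
    return problems


def collect_path_entries(chroot_dir):
    """Stat the chroot directory and each ancestor on the live system, in
    the shape chroot_path_problems() expects."""
    path = os.path.abspath(chroot_dir)
    parts = []
    while True:
        st = os.stat(path)
        parts.append((path, st.st_uid, st.st_mode))
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return list(reversed(parts))


# Constructed samples. The chroot path comes from the directory listing in
# the thread; the owners and modes are assumed. In SAMPLE_BAD the Backup
# dataset is owned by the SFTP user (uid 1001) and group-writable, which
# sshd rejects.
SAMPLE_BAD = [("/", 0, 0o40755), ("/mnt", 0, 0o40755),
              ("/mnt/Vault", 0, 0o40755), ("/mnt/Vault/Backup", 1001, 0o40775)]
SAMPLE_GOOD = [("/", 0, 0o40755), ("/mnt", 0, 0o40755),
               ("/mnt/Vault", 0, 0o40755), ("/mnt/Vault/Backup", 0, 0o40755)]

if __name__ == "__main__":
    print(sftp_chroot_fragment("sftponly", "/mnt/Vault/Backup"))
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, chroot_path_problems(sample) or "ok")
```

Because every component up to and including the chroot root has to be root-owned and not writable by group or others, the user's writable area must be a subdirectory below the chroot root, not the root itself. A Match block applies until the next Match or the end of the file, so it belongs at the end of the configuration, which is where extra settings appended through the GUI land; add each backup user to the group and run collect_path_entries() on the real path before the first login.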