no luck following ftp setup instructions

Status
Not open for further replies.

Ptera

FreeNAS version FreeNAS-9.2.1.8-RELEASE-x64 (e625626)

When attempting to connect via ftp
>Status: Connecting to xx.xx.xx.xx:21...
>Status: Connection established, waiting for welcome message...
>Response: 220 ProFTPD 1.3.4d Server (nas.xxx.xxx FTP Server) [::ffff:xx.xx.xx.xx]
>Command: USER ftpbackup
>Error: Connection timed out
>Error: Could not connect to server

User ftpbackup
ftpbackup's home directory /mnt/PteraNas1/ftpbackup
Auxiliary group ftp

ftp server settings
path /mnt/PteraNas1
allow root no
allow anon no
allow local user yes
always chroot yes

The connection is made to the server but no user authentication happens; it just hangs until the timeout is reached.

moderator note: edited
 

DrKK

Sir:

1) Are you able to log into ftp as "root"? (just for testing)
and
2) Did you click the box in Services->FTP->Settings for "Allow Local User Login"? Make sure "require IDENT Authentication" is not checked.
 

Ptera

Allow Local User Login box is clicked (enabled).
Require IDENT Authentication box is not clicked (disabled).

I clicked the box for Allow Root Login and then tried to log in using FileZilla.

Here are the results...
Status: Connecting to xx.xx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.4d Server (nas.xxx.xxx FTP Server) [::ffff:xx.xx.xx.xx]
Command: USER root
Error: Connection timed out
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to xx.xx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.4d Server (nas.xxx.xxx FTP Server) [::ffff:xx.xx.xx.xx]
Command: USER root
Error: Connection timed out
Error: Could not connect to server
 

jgreco

1) It does no good to "xx" out the last quad of the IP when it's repeated later along with a resolvable DNS name.

2) This looks very much like some sort of firewall thing, since FTP tries to open secondary connections. Does it work if you specify passive mode?
 

Ptera

duh...

So I do not see any option for setting passive mode.
Min and Max passive ports are both set to '0' (use any port).
 

Ptera

WS_FTP was set for passive transfers and I think FileZilla is using passive.
ws-ftp says... ! Receive error: Blocking call cancelled
 

DrKK

Definitely some kind of network firewall issue, I think.
 

Ptera

OK, I have a MikroTik router here at our office.

[admin@PteraOffice] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
[admin@PteraOffice] /ip firewall filter>

I can ftp to a different basic linux server successfully.

Firewall on the FreeNAS?
 

jgreco

No, there's no firewall on the FreeNAS. Try turning OFF passive mode...? Or better yet see if you can FTP from something that you know for sure doesn't have a local software firewall (Windows, OS X, etc., boxes all do).
 

Noctris

Could you give a simple rundown of the network? Is this:


"my desktop" -> "mikrotik router" <-> "web" <-> "firewall before freenas (which one is this?)" <-> freenas ?

Cause in passive mode using NAT/firewall, you have to allow the passive ports to traverse the firewall towards FreeNAS as well.

You could set the ports in FreeNAS as "passive min 5000", "passive max 5010" (these are test values; this depends on the number of connections you need) and then you need to allow ports 5000 - 5010 to the FreeNAS box from the firewall in front of FreeNAS.
 

Noctris

OK, so just for kicks I tried to connect to the address you have in your first message. From my Windows desktop:

<image showing successful connect across the internet>

From my FreeNAS box:

<another image>

You sir, have a firewall issue.

moderator note: edited to omit images, see below
 

jgreco

Apologies to @Noctris who actually went and did something I was vaguely tempted to try. I deleted the pictures he had posted of connecting to your NAS across the public Internet, showing that your FTP connect issue was probably a local firewall thing of some sort.

FreeNAS is not intended to be exposed directly to the Internet in such a fashion, and you introduce certain risks when doing this. We don't wish to be responsible for publicizing your server's IP and your failure to adopt best practices, so I've sanitized the above posts.
 

Noctris

No apologies required. It was indeed a dodgy thing to do. So sorry if I crossed a line there. It was just the quickest way of reproducing (or not) the issue :s

I do think some sort of firewall is in front, but I believe it's the local firewall in his office (or on his machine) that is causing the issue.
 

jgreco

> No apologies required. It was indeed a dodgy thing to do. So sorry if I crossed a line there. It was just the quickest way of reproducing (or not) the issue :s

Any line you crossed wasn't here. There's some question about legalities and all of that, but as an Internet network operator I tend towards believing that services operated on well known ports are basically invitational in nature. Not because anyone's actually been invited, but because that's the nature of the beast. Sooner or later someone's going to probe your :21, :80, :22, :23, :25, etc.

It used to be that people would do this kind of thing all the time on a friendly basis to help other people. The Internet was nicer that way 20 years ago.
 

Noctris

> Any line you crossed wasn't here. There's some question about legalities and all of that, but as an Internet network operator I tend towards believing that services operated on well known ports are basically invitational in nature. Not because anyone's actually been invited, but because that's the nature of the beast. Sooner or later someone's going to probe your :21, :80, :22, :23, :25, etc.
>
> It used to be that people would do this kind of thing all the time on a friendly basis to help other people. The Internet was nicer that way 20 years ago.

Back in the days when everybody was fingering everybody? (sorry.. that was just too easy :p)
 

Ptera

OK, well, since my Windows firewall is off, there are no firewall rules on the office MikroTik, and there is no firewall in between the office router and the NAS server, which are both on the same subnet, I guess I will have to abandon using FTP for file backups. Bummer, cuz the software I was trying to back up does not support the other methods of connecting to the NAS server.
I will have to create a virtual Linux box at our remote NOC and send the FTP backups to it there.

PC <-> Mikrotik <-> switch <-> freeNAS

And I can see I also cannot limit who can connect to FTP, so you are right that it is not a very secure way to back up files.
Although it is one of the ways to retrieve files if it was working.
 

depasseg

So if the FreeNAS and your Windows machine are on the same subnet, why is there a MikroTik in between them? Can you connect the 2 devices to the same switch and test? What are the IP addresses and subnet masks for both your Windows machine and FreeNAS (IOW, are they really part of the same subnet)?

It sounds like your issue is with a router/firewall or NAT.

You might need to configure a pasv helper (pasv_address=external IP) in your ftp server configuration if you are nat'ing.
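
The passive port range and NAT address points raised in the replies above can be checked against a captured `227` reply. This is an added example, not part of any post in the thread: the function names and sample replies are assumptions, the 5000-5010 range reuses the test values suggested earlier, and the addresses are constructed documentation addresses.

```python
import ipaddress
import re

# RFC 1918 ranges: a server behind NAT often advertises one of these in PASV.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' to (ip, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in {reply!r}")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def check_pasv(reply, control_ip, port_min, port_max):
    """Return reasons the data connection announced in `reply` may fail."""
    host, port = parse_pasv(reply)
    control = ipaddress.IPv4Address(control_ip)
    problems = []
    if not port_min <= port <= port_max:
        problems.append(f"data port {port} is outside the range "
                        f"{port_min}-{port_max} allowed through the firewall")
    if host != control:
        behind_nat = (any(host in n for n in RFC1918)
                      and not any(control in n for n in RFC1918))
        hint = " (private address leaked through NAT)" if behind_nat else ""
        problems.append(f"server advertises {host} but the client "
                        f"connected to {control}{hint}")
    return problems


if __name__ == "__main__":
    # Constructed sample replies; 203.0.113.10 is a documentation address.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,19,141).",  # port 5005
        "227 Entering Passive Mode (203,0,113,10,192,0).",   # port 49152
        "227 Entering Passive Mode (192,168,1,50,19,141).",  # private address
    ]
    for s in samples:
        print(s, "->", check_pasv(s, "203.0.113.10", 5000, 5010) or "ok")
```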
 

Noctris

It sounds pretty strange that while you cannot FTP into it, I can from the outside... I know in pfSense some configs require an FTP proxy helper for routing the NAT request out and back in.

Could you try the following:

A) Try to FTP to the internal IP of the FreeNAS, not the public one. This should skip the NAT table.
B) Put your PC past the MikroTik (plug in directly on the switch together with FreeNAS and get an IP in the same subnet).
 