Passive mode FTP works over WAN but not LAN
up vote
-2
down vote
favorite
I'm using pure-ftpd 1.0.46 on Ubuntu 18.04 as the server, with TLS and certificates signed by Let's Encrypt. I have no issues connecting and transferring over WAN. I'm using passive mode, the ports are properly forwarded, and I've configured pure-ftpd to respond with its WAN IP.
However, I can not make a connection over LAN, as it complains about TLS connection termination. I've tried several clients and they all have some kind of timeout error. I suspect part of the problem may be my DNS setup. I have a domain name that points to my WAN, and that is what I usually use to connect to the server. But I have my local DNS server respond with the LAN IP for the ftp machine. So when I'm at home, my laptop makes the ftp connection to 192.168.1.2, but the PASV response is my WAN IP 74.x.x.x. In theory, my router should support NAT loopback, which sends traffic originating in the LAN and destined for the WAN IP back to the local IP to which its forwarded. This seems to work fine for http, and I assumed since the client initiates the passive mode data tcp connection, it should work for that as well. But maybe there's some routing detail I'm missing. Could this be the problem?
Client log:
Status: Connecting to 192.168.1.2:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 9 of 50 allowed.
Response: 220-Local time is now 16:01. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Processed CERTIFICATE
Trace: TLS handshake: Received SERVER KEY EXCHANGE
Trace: TLS handshake: Processed SERVER KEY EXCHANGE
Trace: TLS handshake: Received SERVER HELLO DONE
Trace: TLS handshake: Processed SERVER HELLO DONE
Trace: TLS handshake: About to send CLIENT KEY EXCHANGE
Trace: TLS handshake: Sent CLIENT KEY EXCHANGE
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received NEW SESSION TICKET
Trace: TLS handshake: Processed NEW SESSION TICKET
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: Processed FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Status: TLS connection established.
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: USER *****
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 331 User ******* OK. Password required
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: PASS **********
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 230 OK. Current directory is /
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 9
Command: OPTS UTF8 ON
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 OK, UTF-8 enabled
Trace: CFtpLogonOpData::ParseResponse() in state 9
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 10
Command: PBSZ 0
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 PBSZ=0
Trace: CFtpLogonOpData::ParseResponse() in state 10
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 11
Command: PROT P
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 Data protection level set to "private"
Trace: CFtpLogonOpData::ParseResponse() in state 11
Status: Logged in
Trace: Measured latency of 3 ms
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpLogonOpData::Reset(0) in state 14
Trace: CFileZillaEnginePrivate::ResetOperation(0)
Status: Retrieving directory listing...
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 1
Command: PWD
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 257 "/" is your current location
Trace: CFtpChangeDirOpData::ParseResponse() in state 1
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpChangeDirOpData::Reset(0) in state 1
Trace: CFtpListOpData::SubcommandResult(0) in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 2
Trace: CFtpRawTransferOpData::Send() in state 1
Command: TYPE I
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 TYPE is now 8-bit binary
Trace: CFtpRawTransferOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 2
Command: PASV
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 227 Entering Passive Mode (75,85,*,*,46,161)
Trace: CFtpRawTransferOpData::ParseResponse() in state 2
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 4
Trace: Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
Command: MLSD
Trace: CTransferSocket::OnConnect
Trace: CTlsSocketImpl::Handshake()
Trace: Trying to resume existing TLS session.
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Trace: CTlsSocketImpl::OnSocketEvent(): close event received
Trace: CTransferSocket::OnClose(106)
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Trace: CTransferSocket::TransferEnd(3)
Trace: CFtpControlSocket::TransferEnd()
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpRawTransferOpData::Reset(10) in state 6
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpListOpData::Reset(10) in state 3
Error: Directory listing aborted by user
Trace: CFileZillaEnginePrivate::ResetOperation(10)
Status: Disconnected from server
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFileZillaEnginePrivate::ResetOperation(0)
networking ubuntu router ftp ftps
add a comment |
up vote
-2
down vote
favorite
I'm using pure-ftpd 1.0.46 on Ubuntu 18.04 as the server, with TLS and certificates signed by Let's Encrypt. I have no issues connecting and transferring over WAN. I'm using passive mode, the ports are properly forwarded, and I've configured pure-ftpd to respond with its WAN IP.
However, I can not make a connection over LAN, as it complains about TLS connection termination. I've tried several clients and they all have some kind of timeout error. I suspect part of the problem may be my DNS setup. I have a domain name that points to my WAN, and that is what I usually use to connect to the server. But I have my local DNS server respond with the LAN IP for the ftp machine. So when I'm at home, my laptop makes the ftp connection to 192.168.1.2, but the PASV response is my WAN IP 74.x.x.x. In theory, my router should support NAT loopback, which sends traffic originating in the LAN and destined for the WAN IP back to the local IP to which its forwarded. This seems to work fine for http, and I assumed since the client initiates the passive mode data tcp connection, it should work for that as well. But maybe there's some routing detail I'm missing. Could this be the problem?
Client log:
Status: Connecting to 192.168.1.2:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 9 of 50 allowed.
Response: 220-Local time is now 16:01. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Processed CERTIFICATE
Trace: TLS handshake: Received SERVER KEY EXCHANGE
Trace: TLS handshake: Processed SERVER KEY EXCHANGE
Trace: TLS handshake: Received SERVER HELLO DONE
Trace: TLS handshake: Processed SERVER HELLO DONE
Trace: TLS handshake: About to send CLIENT KEY EXCHANGE
Trace: TLS handshake: Sent CLIENT KEY EXCHANGE
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received NEW SESSION TICKET
Trace: TLS handshake: Processed NEW SESSION TICKET
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: Processed FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Status: TLS connection established.
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: USER *****
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 331 User ******* OK. Password required
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: PASS **********
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 230 OK. Current directory is /
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 9
Command: OPTS UTF8 ON
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 OK, UTF-8 enabled
Trace: CFtpLogonOpData::ParseResponse() in state 9
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 10
Command: PBSZ 0
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 PBSZ=0
Trace: CFtpLogonOpData::ParseResponse() in state 10
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 11
Command: PROT P
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 Data protection level set to "private"
Trace: CFtpLogonOpData::ParseResponse() in state 11
Status: Logged in
Trace: Measured latency of 3 ms
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpLogonOpData::Reset(0) in state 14
Trace: CFileZillaEnginePrivate::ResetOperation(0)
Status: Retrieving directory listing...
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 1
Command: PWD
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 257 "/" is your current location
Trace: CFtpChangeDirOpData::ParseResponse() in state 1
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpChangeDirOpData::Reset(0) in state 1
Trace: CFtpListOpData::SubcommandResult(0) in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 2
Trace: CFtpRawTransferOpData::Send() in state 1
Command: TYPE I
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 TYPE is now 8-bit binary
Trace: CFtpRawTransferOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 2
Command: PASV
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 227 Entering Passive Mode (75,85,*,*,46,161)
Trace: CFtpRawTransferOpData::ParseResponse() in state 2
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 4
Trace: Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
Command: MLSD
Trace: CTransferSocket::OnConnect
Trace: CTlsSocketImpl::Handshake()
Trace: Trying to resume existing TLS session.
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Trace: CTlsSocketImpl::OnSocketEvent(): close event received
Trace: CTransferSocket::OnClose(106)
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Trace: CTransferSocket::TransferEnd(3)
Trace: CFtpControlSocket::TransferEnd()
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpRawTransferOpData::Reset(10) in state 6
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpListOpData::Reset(10) in state 3
Error: Directory listing aborted by user
Trace: CFileZillaEnginePrivate::ResetOperation(10)
Status: Disconnected from server
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFileZillaEnginePrivate::ResetOperation(0)
networking ubuntu router ftp ftps
add a comment |
up vote
-2
down vote
favorite
up vote
-2
down vote
favorite
I'm using pure-ftpd 1.0.46 on Ubuntu 18.04 as the server, with TLS and certificates signed by Let's Encrypt. I have no issues connecting and transferring over WAN. I'm using passive mode, the ports are properly forwarded, and I've configured pure-ftpd to respond with its WAN IP.
However, I can not make a connection over LAN, as it complains about TLS connection termination. I've tried several clients and they all have some kind of timeout error. I suspect part of the problem may be my DNS setup. I have a domain name that points to my WAN, and that is what I usually use to connect to the server. But I have my local DNS server respond with the LAN IP for the ftp machine. So when I'm at home, my laptop makes the ftp connection to 192.168.1.2, but the PASV response is my WAN IP 74.x.x.x. In theory, my router should support NAT loopback, which sends traffic originating in the LAN and destined for the WAN IP back to the local IP to which its forwarded. This seems to work fine for http, and I assumed since the client initiates the passive mode data tcp connection, it should work for that as well. But maybe there's some routing detail I'm missing. Could this be the problem?
Client log:
Status: Connecting to 192.168.1.2:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 9 of 50 allowed.
Response: 220-Local time is now 16:01. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Processed CERTIFICATE
Trace: TLS handshake: Received SERVER KEY EXCHANGE
Trace: TLS handshake: Processed SERVER KEY EXCHANGE
Trace: TLS handshake: Received SERVER HELLO DONE
Trace: TLS handshake: Processed SERVER HELLO DONE
Trace: TLS handshake: About to send CLIENT KEY EXCHANGE
Trace: TLS handshake: Sent CLIENT KEY EXCHANGE
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received NEW SESSION TICKET
Trace: TLS handshake: Processed NEW SESSION TICKET
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: Processed FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Status: TLS connection established.
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: USER *****
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 331 User ******* OK. Password required
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: PASS **********
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 230 OK. Current directory is /
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 9
Command: OPTS UTF8 ON
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 OK, UTF-8 enabled
Trace: CFtpLogonOpData::ParseResponse() in state 9
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 10
Command: PBSZ 0
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 PBSZ=0
Trace: CFtpLogonOpData::ParseResponse() in state 10
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 11
Command: PROT P
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 Data protection level set to "private"
Trace: CFtpLogonOpData::ParseResponse() in state 11
Status: Logged in
Trace: Measured latency of 3 ms
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpLogonOpData::Reset(0) in state 14
Trace: CFileZillaEnginePrivate::ResetOperation(0)
Status: Retrieving directory listing...
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 1
Command: PWD
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 257 "/" is your current location
Trace: CFtpChangeDirOpData::ParseResponse() in state 1
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpChangeDirOpData::Reset(0) in state 1
Trace: CFtpListOpData::SubcommandResult(0) in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 2
Trace: CFtpRawTransferOpData::Send() in state 1
Command: TYPE I
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 TYPE is now 8-bit binary
Trace: CFtpRawTransferOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 2
Command: PASV
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 227 Entering Passive Mode (75,85,*,*,46,161)
Trace: CFtpRawTransferOpData::ParseResponse() in state 2
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 4
Trace: Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
Command: MLSD
Trace: CTransferSocket::OnConnect
Trace: CTlsSocketImpl::Handshake()
Trace: Trying to resume existing TLS session.
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Trace: CTlsSocketImpl::OnSocketEvent(): close event received
Trace: CTransferSocket::OnClose(106)
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Trace: CTransferSocket::TransferEnd(3)
Trace: CFtpControlSocket::TransferEnd()
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpRawTransferOpData::Reset(10) in state 6
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpListOpData::Reset(10) in state 3
Error: Directory listing aborted by user
Trace: CFileZillaEnginePrivate::ResetOperation(10)
Status: Disconnected from server
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFileZillaEnginePrivate::ResetOperation(0)
networking ubuntu router ftp ftps
I'm using pure-ftpd 1.0.46 on Ubuntu 18.04 as the server, with TLS and certificates signed by Let's Encrypt. I have no issues connecting and transferring over WAN. I'm using passive mode, the ports are properly forwarded, and I've configured pure-ftpd to respond with its WAN IP.
However, I can not make a connection over LAN, as it complains about TLS connection termination. I've tried several clients and they all have some kind of timeout error. I suspect part of the problem may be my DNS setup. I have a domain name that points to my WAN, and that is what I usually use to connect to the server. But I have my local DNS server respond with the LAN IP for the ftp machine. So when I'm at home, my laptop makes the ftp connection to 192.168.1.2, but the PASV response is my WAN IP 74.x.x.x. In theory, my router should support NAT loopback, which sends traffic originating in the LAN and destined for the WAN IP back to the local IP to which its forwarded. This seems to work fine for http, and I assumed since the client initiates the passive mode data tcp connection, it should work for that as well. But maybe there's some routing detail I'm missing. Could this be the problem?
Client log:
Status: Connecting to 192.168.1.2:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 9 of 50 allowed.
Response: 220-Local time is now 16:01. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Trace: CFtpLogonOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::ParseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received SERVER HELLO
Trace: TLS handshake: Processed SERVER HELLO
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received CERTIFICATE
Trace: TLS handshake: Processed CERTIFICATE
Trace: TLS handshake: Received SERVER KEY EXCHANGE
Trace: TLS handshake: Processed SERVER KEY EXCHANGE
Trace: TLS handshake: Received SERVER HELLO DONE
Trace: TLS handshake: Processed SERVER HELLO DONE
Trace: TLS handshake: About to send CLIENT KEY EXCHANGE
Trace: TLS handshake: Sent CLIENT KEY EXCHANGE
Trace: TLS handshake: About to send FINISHED
Trace: TLS handshake: Sent FINISHED
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: Received NEW SESSION TICKET
Trace: TLS handshake: Processed NEW SESSION TICKET
Trace: TLS handshake: Received FINISHED
Trace: TLS handshake: Processed FINISHED
Trace: TLS Handshake successful
Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Status: TLS connection established.
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: USER *****
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 331 User ******* OK. Password required
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 5
Command: PASS **********
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 230 OK. Current directory is /
Trace: CFtpLogonOpData::ParseResponse() in state 5
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 9
Command: OPTS UTF8 ON
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 OK, UTF-8 enabled
Trace: CFtpLogonOpData::ParseResponse() in state 9
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 10
Command: PBSZ 0
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 PBSZ=0
Trace: CFtpLogonOpData::ParseResponse() in state 10
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 11
Command: PROT P
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 Data protection level set to "private"
Trace: CFtpLogonOpData::ParseResponse() in state 11
Status: Logged in
Trace: Measured latency of 3 ms
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpLogonOpData::Reset(0) in state 14
Trace: CFileZillaEnginePrivate::ResetOperation(0)
Status: Retrieving directory listing...
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 0
Trace: CFtpChangeDirOpData::Send() in state 1
Command: PWD
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 257 "/" is your current location
Trace: CFtpChangeDirOpData::ParseResponse() in state 1
Trace: CFtpControlSocket::ResetOperation(0)
Trace: CControlSocket::ResetOperation(0)
Trace: CFtpChangeDirOpData::Reset(0) in state 1
Trace: CFtpListOpData::SubcommandResult(0) in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpListOpData::Send() in state 2
Trace: CFtpRawTransferOpData::Send() in state 1
Command: TYPE I
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 200 TYPE is now 8-bit binary
Trace: CFtpRawTransferOpData::ParseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 2
Command: PASV
Trace: CTlsSocketImpl::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 227 Entering Passive Mode (75,85,*,*,46,161)
Trace: CFtpRawTransferOpData::ParseResponse() in state 2
Trace: CControlSocket::SendNextCommand()
Trace: CFtpRawTransferOpData::Send() in state 4
Trace: Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
Command: MLSD
Trace: CTransferSocket::OnConnect
Trace: CTlsSocketImpl::Handshake()
Trace: Trying to resume existing TLS session.
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Trace: CTlsSocketImpl::OnSocketEvent(): close event received
Trace: CTransferSocket::OnClose(106)
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Trace: CTransferSocket::TransferEnd(3)
Trace: CFtpControlSocket::TransferEnd()
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpRawTransferOpData::Reset(10) in state 6
Trace: CFtpControlSocket::ResetOperation(10)
Trace: CControlSocket::ResetOperation(10)
Trace: CFtpListOpData::Reset(10) in state 3
Error: Directory listing aborted by user
Trace: CFileZillaEnginePrivate::ResetOperation(10)
Status: Disconnected from server
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFileZillaEnginePrivate::ResetOperation(0)
networking ubuntu router ftp ftps
networking ubuntu router ftp ftps
asked Nov 19 at 18:29
Kayson
1201
1201
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
That’s pretty definitive. The client is not going to accept a control connection established over a local IP and a data connection over a different IP.
Best solution should be to just change the local DNS to provide the public IP address. Shouldn’t be any harm in that if it works.
At first I thought it might be the client rejecting this particular sort of setup, but I tried several clients and none of those work. They just all time out... I'm trying to avoid doing that DNS setup in general because my router doesn't have enough CPU power to saturate my gigabit ethernet while looping back. So most services route over LAN and I can get the full speed. I don't mind if ftp loops back and is slower since I mainly use smb for file transfers anyways, but I'd like it to at least work...
– Kayson
Nov 19 at 18:56
@Kayson the log of whatever client you listed says the above and it is the client rejecting this setup. It’s probably a security feature. Maybe it can be changed on options in the client. But it’s not going to connect if the two IPs are different as is.
– Appleoddity
Nov 19 at 18:59
Yeah that does make sense. Thanks. I think I need to set up a different server
– Kayson
Nov 19 at 19:05
This is a terrible solution, but I changed my ftp server to respond to passive requests with the local IP. When accessed over WAN, the filezilla client recognizes the internal IP and ignores it, using the control host IP instead. When accessed over LAN, everything works fine.
– Kayson
Nov 19 at 19:36
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
That’s pretty definitive. The client is not going to accept a control connection established over a local IP and a data connection over a different IP.
Best solution should be to just change the local DNS to provide the public IP address. Shouldn’t be any harm in that if it works.
At first I thought it might be the client rejecting this particular sort of setup, but I tried several clients and none of those work. They just all time out... I'm trying to avoid doing that DNS setup in general because my router doesn't have enough CPU power to saturate my gigabit ethernet while looping back. So most services route over LAN and I can get the full speed. I don't mind if ftp loops back and is slower since I mainly use smb for file transfers anyways, but I'd like it to at least work...
– Kayson
Nov 19 at 18:56
@Kayson the log of whatever client you listed says the above and it is the client rejecting this setup. It’s probably a security feature. Maybe it can be changed on options in the client. But it’s not going to connect if the two IPs are different as is.
– Appleoddity
Nov 19 at 18:59
Yeah that does make sense. Thanks. I think I need to set up a different server
– Kayson
Nov 19 at 19:05
This is a terrible solution, but I changed my ftp server to respond to passive requests with the local IP. When accessed over WAN, the filezilla client recognizes the internal IP and ignores it, using the control host IP instead. When accessed over LAN, everything works fine.
– Kayson
Nov 19 at 19:36
add a comment |
up vote
1
down vote
Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
That’s pretty definitive. The client is not going to accept a control connection established over a local IP and a data connection over a different IP.
Best solution should be to just change the local DNS to provide the public IP address. Shouldn’t be any harm in that if it works.
At first I thought it might be the client rejecting this particular sort of setup, but I tried several clients and none of those work. They just all time out... I'm trying to avoid doing that DNS setup in general because my router doesn't have enough CPU power to saturate my gigabit ethernet while looping back. So most services route over LAN and I can get the full speed. I don't mind if ftp loops back and is slower since I mainly use smb for file transfers anyways, but I'd like it to at least work...
– Kayson
Nov 19 at 18:56
@Kayson the log of whatever client you listed says the above and it is the client rejecting this setup. It’s probably a security feature. Maybe it can be changed on options in the client. But it’s not going to connect if the two IPs are different as is.
– Appleoddity
Nov 19 at 18:59
Yeah that does make sense. Thanks. I think I need to set up a different server
– Kayson
Nov 19 at 19:05
This is a terrible solution, but I changed my ftp server to respond to passive requests with the local IP. When accessed over WAN, the filezilla client recognizes the internal IP and ignores it, using the control host IP instead. When accessed over LAN, everything works fine.
– Kayson
Nov 19 at 19:36
add a comment |
up vote
1
down vote
up vote
1
down vote
Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
That’s pretty definitive. The client is not going to accept a control connection established over a local IP and a data connection over a different IP.
Best solution should be to just change the local DNS to provide the public IP address. Shouldn’t be any harm in that if it works.
Destination IP of data connection does not match peer IP of control connection. Not binding source address of data connection.
That’s pretty definitive. The client is not going to accept a control connection established over a local IP and a data connection over a different IP.
Best solution should be to just change the local DNS to provide the public IP address. Shouldn’t be any harm in that if it works.
answered Nov 19 at 18:43
Appleoddity
6,78121024
6,78121024
At first I thought it might be the client rejecting this particular sort of setup, but I tried several clients and none of those work. They just all time out... I'm trying to avoid doing that DNS setup in general because my router doesn't have enough CPU power to saturate my gigabit ethernet while looping back. So most services route over LAN and I can get the full speed. I don't mind if ftp loops back and is slower since I mainly use smb for file transfers anyways, but I'd like it to at least work...
– Kayson
Nov 19 at 18:56
@Kayson the log of whatever client you listed says the above and it is the client rejecting this setup. It’s probably a security feature. Maybe it can be changed on options in the client. But it’s not going to connect if the two IPs are different as is.
– Appleoddity
Nov 19 at 18:59
Yeah that does make sense. Thanks. I think I need to set up a different server
– Kayson
Nov 19 at 19:05
This is a terrible solution, but I changed my ftp server to respond to passive requests with the local IP. When accessed over WAN, the filezilla client recognizes the internal IP and ignores it, using the control host IP instead. When accessed over LAN, everything works fine.
– Kayson
Nov 19 at 19:36
add a comment |
At first I thought it might be the client rejecting this particular sort of setup, but I tried several clients and none of those work. They just all time out... I'm trying to avoid doing that DNS setup in general because my router doesn't have enough CPU power to saturate my gigabit ethernet while looping back. So most services route over LAN and I can get the full speed. I don't mind if ftp loops back and is slower since I mainly use smb for file transfers anyways, but I'd like it to at least work...
– Kayson
Nov 19 at 18:56
@Kayson the log of whatever client you listed says the above and it is the client rejecting this setup. It’s probably a security feature. Maybe it can be changed on options in the client. But it’s not going to connect if the two IPs are different as is.
– Appleoddity
Nov 19 at 18:59
Yeah that does make sense. Thanks. I think I need to set up a different server
– Kayson
Nov 19 at 19:05
This is a terrible solution, but I changed my ftp server to respond to passive requests with the local IP. When accessed over WAN, the filezilla client recognizes the internal IP and ignores it, using the control host IP instead. When accessed over LAN, everything works fine.
– Kayson
Nov 19 at 19:36
At first I thought it might be the client rejecting this particular sort of setup, but I tried several clients and none of those work. They just all time out... I'm trying to avoid doing that DNS setup in general because my router doesn't have enough CPU power to saturate my gigabit ethernet while looping back. So most services route over LAN and I can get the full speed. I don't mind if ftp loops back and is slower since I mainly use smb for file transfers anyways, but I'd like it to at least work...
– Kayson
Nov 19 at 18:56
At first I thought it might be the client rejecting this particular sort of setup, but I tried several clients and none of those work. They just all time out... I'm trying to avoid doing that DNS setup in general because my router doesn't have enough CPU power to saturate my gigabit ethernet while looping back. So most services route over LAN and I can get the full speed. I don't mind if ftp loops back and is slower since I mainly use smb for file transfers anyways, but I'd like it to at least work...
– Kayson
Nov 19 at 18:56
@Kayson the log of whatever client you listed says the above and it is the client rejecting this setup. It’s probably a security feature. Maybe it can be changed on options in the client. But it’s not going to connect if the two IPs are different as is.
– Appleoddity
Nov 19 at 18:59
@Kayson the log of whatever client you listed says the above and it is the client rejecting this setup. It’s probably a security feature. Maybe it can be changed on options in the client. But it’s not going to connect if the two IPs are different as is.
– Appleoddity
Nov 19 at 18:59
Yeah that does make sense. Thanks. I think I need to set up a different server
– Kayson
Nov 19 at 19:05
Yeah that does make sense. Thanks. I think I need to set up a different server
– Kayson
Nov 19 at 19:05
This is a terrible solution, but I changed my ftp server to respond to passive requests with the local IP. When accessed over WAN, the filezilla client recognizes the internal IP and ignores it, using the control host IP instead. When accessed over LAN, everything works fine.
– Kayson
Nov 19 at 19:36
This is a terrible solution, but I changed my ftp server to respond to passive requests with the local IP. When accessed over WAN, the filezilla client recognizes the internal IP and ignores it, using the control host IP instead. When accessed over LAN, everything works fine.
– Kayson
Nov 19 at 19:36
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376759%2fpassive-mode-ftp-works-over-wan-but-not-lan%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown