Cannot Connect to FTP Server Behind Zyxel Router

SoloReaver
SoloReaver Posts: 1  Freshman Member
edited April 2021 in Security

Hi everyone, 

So I am trying to set up an FTP folder on my Windows server, running Windows Server 2008 R2. I believe I have it set up correctly on the server end, but I'm running into problems with my Zyxel ZyWall USG-100 Plus router.

I can also access it through ftp clients from the Internet as long as I create rules under NAT and Firewall to route *any* service to my server. But as soon as I just make rules for FTP only, it doesn't work. It can connect/login to the server, but it gets stuck on "Retrieving directory listing", and I get an error that says "Failed to retrieve directory listing" when I try to connect with my FTP client.

I also have FTP ALG and FTP Transformations enabled for port 21.

Does anyone have any suggestions to fix this? Thanks


Comments

  • Jeremylin
    Jeremylin Posts: 166  Master Member
    I can also access it through ftp clients from the Internet as long as I create rules under NAT and Firewall to route *any* service to my server. I just make rules for FTP only, it doesn't work.
    What is the port number of the FTP server? It seems the port number of the FTP server is not port 21 or 22; therefore, the remote client cannot access it.
  • DennizOlof
    DennizOlof Posts: 20  Freshman Member
    SoloReaver, Classic issue.

    You need to configure the FTP client software to use "passive mode" (PASV), because otherwise your
    connection is an "active mode" FTP session, and that does not work, for the most part, through
    a firewall.

    With active mode, you always get stuck at the same line, getting directory listing and nothing happens.

    If you have an FTP on a public IP, an active session will work just fine; however, as most traffic on the Internet often involves some form of firewall, passive mode works much better and almost never fails. Only under rare conditions could it fail, but nothing the average Internet user will notice.
  • pvairo
    pvairo Posts: 1  Freshman Member
    Hi,
    I use this post for a similar issue.

    This is my scenario:
    FTP protocol on port 8881
    FTP client logged in and connected on FTP server correctly
    FTP client tries to upload the zip file on server
    The connection enters passive mode, but...
    227 Entering Passive Mode (192,168,45,10,250,56)
    [Replacing PASV mode reply address 192.168.45.10 with 93....]

    192.168.45.10 is the FTP server IP (SERVER10)
    192.168.45.254 is the USG110 LAN IP
    192.168.1.254 is the USG110 WAN IP (ZYWALL_WAN)
    192.168.1.1 is the Vodafone router IP
    93.... is the WAN IP  

    I think that the problem is the reply with the FTP server IP instead of the USG110 WAN IP.
    How can I show/exit with the USG110 WAN IP (192.168.1.254)? 


    These are the zywall's configurations:




  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @pvairo,
    In your topology, the FTP server is behind two NAT routers, and the upper-layer router (Vodafone) is not aware of the FTP connection.
    You must enable FTP ALG (TCP 8881) on the Vodafone router for the FTP data port connection.
