USG60 port forwarding (SFTP/FTP) does not work anymore
Hello,
Recently we changed the settings of our FTP server from serving plain FTP to SFTP. The initial test seemed to work, but now the forwarding seems to be stopped by our USG60.
When testing a login directly to the server's IP from the internal network the connection works, but when using the URL, and thus coming in via the WAN, the FTP client gives an error that the connection has expired after 20 seconds of inactivity: "Error: Cannot connect to server."
I have these settings regarding the NAT:
The Internal IP is set to "SynologyFTP":
When I connect using this IP address from the LAN, the connection works using both ports 21 and 22.
When I check the open ports on our domain or fixed IP address, both ports seem open.
Does anyone have any suggestions or solutions?
Best Answers
-
--- PROBLEM SOLVED ---
I had changed the incoming port on the Synology to port 115 in one of the attempts before and forgot to put it back to port 22. Stupid me...
Anyway, the solution to this issue:
The USG is using port 22 for SSH; the Synology uses port 22 as standard for SFTP access. The USG was thinking that an FTP user would try to log in to the USG and overruled the port forwarding NAT. The USG rejected the attempt.
I've changed the USG SSH port to another port and have a NAT that forwards port 22 from the WAN to the Synology with the corresponding Security Policy.
0 -
--- PROBLEM SOLVED ---
When attempting to solve the issue in one of the previous steps, I had changed the SFTP incoming port on the Synology to 115. I forgot about that. Changed it back to port 22 and the problem is solved.
The issue was caused by the fact that the USG uses port 22 as the standard port to access SSH. I've changed the SSH port, as suggested by @USG_User, to another port.
I have a port forwarding NAT for port 22 that goes to the Synology with the corresponding Security Policy, and the setup is working now.
0
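The cause described in the answers above (the firewall's own SSH service answering on TCP/22 in front of the NAT rule) is exactly what a port scan or TCP traceroute cannot see: both only prove that something completed the handshake on port 22. An SSH server sends its identification line (RFC 4253, section 4.2) right after the connection opens, so grabbing that line from the LAN side (the Synology's internal address) and from the WAN side (the public address, tested from outside the network) and comparing the two tells you whether the same server is answering. The script below is an added example, not code from the thread or from Zyxel or Synology; the host names, the sample banners in the test, and the 1 KiB read limit are my own assumptions, and it makes no claim about what banner either device actually sends.

```python
"""Which device answers on TCP/22 from the LAN and from the WAN?

Added example (not from the forum thread). Usage:
    python3 which_ssh.py <lan-host> <wan-host> [port]
Run the WAN check from a host outside the network (e.g. a phone hotspot):
from inside the LAN, the public address hits the firewall's own interface.
"""
import socket
import sys


def parse_ssh_banner(data: bytes):
    """Return the SSH identification line from raw server bytes, or None.

    RFC 4253 allows a server to send arbitrary text lines before the one that
    starts with "SSH-"; a client must skip those. Lines end in CR LF.
    """
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", errors="replace")
    return None


def _has_complete_banner(buf: bytes) -> bool:
    """True once the buffer holds an "SSH-" line terminated by a newline."""
    start = buf.find(b"SSH-")
    return start != -1 and buf.find(b"\n", start) != -1


def grab_banner(host: str, port: int = 22, timeout: float = 5.0):
    """Connect, read until the ident line (or 1 KiB / timeout), parse it.

    Returns None when the peer closes or stays silent (an FTP server on 21,
    a filtered port, or a non-SSH service) instead of raising.
    """
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while len(buf) < 1024 and not _has_complete_banner(buf):
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
    except (OSError, socket.timeout):
        return None
    return parse_ssh_banner(buf)


def classify(lan_banner, wan_banner) -> str:
    """Interpret the LAN-side and WAN-side ident lines.

    "different_host": the WAN connection is being answered by something other
    than the server reached directly on the LAN (e.g. the firewall's own SSH
    management service taking precedence over the NAT rule).
    "same_host": same ident line on both sides. Note this is only a strong
    hint: two different boxes running the identical SSH version would match too.
    """
    if lan_banner is None:
        return "lan_no_banner"
    if wan_banner is None:
        return "wan_no_banner"
    return "same_host" if lan_banner == wan_banner else "different_host"


def check(lan_host: str, wan_host: str, port: int = 22) -> dict:
    """Grab both banners and return a small report dict."""
    lan = grab_banner(lan_host, port)
    wan = grab_banner(wan_host, port)
    return {"lan": lan, "wan": wan, "verdict": classify(lan, wan)}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    prt = int(sys.argv[3]) if len(sys.argv) > 3 else 22
    report = check(sys.argv[1], sys.argv[2], prt)
    print(f"LAN  {sys.argv[1]}:{prt} -> {report['lan']}")
    print(f"WAN  {sys.argv[2]}:{prt} -> {report['wan']}")
    print(f"verdict: {report['verdict']}")
```

A "different_host" verdict is the signature of the problem in this thread: the forwarding rule exists, the port shows open from outside, but the firewall answers the connection itself. Two caveats a practitioner should keep in mind: moving the USG's management SSH to another port frees 22 for the NAT rule but does not by itself stop management access from the WAN, which the Security Policy still has to restrict; and a matching banner is not proof of the same host, only a strong hint, so confirm by logging in once the banners agree.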
All Replies
-
Have you created a security policy for those ports from WAN1 to LAN1?
0 -
Yes, I did... forgot to attach:
0 -
You may need to NAT the passive ports too.
0 -
In the past our setup worked without the passive ports (49152-65535). This might be applicable, but we don't want to use insecure plain FTP, just SFTP.
0 -
From the remote side, get https://simulatedsimian.github.io/tracetcp.html
and run
tracetcp IP:22
Some ISPs block port 22.
0 -
Thank you for thinking along, Peter... The problem now is that I don't have access to a Windows host to run TraceTCP... I'll look for a Mac alternative.
0 -
I've installed tcptraceroute and ran "tcptraceroute hostname port". These are the results:
Selected device en0, address 192.168.0.120, port 50778 for outgoing packets
Tracing the path to xxxx.tech (nnn.nnn.nnn.nnn) on TCP port 22 (ssh), 30 hops max
1 d5152c90c.static.xxxx.be (nnn.nnn.nnn.nnn) 2.002 ms 1.858 ms 3.877 ms
2 * * *
So apparently the ISP is not blocking port 22.
0 -
Did you check reaching the Synology SFTP Server in LAN1 from WAN (Internet) by using your public IP address and not the URL?
0 -
Yes, I did, and this is not working either. That's why I came to the conclusion that I must have messed up the USG60 configuration.
A quick roundup at this moment:
- Access from the LAN to the servers IP works on port 21 and port 22
- Access from WAN by Fixed IP does not work, neither on port 21, nor 22
- Access from WAN by URL does not work, neither on port 21, nor 22
- TCP Traceroute on port 22 by URL shows port open
- TCP Traceroute on port 22 by Public Fixed IP shows port open
0 -
OK, it's not a DNS problem. Checked.
Did you try temporarily switching off the Security Policy Control and/or did you check the USG logs for any blocked connections to exclude any Policy Control issues?
0