USG60 port forwarding (SFTP/FTP) does not work anymore

Pedro_vde Posts: 17  Freshman Member
edited April 2021 in Security

Hello,

Recently we changed the settings of our FTP server from serving plain FTP to SFTP. Initial tests seemed to work, but now the forwarding seems to be stopped by our USG60.

When testing a login directly to the server's IP from the internal network the connection works, but when using the URL and thus coming in via the WAN, the FTP client gives an error that the connection expired after 20 seconds of inactivity: "Error: Cannot connect to server."

I have these settings regarding the NAT:

The Internal IP is set to "SynologyFTP":

When I connect using this IP address from the LAN, the connection works using both ports 21 and 22.

When I check the open ports on our domain or fixed IP address, both ports seem open.

Does anyone have any suggestions or solutions?

Best Answers

  • Pedro_vde

    --- PROBLEM SOLVED ---

    I had changed the incoming port on the Synology to port 115 in one of the attempts before and forgot to put it back to port 22. Stupid me...

    Anyway, the solution to this issue:

    USG is using port 22 for SSH, Synology uses port 22 standard for SFTP access. USG was thinking that an FTP-user would try to login to the USG and overruled the port forwarding NAT. USG rejected the attempt.

    I've changed the USG SSH port to another port and have a NAT that forwards port 22 from the WAN to the Synology with the corresponding Security Policy.

  • Pedro_vde

    --- PROBLEM SOLVED ---

    When attempting to solve the issue in one of the previous steps, I've changed the SFTP incoming port on the Synology to 115. I forgot about that. Changed back to port 22 and the problem is solved.

    The issue was caused by the fact that the USG uses port 22 as the standard port to access SSH. I've changed the SSH port - as suggested by @USG_User - to another port.

    I have a port forwarding NAT for port 22 that goes to the Synology with the according Security Policy and the setup is working now.

    Thanks to @USG_User and @PeterUK for thinking along!
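The root cause in both answers above is that the gateway's own SSH daemon, not the NAT rule, was answering port 22. An added example (not from the original thread or from Zyxel) that reads the SSH identification string (RFC 4253, section 4.2) from outside and reports which software is answering, so this kind of misrouting is visible before a client times out; the hostname, port and expected banner are assumptions you replace with your own.

```python
"""Check which SSH service answers a forwarded port.

When a firewall runs SSH on port 22 and a NAT rule also forwards port 22,
the WAN side may reach the firewall's daemon instead of the internal host.
The first line the server sends that starts with "SSH-" identifies the
software (RFC 4253: SSH-protoversion-softwareversion [SP comments] CRLF).
"""
import socket
from typing import Optional


def parse_ssh_banner(data: bytes) -> Optional[str]:
    """Return the softwareversion field from an SSH identification string.

    Servers may send other lines before the identification line; only the
    first line beginning with "SSH-" counts. Returns None if none is found
    (for example when a plain FTP greeting or nothing at all comes back).
    """
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            parts = line.split(b"-", 2)  # "SSH", protoversion, rest
            if len(parts) < 3:
                return None
            # Drop optional comments after the first space.
            return parts[2].split(b" ", 1)[0].decode("ascii", "replace")
    return None


def classify(software: Optional[str], expected: str) -> str:
    """Say whether the forwarded host or some other daemon is answering."""
    if software is None:
        return "no-ssh-banner"      # port filtered, or not an SSH service
    if software.lower().startswith(expected.lower()):
        return "forwarded-host"     # banner matches the internal server
    return "other-daemon"           # something else (e.g. the gateway) answered


def probe(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Connect from the outside and read the first bytes the server sends."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return parse_ssh_banner(s.recv(256))
    except OSError:
        return None


if __name__ == "__main__":
    # Assumed placeholder host and expected banner prefix; adjust to your setup.
    software = probe("public.example", 22)
    print(software, classify(software, "OpenSSH"))
```

Run it from a host outside your network; "other-daemon" means the port is open but a service other than the one you forwarded to is replying.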


All Replies

  • USG_User
    USG_User Posts: 369  Master Member

    Have you created a security policy for those ports from WAN1 to LAN1?

  • Pedro_vde

    Yes, I did... forgot to attach:

  • PeterUK
    PeterUK Posts: 2,730  Guru Member
    edited March 2020

    You may need to NAT the passive ports too.

  • Pedro_vde

    In the past our setup worked without the passive ports (49152-65535). This might be applicable but we don't want to use the insecure plain FTP, but just the SFTP.

  • PeterUK
    edited March 2020

    From the remote side, get https://simulatedsimian.github.io/tracetcp.html

    and run

    tracetcp IP:22

    Some ISPs block port 22.

  • Pedro_vde

    Thank you for thinking along, Peter... The problem now is that I don't have access to a Windows host to run TraceTCP... I'll look for a Mac alternative.

  • Pedro_vde

    I've installed tcptraceroute and ran "tcptraceroute hostname port".

    These are the results:

    Selected device en0, address 192.168.0.120, port 50778 for outgoing packets

    Tracing the path to xxxx.tech (nnn.nnn.nnn.nnn) on TCP port 22 (ssh), 30 hops max

     1 d5152c90c.static.xxxx.be (nnn.nnn.nnn.nnn) 2.002 ms 1.858 ms 3.877 ms

     2 * * *

    So apparently the ISP is not blocking port 22.

  • USG_User

    Did you check reaching the Synology SFTP Server in LAN1 from WAN (Internet) by using your public IP address and not the URL?

  • Pedro_vde

    Yes I did, and this is not working either. That's why I came to the conclusion that I must have messed up the USG60 configuration.

    A quick roundup at this moment:

    • Access from the LAN to the server's IP works on port 21 and port 22
    • Access from WAN by fixed IP does not work, neither on port 21 nor 22
    • Access from WAN by URL does not work, neither on port 21 nor 22
    • TCP traceroute on port 22 by URL shows port open
    • TCP traceroute on port 22 by public fixed IP shows port open

  • USG_User

    OK, it's not a DNS problem. Checked.

    Did you try temporarily switching off the Security Policy Control and/or did you check the USG logs for any blocked connections to exclude any Policy Control issues?
