Many modern routers and firewalls try to handle passive FTP traffic intelligently by automatically modifying FTP commands so that they work seamlessly with the device. However, specifying the public IP for passive (PASV) command responses can then cause problems, particularly if port forwarding is correctly set up. If you have confirmed that port forwarding is configured properly but passive FTP still fails, this may be the root cause.
Diagnosing the Issue:
One way to diagnose this issue is to monitor the log file from Cerberus FTP Server and the FTP client during a passive connection attempt. Excerpts from both logs can reveal discrepancies in the ports used, indicating potential interference from the router.
Symptoms:
1. Different Ports in Logs:
- Cerberus Log:
```
May 01 13:12:04 42 257 "/" is the current directory
May 01 13:12:04 42 TYPE A
May 01 13:12:04 42 200 Type ASCII
May 01 13:12:04 42 PASV
May 01 13:12:04 42 227 Entering Passive Mode (X,X,X,X, 7,255)
May 01 13:12:04 42 MLSD
```
- FTP Client Log:
```
Command: TYPE A
Response: 200 Type ASCII
Command: PASV
Response: 227 Entering Passive Mode (X,X,X,X,130,128)
Command: MLSD
```
2. Firewall Blocking Connection:
Sometimes, even when ports are consistent, stateful packet inspection firewalls may block the connection if the public IP address is used in the FTP command.
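The port in a 227 reply is encoded in its last two numbers as p1*256 + p2, so the excerpts above show the server sending port 2047 and the client receiving port 33408. The following is an added example, not part of Cerberus FTP Server or the original article, that parses both logs and reports each passive reply that was changed in transit; the function names are illustrative and the sample lines are copied from the excerpts above.

```python
import re

# A 227 reply carries six comma-separated fields: h1,h2,h3,h4,p1,p2.
# Host fields may be masked (e.g. "X") in sanitized logs, so accept any word.
PASV_RE = re.compile(
    r"227 [^(]*\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)"
)

def parse_pasv(line):
    """Return (host, port) advertised in a 227 reply line, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    p1, p2 = int(m.group(5)), int(m.group(6))
    if p1 > 255 or p2 > 255:
        return None  # not a valid port encoding
    return ".".join(m.group(1, 2, 3, 4)), p1 * 256 + p2

def pasv_replies(log_text):
    return [r for r in map(parse_pasv, log_text.splitlines()) if r]

def compare(server_log, client_log):
    """Pair the Nth 227 reply the server sent with the Nth the client received."""
    findings = []
    for sent, seen in zip(pasv_replies(server_log), pasv_replies(client_log)):
        if sent != seen:
            findings.append({
                "sent": sent, "seen": seen,
                "host_rewritten": sent[0] != seen[0],
                "port_rewritten": sent[1] != seen[1],
            })
    return findings

# Sample input: the 227 lines from the two log excerpts above.
SERVER_LOG = """May 01 13:12:04 42 PASV
May 01 13:12:04 42 227 Entering Passive Mode (X,X,X,X, 7,255)
May 01 13:12:04 42 MLSD"""
CLIENT_LOG = """Command: PASV
Response: 227 Entering Passive Mode (X,X,X,X,130,128)
Command: MLSD"""

if __name__ == "__main__":
    for f in compare(SERVER_LOG, CLIENT_LOG):
        print("server sent %s:%d, client saw %s:%d" % (f["sent"] + f["seen"]))
```

A non-empty result means a device between the server and the client rewrote the reply; an empty result with transfers still failing points to the second symptom instead.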
Steps to Resolve:
To address either issue, adjust Cerberus FTP Server's PASV IP setting to use the internal LAN IP instead of the external or public IP visible from outside the local network. Follow these steps for each FTP interface:
1. Go to Server Manager and select the Listeners page.
2. Click on the FTP or FTPS listener matching your server's IP (avoid modifying the Default listener and skip the localhost listener on the loopback IP - 127.0.0.1).
3. In the PASV Options section, select the "Use Different IP for Passive" radio button, and input the local IP address in the provided text box (e.g., if the IP listed on the listener is 192.168.0.110, enter that in the box).
4. Click the Update button to apply the changes.
5. Retest the connection.