Many of the newer, "smarter" routers and firewalls attempt to detect passive FTP traffic and automatically modify the FTP commands to work correctly with the router or firewall device. Specifying the public IP for passive command responses can cause problems with these routers and firewalls. If you are certain that you've correctly setup port forwarding and you are still having problems with passive FTP then this might be your problem.
One way to diagnose this issue is to monitor the log file from Cerberus and the FTP client as a passive connection is attempted. The log file excerpts below are from a connection attempt from a popular FTP client to Cerberus FTP Server. The client is located outside of the local network Cerberus FTP Server is installed on.
May 01 13:12:04 42 257 "/" is the current directory
May 01 13:12:04 42 TYPE A
May 01 13:12:04 42 200 Type ASCII
May 01 13:12:04 42 PASV
May 01 13:12:04 42 227 Entering Passive Mode (X,X,X,X, 7,255)
May 01 13:12:04 42 MLSD
Command: TYPE A
Response: 200 Type ASCII
Response: 227 Entering Passive Mode (X,X,X,X,130,128)
The indication that the router is changing the FTP command is the difference in the ports listed between the client log and the server log. See "Steps to resolve" below for a solution.
Sometimes the router does not change the ports but still has problems when the external or public IP is used for the passive command. Many stateful packet inspection firewalls will deny the connection when they see the public IP address used in the FTP command. The firewall expects the local address to be used and will modify the FTP passive command in-route to use the public IP. If the public IP has already been specified then the firewall will often block the connection. See "Steps to resolve "below for a solution.
Steps to resolve:
To resolve either issue you have to change Cerberus FTP Server's PASV IP setting to be your internal LAN IP and not the external or public IP visible from outside your local network. You may need to perform these steps for each FTP interface.
- Go to Server Manager and select the Listeners page
- Click on the FTP or FTPS listener that matches your internal IP. Do NOT select the Default FTP or FTPS listener. Modifying the Default listener will not change existing listeners.
- In the PASV Options section click the Use Different IP for Passive radio button and in the textbox that appears put in the same IP as the interface (your local IP address). i.e. If your local IP is 192.168.0.110 then make the passive IP 192.168.0.110.
- Click the Update button
Please sign in to leave a comment.