FTP blocked

petersstrempel
Level 3

Since switching to TPG NBN (fibre to the premise) with a TP Link Archer VR1600v modem I have been unable to FTP to my WordPress blog.

 

I have added rules to my Windows 10 firewall to allow FileZilla through with zero constraints on public and private networks.  I am not running a third party AV/Firewall.

 

On the router I have done the following:

  • I have added the virtual server FTP service for my PC on port 21.  No joy.
  • I have added FileZilla to port triggering with an external port range 5000-7000 for FTP and UDP.  This allows FileZilla's wizard to connect to its own test FTP site, but no joy for my own WordPress blog.
  • I have made my PC a DMZ.  No joy.

My web host has no problems with the server, and can reach my FTP account remotely without difficulty.  My web host says if I had a static IP he could whitelist it, but that's not how your setup works, is it?

 

Why is this so difficult?  FTP has been a web standard for decades!

11 REPLIES
david64
Level 12

Hi @petersstrempel. When you set up the port forwarding, have you done it on the proper WAN port? The one shown on Advanced Status page.

Have you set up DDNS so you can access your home network using a host name?

You can use www.portchecktool.com to test your setup.

petersstrempel
Level 3

Advanced settings list no ports, just the WAN interface name, which is indeed the same interface for which I configured port 21.

 

Why would I need DDNS?  I am just trying to use FTP, not use my local machine as a server.

 

And no, the port is not reported as open by portchecktool.

 

Are you telling me I need a DDNS service just to use FTP?

 

Does TPG supply it free of charge?

david64
Level 12

@petersstrempel. I may have misunderstood.

Do you have an FTP server connected to the Archer that you connect to from the internet?

Or, is the FTP server elsewhere and you connect to it from the Archer network?

 

My previous post (deleted) was not correct. Just reading more about FTP. 

 

If the latter, you connect to port 21 on the remote server. If FileZilla uses Passive FTP, it sends a PASV command to the server. The server responds with a port number that FileZilla should connect to for the data transfer. This saves having to do any setup in the local router ("firewall friendly") because FileZilla is always making the outbound connection.

I don't see that you need a virtual server definition for port 21 since you don't have an FTP server.

Do you know if you are getting a connection to the remote FTP server? You can run a telnet command to the remote IP address and port 21.

 

petersstrempel
Level 3

I am using an FTP client on my local machine to try to connect to a remote server.  I am not using my local machine or router as a server.

 

No passive FTP setting gets through the router. 

 

Only an active connection succeeds with the FileZilla client at all, if, and only if, I specify port triggering for port 21 to a range of ports that is fewer than all available ports, and that range doesn't interfere with router UPnP and CWMP functions. Say, 5000 to 7000, established through port triggering by port 21 in the router settings.

 

But even that doesn't allow me to connect to my remote server, which is expecting a passive connection.

 

How do I tell this piece of crap router not to arbitrarily restrict ports for FTP?

 

If you don't work for TPG, or are not familiar with the specific router, you may not be able to help me at all.

david64
Level 12

@petersstrempel. Suggest using packet capture software, e.g. Wireshark, to see what's going on. And on the FTP server.

The active command and the passive response carry an IP address which has to be translated into an external IP address. This would be done by the FTP ALG function of the router.

If you have the router from your previous provider, use it to compare the datastreams.

petersstrempel
Level 3

Not sure that's feasible.  The previous router was ADSL, not DSL, and that connection is terminated.  Local IP address translation is done by the FTP client, and remote server IP address is a DNS job.

 

david64
Level 12

@petersstrempel. What model was your ADSL router? Some later models could do ADSL plus NBN VDSL plus ethernet WAN. Keep it since it could be useful as a switch or network extender.

Understand about DNS having to find the IP address of your FTP server; everything after that uses IP addresses.

Wireshark will be useful at your end and it would be really good to have it at the server end as well. It will show if the FTP ALG of your VR1600 is correct or has a bug. And if whatever at the other end is correct.

 

(Following is my understanding of FTP.)

If the FileZilla client uses Passive FTP, it will send a PASV command to the server on port 21. The server returns a PASV response containing its local IP address and a port number that it will open for the client to connect to. The FTP ALG on the "router" at the server end changes the local IP address to the public IP address. When the PASV response is received by your router, there is nothing special for it to do. Your client receives the PASV response with the port number and the public IP address (most likely the same as it used for the initial connection). FileZilla connects to that IP address and port number for data transfer.

If the FileZilla client uses Active FTP, it will send a PORT command to the server on port 21. The command contains the client's local IP address (e.g. 192.168.1.101) plus the port number that the client will open for the server to connect to. The VR1600 FTP ALG should change the local IP address in the PORT command to its public IP address. Not clear from here on. Does the VR1600 know to open this port for return traffic, or do you have to set port triggering for the range of ports that FileZilla has been configured to use?

Last resort is to replace the VR1600 with something of your own choice. If you use a VoIP home phone, it connects to the FTTP NBN box. TPG FTTP does not use a VLAN ID, which makes things a bit easier.
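
Added example, not part of the original post or of any router or FileZilla code: a Python check for the address field that PORT commands and 227 (PASV) replies carry, for use on lines read out of a packet capture taken on the far side of the NAT. The function names, the verdict labels and the sample lines are assumptions made for this illustration; 203.0.113.0/24 is a documentation range standing in for public addresses.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that only mean something behind a NAT.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959).
_FIELD = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def parse_hostport(line):
    """Decode the data-connection endpoint from a PORT command or 227 reply."""
    m = _FIELD.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field value above 255 in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def audit_data_endpoint(line, control_peer):
    """Classify the endpoint in `line` as captured on the far side of the NAT.

    control_peer is the address the capturing host sees as the other end
    of the control (port 21) connection.
    """
    ip, port = parse_hostport(line)
    peer = ipaddress.IPv4Address(control_peer)
    if ip != peer and any(ip in net for net in RFC1918):
        verdict = "unrewritten-private"   # LAN address crossed the NAT unchanged
    elif ip != peer:
        verdict = "peer-mismatch"         # data address is not the control peer
    else:
        verdict = "ok"
    return {"ip": str(ip), "port": port, "verdict": verdict}


# Constructed sample lines paired with the control-connection peer address.
SAMPLES = [
    ("PORT 192,168,1,101,19,137", "203.0.113.10"),   # at server, ALG did nothing
    ("PORT 203,0,113,10,19,137", "203.0.113.10"),    # at server, ALG rewrote it
    ("227 Entering Passive Mode (10,0,0,5,195,80)", "203.0.113.20"),  # at client
]

if __name__ == "__main__":
    for line, peer in SAMPLES:
        print(line, "->", audit_data_endpoint(line, peer))
```

An "unrewritten-private" verdict means the data connection will be aimed at an address the other side cannot route to; "peer-mismatch" is the case many servers and clients refuse outright, since a data address that differs from the control peer is how FTP bounce abuse works.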

david64
Level 12

@petersstrempel. Can you turn on logging in FileZilla? It should show how far the process is getting.

petersstrempel
Level 3

It's not a helpful error message:

 

Status: Connecting to 52.163.122.115:21...
Status: Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
Error: Could not connect to server
Status: Waiting to retry...
Status: Resolving address of xxxxxxxx.com [domain name redacted]
Status: Connecting to 52.163.122.115:21...
Status: Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
Error: Could not connect to server