hypercube asked:

ftp via VPN with RV042 and Filezilla

I'm trying to set up ftp all within "local" sites that are connected via RV042 VPNs.  
I've selected one site for testing the ftp server.  
I can log into the local server at 127.0.0.1 and at the server's LAN IP address 192.168.1.xxx.
However, I can't log into the server from 192.168.2.xxx over the VPN.
The VPNs have been working for a long time and support all sorts of traffic.  e.g. I can ping from other sites to the ftp server just fine.
So, something seems to be getting in the way of the ftp.
Each system has a local firewall and they have been set for incoming and outgoing ftp traffic on ports 20,21.
giltjr replied:

Can you log in to the ftp server?  Port 21 is the command/control port.

With ftp there are two data transfer modes: active and passive.

With active the server actually acts like a client and connects to the client.  However, it uses the source port 20 and goes to a random port on the client.

With passive the client acts like the client and connects from a random port to a random port.

Then you have the NAT issue.  Typically the ftp process will use the commands PORT (active) or PASV (passive).  In these commands are the IP address and port number that are going to be used.  With SSL this is encrypted, so whatever is doing the NAT can't do it because it can't see the PORT/PASV command.

One solution to this is to use an ftp server and client that support extended mode; this will use the EPSV or EPRT commands instead.  These commands do not have the IP address, and it is assumed that the data connection will occur with the same IP address as the command control.

Another solution is to try the CCC command just prior to the PUT/GET command.  This will put the command control connection in clear text mode so any NAT'ing devices can see the PORT/PASV command.

dpk_wal replied:

As you have the VPN set up, if you ping the IP of the server 192.168.1.x from the 192.168.2.0 subnet, do you get replies?
Also, are you trying to connect to the server using IP or name? If name, there is a possibility that the name is resolving to the public IP instead of the private IP.

Finally, can you post a few sanitized logs for the FTP traffic from both the routers?

Thank you.
hypercube (asker) replied:

Thanks for the replies!

giltjr:
Can you log in to the ftp server?  Port 21 is the command/control port.
***No.  Never.  Not with a client program and not with command line.
Well, that is, I *can* log in to 127.0.0.1 and to the server's own LAN IP.  So, the server is working to that extent.

With ftp there are two data transfer  modes; active and passive.
***The intent here is passive.

Then you have the NAT issue.  
***There's no NAT here.  This is strictly intra-network communication between two subnets via the VPN.  Outgoing packets are routed on the LAN from the gateway device back to the VPN device.  Incoming packets from the VPN just hit the LAN directly.
***Also, I have now found that the ftp connections can't even be made from a computer within the same subnet ... so no VPN involved at all!!  And I'm able to turn off the individual firewall programs, with no help there either.

dpk_wal:

As you have the VPN set up, if you ping the IP of the server 192.168.1.x from the 192.168.2.0 subnet, do you get replies?
***Yes.

Also, are you trying to connect to the server using IP or name? If name, there is a possibility that the name is resolving to the public IP instead of the private IP.
***There is no name service traversing the VPNs - so IP addresses only.

Finally, can you post a few sanitized logs for the FTP traffic from both the routers?
***Routers?  If you mean the VPN devices, I've done something similar.  I have sniffers all over the place on one end (which happens to be the ftp client end right now).  It appears that traffic gets from the ftp client through the VPN device to the DSL modem - can see matching secure packets.  This strongly implies that the packets exit the VPN device at the server end (which I can't see directly).

So, it appears that the VPN isn't the issue at all but, rather, it appears that the ftp server isn't "seeing" the initial packets coming from the client.  As above, this doesn't even work within the same subnet / no VPN.  I can see packets leaving the client with no replies at all and then the client repeats the same type of packet a few times - looks like retries.

As I can turn off the firewall software on both the client and the server, I'm a bit reluctant to suppose this is about ports.  But maybe I'm missing something... ?
Ports 20,21 are open on both ends in the firewalls.
I tried opening a "range" of ports for data but not the entire range 1024 - 65535.
(It's not clear to me how to limit to some range in the client as well????)
This aspect doesn't seem to be very well documented - any references?
And, of course, when the firewall isn't running what difference would that make?
As you are not able to ftp to the server on the local subnet, for testing purposes disable the firewall on the server; as you already have Wireshark running, monitor all the communication and the ports used.
You can then open the required ports depending on what that communication shows.

There can be many reasons why the server is not responding, including the server configuration; a firewall blocking ports is one of them.

Thank you.
OK - apparently some operator error involved.  I re-quit the firewall and now it works.  
So, the issue would be how to set up the firewall - in this case Trendmicro IS.
I am not very conversant with Trendmicro IS configuration; some other expert should be able to help here.

Please request attention if no resolve.

Thank you.
That's OK - I can do Trendmicro just fine.  The problem I'm having is *what* to do in general.
All I can find to read says that passive ftp uses ports ">1023" which means 1024 on up to 65535.
Does this mean that I have to open the entire port range of ports 1024-65535 for incoming and outgoing TCP on the server?

Ref: http://slacksite.com/other/ftp.html
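The port-range question just above and giltjr's earlier explanation of PORT/PASV, EPSV and CCC fit together in a small model of what a firewall's "built-in ftp" helper does. This is an added example, not code from this thread, Experts Exchange, Trend Micro or FileZilla; the addresses, the control-channel transcript and the names FtpAwareFirewall, parse_control_line and run_transcript are constructed for illustration only.

```python
"""Toy model of an FTP-aware stateful firewall (the "built-in ftp" helper kind).

Constructed example, not code from Experts Exchange, Trend Micro or any FTP product.
The helper reads the control channel on port 21, learns the data connection that each
PASV/EPSV/PORT/EPRT announces and opens only that pinhole; AUTH TLS without CCC hides it.
"""
import re
from dataclasses import dataclass

# Message formats from RFC 959 (PORT/PASV) and RFC 2428 (EPRT/EPSV).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|\s*$")


@dataclass(frozen=True)
class DataChannel:
    mode: str         # "passive": client connects to server; "active": server connects to client
    host: str         # address the data connection is made TO
    port: int         # port the data connection is made TO
    carries_ip: bool  # address embedded in the message, i.e. what a NAT device would have to rewrite


def parse_control_line(direction, line, server_ip):
    """Return the DataChannel a control line announces, or None. direction: "C>" or "S>"."""
    if direction == "S>":
        if m := PASV_RE.match(line):
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            return DataChannel("passive", f"{a}.{b}.{c}.{d}", p1 * 256 + p2, True)
        if m := EPSV_RE.match(line):  # port only; client reuses the control connection's peer
            return DataChannel("passive", server_ip, int(m.group(1)), False)
    else:
        if m := PORT_RE.match(line):
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            return DataChannel("active", f"{a}.{b}.{c}.{d}", p1 * 256 + p2, True)
        if m := EPRT_RE.match(line):  # unlike EPSV, EPRT does carry the client address
            return DataChannel("active", m.group(1), int(m.group(2)), True)
    return None


class FtpAwareFirewall:
    """Permits port 21 plus only the data connections announced on the control channel."""

    def __init__(self, server_ip, static_passive_range=None):
        self.server_ip = server_ip
        self.static_range = static_passive_range  # (lo, hi) opened unconditionally, or None
        self.pinholes = set()                     # (src_ip, dst_ip, dst_port) learned dynamically
        self.control_encrypted = False

    def observe(self, direction, line, client_ip):
        """Feed one control-channel line; returns the DataChannel learned, if any."""
        cmd = line.strip().upper()
        # Simplified: visibility flips on the AUTH TLS / CCC command itself, not on the reply.
        if direction == "C>" and cmd in ("AUTH TLS", "CCC"):
            self.control_encrypted = cmd == "AUTH TLS"
            return None
        if self.control_encrypted:
            return None  # PASV/PORT travel inside TLS; the helper cannot read them, no pinhole
        ch = parse_control_line(direction, line, self.server_ip)
        if ch is None:
            return None
        src = client_ip if ch.mode == "passive" else self.server_ip
        self.pinholes.add((src, ch.host, ch.port))
        return ch

    def allows(self, src_ip, dst_ip, dst_port):
        """Would a new TCP connection src_ip -> dst_ip:dst_port be permitted?"""
        if dst_ip == self.server_ip and dst_port == 21:
            return True
        if (src_ip, dst_ip, dst_port) in self.pinholes:
            return True
        if self.static_range and dst_ip == self.server_ip:
            lo, hi = self.static_range
            return lo <= dst_port <= hi
        return False


def run_transcript(fw, transcript, client_ip):
    """Replay (direction, line) pairs through fw; returns the DataChannels it learned."""
    learned = []
    for direction, line in transcript:
        ch = fw.observe(direction, line, client_ip)
        if ch is not None:
            learned.append(ch)
    return learned


# Constructed exchange between client 192.168.2.5 and server 192.168.1.10 (sample values).
SERVER_IP = "192.168.1.10"
CLIENT_IP = "192.168.2.5"
TRANSCRIPT = [
    ("C>", "PASV"),
    ("S>", "227 Entering Passive Mode (192,168,1,10,195,88)."),  # 195*256+88 = 50008
    ("C>", "EPSV"),
    ("S>", "229 Entering Extended Passive Mode (|||50010|)."),
    ("C>", "PORT 192,168,2,5,196,20"),                           # 196*256+20 = 50196
    ("S>", "200 PORT command successful."),
]
```

Replaying TRANSCRIPT through `FtpAwareFirewall(SERVER_IP)` opens exactly three pinholes (client to server on 50008 and 50010, server to client on 50196) and nothing else, which is the behaviour behind the thread's outcome: with the firewall's FTP setting enabled, no static passive range on the server side is required. The `static_passive_range` branch is the fallback for a firewall with no FTP awareness, and even then it should match the range the server is actually configured to hand out in PASV replies rather than all of 1024-65535. Prepending `("C>", "AUTH TLS")` to the transcript shows the other half of giltjr's point: once the control channel is encrypted the helper learns nothing, and a `("C>", "CCC")` after it restores visibility.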
ASKER CERTIFIED SOLUTION by giltjr
hypercube (asker) replied:

Thanks for sticking with me.  As it turned out, everything worked as you suggested with no changes except checking the built-in ftp setting on the Trendmicro firewall.
No special passive port range on the server needed, it appears.  And that makes sense....