FileZilla Server STILL drops after entering passive mode

startfresh
504 Command not implemented
Posts: 8
Joined: 2016-01-06 03:57

FileZilla Server STILL drops after entering passive mode

#1 Post by startfresh » 2016-01-06 12:50

After reading posts in this forum, the FZ Wiki and FAQs, I still cannot get FZ Server to hold a connection. It has the classic problem of dropping when entering Passive mode.

So I set up an experiment - I left my client (fireFTP) and Router (Linksys EA4500) and Windows 10 Firewall untouched. The Router has ports 21 and 5151 opened for FTP as well as a range of 100 ports above 5000. The experiment used Plain FTP just to avoid additional security complexity.

Then I created these two variants:

Experiment #1
Uninstall FZ Server (including settings); Install fresh new FZ Server. Listen on 5151, get ip from external source, set the passive range the same as the router. Set up one user with full rights and access to everything. Tried testftp.net. No joy. Message is connection time out. Tried fireFTP client (just for confirmation) - unable to connect.

Using the windows Services, I then stopped the FileZilla server service.

Experiment #2
Fresh install of WingFTP. Changed settings and added a user exactly as above for FZ Server. Tried testftp.net and instantly connected. Tried fireFTP client - same...instant connection and usability.

So it would seem that the issues I'm having are not related to router settings. They may be related to Windows Firewall settings if WingFTP is doing something automagically that FZ Server installation is not. Or it may be related to some setting that I need to make in FZ Server that WingFTP sets automagically.

In any event, my goal is to use FZ Server and any/all assistance would be appreciated.

botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Server STILL drops after entering passive mode

#2 Post by botg » 2016-01-06 13:11

Check the reply to the PASV command. Is it identical in both the server log as well as displayed on https://ftptest.net/ ?

If the reply differs, some firewall or NAT router has actively sabotaged the connection.

boco
Contributor
Posts: 24685
Joined: 2006-05-01 03:28
Location: Germany

Re: FileZilla Server STILL drops after entering passive mode

#3 Post by boco » 2016-01-06 13:12

First, the decision to use plain FTP for testing is not a good one. Routers/firewalls do tamper with FTP traffic (DPS/DPI) unless it is encrypted. That's why testing using FTPS Explicit is better. End-to-end encryption locks out all man-in-the-middle devices.

About the firewall settings: We cannot know what other servers do. They might use transparent port opening/forwarding, or even UPNP/NAT-PMP. FileZilla Server doesn't do any port forwarding/opening by itself, it rightfully expects the Administrator/User to deal with it.

Essentially:
FileZilla Server must know about the range you forwarded/opened. (Passive settings - Custom port range) That port range must really be forwarded/opened by static forwarding, things like port triggering are bound to fail, likely.
FileZilla Server must know your public IPv4 (the router address). While that address is invalid inside your LAN, it must be sent out to clients. Be warned that many routers try to exchange that IP address themselves, if FTP is unencrypted!

So https://ftptest.net is the only way to reliably test public IPs, dynamic URLs, and port forwards/openings. When using the public IP/dynamic URL with FTP client inside your LAN to connect to the server you will likely fail. That's normal and expected. Use the LAN IP of the server in this case. Furthermore, you MUST configure WinFirewall with both the listening port(s) and the complete Passive port range.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###
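
The comparison botg asks for in post #2, together with the two requirements boco lists in post #3 (a public address in the PASV reply and a data port inside the forwarded range), can be scripted as below. This is an added example, not part of the thread and not FileZilla code; the sample reply lines, the addresses and the 50000-50999 range are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# A 227 reply carries h1,h2,h3,h4,p1,p2; the data port is p1*256 + p2 (RFC 959).
PASV_RE = re.compile(r"227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# LAN-only ranges that a client on the internet cannot connect to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (ip, port) from a '227 Entering Passive Mode' reply line."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("no 227 PASV reply in: %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def check_pasv(server_line, client_line, port_range):
    """Compare the reply the server logged with the one the client received."""
    findings = []
    s_ip, s_port = parse_pasv(server_line)
    c_ip, c_port = parse_pasv(client_line)
    if (s_ip, s_port) != (c_ip, c_port):
        findings.append("reply rewritten in transit: server sent %s:%d, client saw %s:%d"
                        % (s_ip, s_port, c_ip, c_port))
    if any(s_ip in net for net in RFC1918):
        findings.append("server advertises LAN address %s; external clients cannot reach it" % s_ip)
    lo, hi = port_range
    if not lo <= s_port <= hi:
        findings.append("server port %d is outside the forwarded range %d-%d" % (s_port, lo, hi))
    return findings

# Constructed sample lines (not taken from the thread).
FORWARDED = (50000, 50999)
SERVER_LOG = "227 Entering Passive Mode (192,168,1,20,195,100)"   # from the server log
CLIENT_VIEW = "227 Entering Passive Mode (203,0,113,7,195,100)"   # as shown to the client

if __name__ == "__main__":
    for finding in check_pasv(SERVER_LOG, CLIENT_VIEW, FORWARDED):
        print(finding)
```

With the constructed lines, the script reports both a rewritten reply and a LAN address in the server's own reply, which is the case where plain FTP only works because a device on the path edits the control connection.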

Re: FileZilla Server STILL drops after entering passive mode

#4 Post by startfresh » 2016-01-06 14:22

@botg - thanks for pointing out the PASV response line. When I run the testftp.net for the FZ Server, there appears to be a response but it flashes and disappears. The response returned is: Error: Connection attempt timed out. Even though I have logging enabled in the FZServer Admin, nothing is getting recorded there either. So I can't even compare the responses.

@boco

boco wrote: First, the decision to use plain FTP for testing is not a good one. Routers/firewalls do tamper with FTP traffic (DPS/DPI) unless it is encrypted. That's why testing using FTPS Explicit is better. End-to-end encryption locks out all man-in-the-middle devices.

I know plain FTP is unencrypted and insecure. But for purposes of troubleshooting I was holding it constant. It worked before with the same router and server and now somehow it doesn't. It works with wingFTP but not with FZ.

boco wrote: About the firewall settings: We cannot know what other servers do. They might use transparent port opening/forwarding, or even UPNP/NAT-PMP. FileZilla Server doesn't do any port forwarding/opening by itself, it rightfully expects the Administrator/User to deal with it.

OK great. I thought it was useful to know that somehow plain FTP with the port settings that I've set up CAN connect with the server sitting behind the router and winFirewall. It IS possible. Now to get FZ to work...

boco wrote: Essentially:
FileZilla Server must know about the range you forwarded/opened. (Passive settings - Custom port range) That port range must really be forwarded/opened by static forwarding, things like port triggering are bound to fail, likely.
FileZilla Server must know your public IPv4 (the router address). While that address is invalid inside your LAN, it must be sent out to clients. Be warned that many routers try to exchange that IP address themselves, if FTP is unencrypted!

FZServer DOES know about the range I forwarded/opened. All set. Same as router. Router is not using port triggering. 5151 is a single port forward, the 100 port range is a fixed range.
Getting to know the public IP address may hold the key. My previous set up was an unencrypted (plain) setup and worked just fine through the same router I am using now. I just upgraded (replaced) my cable modem. Could that have been the change that broke my setup? I'll work on setting up an encrypted connection and see if that changes things.

boco wrote: you MUST configure WinFirewall with both the listening port(s) and the complete Passive port range.

I've looked in the incoming and outgoing rules in Win Firewall and there are no entries for either FZ or wingFTP. Can you point me to any tutorial on setting these up if that's essential for FZ to work?

UPDATE: created a key and set up FTP over TLS. Added a static port routing for port 990. testftp.net still reports "connection attempt timed out"

Re: FileZilla Server STILL drops after entering passive mode [SOLVED]

#5 Post by startfresh » 2016-01-08 13:39

After days of trying to sort this out, it came down to one thing: on the passive mode settings, select "Retrieve external IP address from:" and set it to "https://ip.filezilla-project.org/ip.php".

I found this "tip", buried at the bottom of this post: viewtopic.php?t=37607

For reference:
Cable connection (dynamic IP)
Router: Cisco EA4500 with NAT Enabled, Port 5151 and 1000 ports above 50000 all forwarded to the server where FZServer is hosted
FZServer: listen on 5151, 1000 port range entered in "Passive Mode Settings"->"Use Custom Range", FTP over TLS enabled with (generated) certificate, disallow plain unencrypted box checked
Windows 10 firewall: FZ added as a program exception (public and private networks)

Additional notes:
fireFTP no longer works now that TLS over FTP is set up (See: https://bugzilla.mozilla.org/show_bug.cgi?id=478322)


Hope this helps someone else in the future.
Last edited by startfresh on 2016-01-08 14:48, edited 1 time in total.

Re: FileZilla Server STILL drops after entering passive mode

#6 Post by botg » 2016-01-08 14:09

FileZilla Server does not understand https:// URLs. Fetching from a https:// URL effectively disables fetching the external IP address.

If things magically appear to work even though they are clearly not configured correctly you have a malicious router or firewall sabotaging the content of TCP connections.

Re: FileZilla Server STILL drops after entering passive mode

#7 Post by startfresh » 2016-01-08 14:52

@botg
I understand that you believe what you are saying. I am telling you that the ONLY way that Filezilla will return my correct external IP address is by adding the "s". I tried every possible combination of settings (including directly setting my external ip address directly), followed the Network Configuration guide to the letter and as noted above, verified that the same settings work in other software. I'll check out the link you provided and report back if I find that I have a "malicious" router.

So reading the malicious router link you posted I will note that the scenario posed at the top of that post is not relevant. I presume that ftptest.net is NOT behind a malicious router. My FZ Server is set up exactly in accordance with the instructions at the bottom of that article (but for the https replacing the http in the "retrieve external ip address from" box). When I say my connection works, it is ftptest.net that tells me so.

I can also tell you that I can not "uninstall" any firewalls as is advised in the troubleshooting. It is, of course, possible that Comcast (cable company) has malicious firewalls and/or routers, but I have no control over this. The advice to "uninstall" firewalls does not apply in my case. The only firewall I have control over is the Windows 10 firewall and the exceptions there are set in accordance with the FZ Network Configurations article.

Re: FileZilla Server STILL drops after entering passive mode

#8 Post by botg » 2016-01-08 15:15

This has nothing to do with belief. It's a cold hard fact that FileZilla Server cannot handle https:// URLs. Feel free to fact-check your own belief system by reading FileZilla Server's source code.


Did you test using FTP over TLS, which is protected against malicious routers and firewalls, or did you test plaintext FTP where malicious routers and firewalls have a field day?

Re: FileZilla Server STILL drops after entering passive mode

#9 Post by startfresh » 2016-01-08 15:25

As repeated many times. I have followed every one of your instructions, wiki articles, etc. I am using FTP over TLS.

If FZ Server CAN retrieve my external IP address using the https: prefix, then perhaps FZ has a malicious router...

Re: FileZilla Server STILL drops after entering passive mode

#10 Post by botg » 2016-01-08 16:28

startfresh wrote:If FZ Server CAN retrieve my external IP address using the https: prefix [...]
It simply can't.

Did you restart the server service after making configuration changes? If using an invalid configuration, cached values from the last used valid configuration may still be used.

Re: FileZilla Server STILL drops after entering passive mode

#11 Post by startfresh » 2016-01-08 19:07

Yep. Works like a champ every time - connects every time, no hesitation. Stop/Restart/Stop/Start windows service. Online/Offline/Offline from the administrator UI.

Re: FileZilla Server STILL drops after entering passive mode

#12 Post by botg » 2016-01-08 22:11

I know it does, since you have re-entered the http:// URL. The server logs don't lie.

Re: FileZilla Server STILL drops after entering passive mode

#13 Post by startfresh » 2016-01-08 22:55

I don't know what you mean by your last comment. If you are somehow able to see what I've entered for my Filezilla settings then: a) that's frightening and b) why can't you put that to good use to tell me what I need to change?

Coincidentally, yes, I did change it back to http: to see if I could get the damn thing to work as you suggest (for the 99th time). It still doesn't work with http: and now doesn't work with https: either.

I'm back to square one.

Re: FileZilla Server STILL drops after entering passive mode

#14 Post by boco » 2016-01-09 00:23

Since the ip.php script is run by the FileZilla Project, of course the Admin can see your requests in the server logs (of the web server). Each and every web server does create such logs, nothing frightening about it. Note that only you can see your settings, nobody else.

Re: FileZilla Server STILL drops after entering passive mode

#15 Post by botg » 2016-01-09 01:13

The metadata of all requests to filezilla-project.org and its subdomains is logged and retained for a short amount of time to combat abuse and to diagnose server issues. All server logs are strictly confidential. Unless required by law, logfiles are not shared with any third party.

Bold claims make me look into logfiles. There simply have been resolver requests from FileZilla Server using the same IP address you are posting from, coinciding with your posting times.
