Cannot List Directory out of Office

dducharme
500 Command not understood
Posts: 4
Joined: 2018-07-17 18:25
First name: Daniel
Last name: Ducharme

Cannot List Directory out of Office

#1 Post by dducharme » 2018-07-17 18:45

Hello all,

I have spent the past couple of hours trying to get this configured and getting nowhere fast, so I am hoping someone can quickly take a look and point out what I am missing. I am migrating from a dedicated server hosted by a third-party provider to moving everything in house, and while everything else has gone pretty smoothly, the FTP server is causing issues. Here is the setup I am trying:

Webserver: Windows 2012 Essentials - 128.13.13.254
FileZilla Server 0.9.60 Beta installed
Passive Mode set to use ports 50000-60000
Firewall Inbound Rule set to allow program: %ProgramFiles% (x86)\FileZilla Server\FileZilla Server.exe
When tested in the office, this is working without issue so I don't believe the problem is with this specific piece

Sonicwall - 128.13.13.1 (LAN), 192.168.1.254 (WAN)
NAT Policy Destination 192.168.1.254-> 128.13.13.254, Port 20, X1 -> Any
NAT Policy Destination 192.168.1.254-> 128.13.13.254, Port 21, X1 -> Any
NAT Policy Destination 192.168.1.254-> 128.13.13.254, Port 50000 - 60000, X1 -> Any
Firewall Access Rule WAN > LAN Destination 192.168.1.254, Port 20 Allow
Firewall Access Rule WAN > LAN Destination 192.168.1.254, Port 21 Allow
Firewall Access Rule WAN > LAN Destination 192.168.1.254, Port 50000 - 60000 Allow
Firewall Advanced Settings Enable FTP Transformations for TCP Port(s) set to FTP

Verizon FIOS Quantum Gateway - 192.168.1.1
Static NAT Outside Static IP -> 192.168.1.254, Ports 20, 21, 80, 990, 50000-60000

From my reading of the Network Configuration guide that appears to be correct. Port 21 is definitely working as intended as it is allowing the initial connection and is sharing the TLS certificate. However, it is failing on retrieving directory listing. Again, in-house it works without an issue, so I know it is not the credentials, or the Webserver configuration. Thus there is something wrong with the Sonicwall router or FIOS Quantum Gateway but those settings look right to me. Note that this is a Verizon Business connection and not a home connection.

Thank you for any suggestions you may have. I will keep working on this on my end and post again if I find anything else out.

Dan

Re: Cannot List Directory out of Office

#2 Post by dducharme » 2018-07-17 20:56

OK, I have identified that it is the Verizon Quantum Gateway that is causing the issue. Even if I completely remove the Sonicwall I am still not able to retrieve the directory listing outside of the office. Any idea what other ports I should be forwarding, as that list appears to be complete...

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Cannot List Directory out of Office

#3 Post by botg » 2018-07-18 07:18

> Sonicwall - 128.13.13.1 (LAN), 192.168.1.254 (WAN)

The LAN/WAN assignment seems backwards.

> Firewall Advanced Settings Enable FTP Transformations for TCP Port(s) set to FTP

Don't do this. See the section about malicious routers and firewalls in the Network Configuration guide why this setting is a very very bad thing.

Re: Cannot List Directory out of Office

#4 Post by dducharme » 2018-07-18 13:38

> > Sonicwall - 128.13.13.1 (LAN), 192.168.1.254 (WAN)
> The LAN/WAN assignment seems backwards.

That is the WAN of the Sonicwall which is behind the Verizon Quantum Gateway's DHCP so it is not our static IP. Our internal network uses the 128.13.13.X address space in order to fix IP collisions with periodic VPN connections with our clients.

> > Firewall Advanced Settings Enable FTP Transformations for TCP Port(s) set to FTP
> Don't do this. See the section about malicious routers and firewalls in the Network Configuration guide why this setting is a very very bad thing.

I just checked and on the version of Sonicwall that we are using, I have to choose a port for that setting, it cannot be left blank. So for now I will leave it alone. We do have a new router coming in soon and will hopefully be able to disable it on the new one.

However, while those are good callouts, neither of them addresses the issue that I am having. As I stated in the last post, I have narrowed it down to being an issue with the Verizon Quantum Gateway, as even with the Sonicwall removed from the network, I could connect to the FTP and accept the SSL certificate, but it continues to fail on getting directory:

Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is current directory.
Command:	TYPE I
Response:	200 Type set to I
Command:	PASV
Response:	227 Entering Passive Mode (128,13,13,254,230,201)
Command:	MLSD
Response:	425 Can't open data connection for transfer of "/"
Error:	Failed to retrieve directory listing
Status:	Connection closed by server

Re: Cannot List Directory out of Office

#5 Post by dducharme » 2018-07-18 13:44

And as always, actually posting logs and taking a careful look at them reveals the issue. Just in case anyone stumbles across this looking for a solution:

I did not have the Passive mode settings correctly configured. As you can see in the connection message, it was passing the server IP as the passive IP address, but of course that is not my public IP and is behind 2 layers of NAT and so is useless outside of the office. As soon as I set the IPv4 specific External Server IP to use my static IP, the directory began to show up as expected.
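
The check that exposes this misconfiguration, as an added example that is not part of the original thread: it decodes the 227 reply from the log in post #4 and compares the advertised data address with the address the client actually connected to. The function names are hypothetical, and `203.0.113.10` is a documentation-range placeholder for the static IP, which the thread never states.

```python
import ipaddress
import re

# 227 reply copied from the client log in post #4.
LOGGED_REPLY = "227 Entering Passive Mode (128,13,13,254,230,201)"
# Constructed placeholder (documentation range); the thread never states the static IP.
PUBLIC_IP = "203.0.113.10"
PASSIVE_RANGE = (50000, 60000)  # passive port range from post #1

_TUPLE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply: (h1,h2,h3,h4,p1,p2), RFC 959."""
    match = _TUPLE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError(f"not a usable PASV reply: {reply!r}")
    nums = [int(n) for n in match.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError(f"field out of range in {reply!r}")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def diagnose(reply, control_peer, port_range=PASSIVE_RANGE):
    """Compare the advertised data endpoint with the address the client dialled."""
    host, port = parse_pasv(reply)
    return {
        "host": str(host),
        "port": port,
        # The decisive check: the data address must be the one the client reached.
        "matches_control": host == ipaddress.IPv4Address(control_peer),
        # A private-range test alone is not enough: this LAN uses 128.13.13.x,
        # which is not RFC 1918 space, so is_private is False for it.
        "is_private": host.is_private,
        "port_in_range": port_range[0] <= port <= port_range[1],
    }


if __name__ == "__main__":
    print(diagnose(LOGGED_REPLY, PUBLIC_IP))
    fixed = "227 Entering Passive Mode (203,0,113,10,230,201)"  # constructed
    print(diagnose(fixed, PUBLIC_IP))
```

Because the control channel in this session is protected by TLS, no NAT device on the path can read or rewrite the 227 reply, so the server itself has to advertise the external address.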
