425 Can't open data connection for transfer of "/"

[ciscodz]

Hello

I hope everyone is fine.

Here I just set up a FTPS solution with a Filezilla server and after testing from outside I get an error message that appears knowing that I have complied with the requirements for deployment unless I forgot something or I made a mistake

can you please help me to solve the problem?

Materials used:
1- Physical server under Windows server 2012
2- Buffalo NAS connected to the server through network sharing
3- NAT and opening of Router and Firewall ports (Passive Range)
4- Antivirus used on the server Microsoft Essential
5- huawei H532e Router

For information the server is accessible from the private LAN

Thank you in advance for your support.

Regards.

[botg]

Two observations:

1. The configured passive mode port range is wrong. Please refer to our Network Configuration guide for instructions, you can test your configuration on https://ftptest.net/
2. The client is using active mode, in which case all client-side firewalls and NAT routers need to be configured for active mode.

[ciscodz]

Hello botg

Thank you for your feedback.

I'll review the configuration in both directions and come back to you if need it.

Thank you again.

[ciscodz]

Hello

I made some changes I can connect to the server but for a little while after I have disconnected message

on the link https://ftptest.net/ he displays me "Make sure the account has permissions to list directories

What more do I need to check?

Thank you in advance.

Regards.

[botg]

Could you please post the log from the test?

[ciscodz]

Hello

test used with Implicit over TLS

---------------------------------------------------------------------

Status: Resolving address of x.x.x.x Ip Public of Lan where located Srv

Status: Connecting to x.x.x.x Ip Public of Lan where located Srv

Warning: The entered address does not resolve to an IPv6 address.

Status: Connected, performing TLS handshake...

Status: TLS handshake successful, verifying certificate...

Status: Received 1 certificates from server.

Status: cert[0]: subject='C=DZ' issuer='C=DZ'

Status: Waiting for welcome message...

Reply: 220-FileZilla Server 0.9.60 beta

Reply: 220 Hello

Command: CLNT https://ftptest.net on behalf of 105.102.146.143 @Ip public of test site

Reply: 200 Don't care

Command: USER admtec4

Reply: 331 Password required for admtec4

Command: PASS ***********

Reply: 230 Logged on

Command: SYST

Reply: 215 UNIX emulated by FileZilla

Command: FEAT

Reply: 211-Features:

Reply: MDTM

Reply: REST STREAM

Reply: SIZE

Reply: MLST type*;size*;modify*;

Reply: MLSD

Reply: AUTH SSL

Reply: AUTH TLS

Reply: PROT

Reply: PBSZ

Reply: UTF8

Reply: CLNT

Reply: MFMT

Reply: EPSV

Reply: EPRT

Reply: 211 End

Command: PBSZ 0

Reply: 200 PBSZ=0

Command: PROT P

Reply: 200 Protection level set to P

Command: PWD

Reply: 257 "/" is current directory.

Status: Current path is /

Command: TYPE I

Reply: 200 Type set to I

Command: PASV

Reply: 227 Entering Passive Mode (x,x,x,x,195,159)

Command: MLSD

Status: Data connection established, performing TLS handshake...

Status: TLS handshake successful, verifying certificate...

Status: Received 1 certificates from server.

Status: cert[0]: subject='C=DZ' issuer='C=DZ'

Warning: Control and transfer connection do not share the same TLS session. Without TLS session resumption, an attacker could swap transfers between you and another user connected to the same server. Make sure the server allows session resumption and caches sessions for the entire duration of the control connection.
[/u][/b]
Listing: 220-FileZilla Server 0.9.60 beta

Listing: 220 Hello

Reply: 425 Can't open data connection for transfer of "/"

Error: Listing failed

Results

Error: Listing failed

Make sure the account has permissions to list directories.

Regards.

[ciscodz]

Hello

test with Explicit over TLS

[ciscodz]

Hello

Attached configuration of FilezillaSRV and routeur

[botg]

Those ports aren't forwarded, they are remapped. You need forwards.

[boco]

Try to set the internal port for the "PASV" rule in the router to 50000.

[ciscodz]

Hello boco&botg

Thnak you for your return

botg the port mapping functionality has the same function as the portording, knowing that it is the only functionality available on the router

Boco I forwarded the port ''Ithink'' the problem is that I can connect to the server about 5 seconds after that disconnects this problem can it come from the port forwording?

I attached an image on the moment when I connect

I added once again a capture of the router (I still modified the ports) possible to indicate me where I was wrong and please correct it if possible

Internal port : 990
External ports passive : 60000-60020
Private LAN : 192.168.1.3
Public if you need to indicate where I put it on the router

Thank in advance for your great support.

[boco]

The Passive port range must not be forwarded to the listening port! This will never work, as the listening port is already in use. Rule of thumb: Each internal port must only be touched by one forwarding rule.

Forward ext 990 to int 990, and ext 60000-60020 to int 60000(-60020). The router only requires the first internal port and will figure out the others by itself. Note that a range of only 21 passive ports isn't nowhere enough for even moderate use. 100 or more ports are recommended.

Why do you insist on Implicit FTP over TLS? Explicit is recommended over Implicit and uses the normal listening port 21.

[ciscodz]

Hello Boco

Than kyou for your return

As requested I changed the passive port number to 200 (256 Ports max supported by my router) and declared the rule on the router

For the connection protocol I passed explicit as recommended

I attached image of configuration router, the problem is that you asked me to forwarder ext range ports 60000-60200 to int ports 60000-60200 can you please indicate on the yellow part of the image the port number I integrate

Ports passive used 60000-60200 / 21

Thank you for your support

[ciscodz]

Hello Boco

I solved the problem by forwarding the passive ports to port 0 internally "I don't know if it's recommended or not but it works

Now I have another problem I have a NAS connected to the FTP server via network mapping Filezilla does not want to recognize the path '' 550 Home directory does not exist'' I will look for and maybe find a solution

Once again thank you for your great support

[boco]

Very complicated and might not work:

viewtopic.php?f=6&t=9200