New User unable to solve 425 Connection Error.

LateJunction
504 Command not implemented
Posts: 7
Joined: 2021-02-02 10:45
First name: Tony
Last name: Hamilton

New User unable to solve 425 Connection Error.

#1 Post by LateJunction » 2021-02-02 11:19

Running Fz Server 0.9.60 beta under Win 10; Fz Client 3.52.2 under Win 10; currently both server and client on same 'part' of private network behind NAT router.

I have read through this forum extensively on what causes a 425 error and have identified one clear factor: ftptest.net fails with error code 550 'No connections allowed from your IP'. I understand this probably means that I have not set up Passive Mode correctly. But the settings are very obvious and I think I understand them. I have also ensured that incoming requests on a range of ports on the server computer are allowed in Windows Defender and the same range of ports is defined in the server settings.

The guidance on ftptest.net says 'Make sure you are allowed to connect on <external server IP address>'. How exactly do I do that?

boco
Contributor
Posts: 25448
Joined: 2006-05-01 03:28
Location: Germany

Re: New User unable to solve 425 Connection Error.

#2 Post by boco » 2021-02-02 16:19

Don't follow what's said in the forum, not everything posted here by users is actually correct. The only fountain of wisdom is our Network Configuration Guide (the Passive mode part).

> 550 'No connections allowed from your IP'

Did you use any IP filters on the server's "IP Filter" page? The message indicates your source IP is not allowed to connect by server configuration.

Did you forward any ports in your router?
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

Re: New User unable to solve 425 Connection Error.

#3 Post by LateJunction » 2021-02-02 22:48

2nd attempt to post reply (this forum app threw away my first reply attempt after a lot of work as I did not save it in time!)

Firstly on filters:
Yes, I had set filters to '*' for 'not allowed' and to '192.168.0.0/24' to 'exclude from not allowed'.

Having thought about this in the context of using ftptest.net I realised that this would not allow ftptest.net to connect, so as soon as I set both specifications to blank ftptest.net worked. But I cannot use this configuration in 'production' as it is too risky. I think the specification of '*' and '192.168.0.0/24' should work with my client IP set to 192.168.0.24, but it doesn't: I get the 425 error.

I have set port forwarding in my router to the correct server address, forwarding ports 21, 22, 990 and a wide range around the port I have chosen for listening on - which is NOT port 21 for 'security by obscurity' reasons. Is this valid?

Over the last 2 days I have tried, repeatedly, combinations of using a server address as either 127.0.0.1 or its valid 'internal' IPv4 address, or the external IPv4 address of the router, using a very wide range of ports, with and without IP filters in the server configuration. I have disabled the firewall on both server and client computers. I have tried with a client that is both wifi and ethernet connected. There has been no successful connection after some hundreds of attempts. I get either the 425 error as in my original post or get a connection time-out error.

It is quite clear to me that I have no idea what I am doing, but I have not been able to find a clear and rigorous problem source identification route map. There is a large amount of information on the filezilla project web-site but it is not diagnostic-based. It uses generic terms which are at technical level that is beyond me. Where should I be looking for a simple diagnostic procedure? The server and client applications both clearly know what is causing the failure to connect but do not reveal the reasons to the inexperienced user.

botg
Site Admin
Posts: 33357
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: New User unable to solve 425 Connection Error.

#4 Post by botg » 2021-02-03 15:17

What is your configured passive mode port range?

Re: New User unable to solve 425 Connection Error.

#5 Post by LateJunction » 2021-02-03 17:51

botg wrote (2021-02-03 15:17):
> What is your configured passive mode port range?

"Use custom port range" 57000 - 58000

Re: New User unable to solve 425 Connection Error.

#6 Post by boco » 2021-02-03 18:47

> But I cannot use this configuration in 'production' as it is too risky. I think the specification of '*' and '192.168.0.0/24' should work with my client IP set to 192.168.0.24, but it doesn't: I get the 425 error.

No, it doesn't. Connections coming from outside will always have their public IPs assigned, which are usually dynamic. If you really want to only have IPs from your local IP range reach the server, only people from inside your LAN can connect. Safe but probably not what you need.
There is one other way - setting up a reverse proxy. The howto is, however, beyond the scope of this forum. One famous software supporting this is nginx.

> I have set port forwarding in my router to the correct server address, forwarding ports 21, 22, 990 and a wide range around the port I have chosen for listening on - which is NOT port 21 for 'security by obscurity' reasons. Is this valid?

There's much confusion here.
You need to forward and open:
1. The primary listening port. By default, it's 21, but if you changed it, forward your port.
2. The secondary listening port (990 by default), but ONLY if you want to offer Implicit FTPS services.
3. The complete custom port range.

All of these need to be forwarded statically (not triggered), and solely for the TCP protocol. FTP does not make any use of UDP or other protocols. Note: Port 22 is SFTP, which FileZilla Server does not support.

Each and any test involving the Internet needs to be done using https://ftptest.net, due to the design limitations of NAT. You cannot solve any problems with the NAT setup while being part of it.

> It is quite clear to me that I have no idea what I am doing, but I have not been able to find a clear and rigorous problem source identification route map. There is a large amount of information on the filezilla project web-site but it is not diagnostic-based. It uses generic terms which are at technical level that is beyond me. Where should I be looking for a simple diagnostic procedure? The server and client applications both clearly know what is causing the failure to connect but do not reveal the reasons to the inexperienced user.

FileZilla software, especially the Server, are traditionally targeted at power users, i. e. people with experience in the network field. That's why all messages are very technical.
Re: New User unable to solve 425 Connection Error.

#7 Post by LateJunction » 2021-02-03 20:52

I am aware that you must have a significant work load through this forum alone, but I need your continued support, please.

Let me respond to your points in the order you have made them:

I understand that connections from outside my LAN will use their public (=external and = WAN IP, yes?) IP and I need to test that that connectivity works. Part of that has already been done, using ftptest.net but with server IP filter settings which leave my server open to attack. Before addressing that issue, I want to demonstrate to myself that connection to my server is available for requests inside my LAN. Hence I have set the 'allow IP' address to an internal one - 192.168.0.24. But, as I said, configured this way, this results in a 425 error. If I set no limits on IP filtering by the server, then I still get a 425 error.

About port forwarding:
1. My primary listening port is forwarded, by implication, when I forward the range 57000 to 58000. I thought you were suggesting that I forward my primary listening port explicitly; when I attempt to do this my router tells me that forwarding of that port is already defined.
2. Forwarding port 990 is not, per se, a requirement, but from what I was able to understand from the documentation on the project site, it was something that I was required to support, so I included it. Attempts to connect using this port fail, but it is of no consequence.
3. The complete port range is forwarded, as previously stated.

I do not use port triggering. Whilst I cannot claim to understand it, the (barely usable) guidance available for my router (ISP supplied) does at least allow me to understand that I should not use port triggering.

Yes, I have done the test using ftptest.net; it works, as long as I do not specify any server IP filtering. As I hope you can see, everything you have specified already applies to my configuration, but I have no idea of where to go, what to do from here to get connections from other users - either on my LAN or external to my router, to work.

Do you have any further advice you could give me?

Re: New User unable to solve 425 Connection Error.

#8 Post by botg » 2021-02-04 13:28

Please post a complete log from both the server and a client experiencing the error.

Re: New User unable to solve 425 Connection Error.

#9 Post by boco » 2021-02-04 20:40

> * and 192.168.0.0/24

Denying everyone access and allowing 192.168.0.0/24 means that ONLY connections from that range are allowed to connect. It excludes everything outside that IP range, i. e. ALL external ones. For a public server with random IPs connecting, whitelist-filtering by IP does not work. You can still blacklist offending IPs and ranges/prefixes, though.

> 1. My primary listening port is forwarded, by implication, when I forward the range 57000 to 58000. I thought you were suggesting that I forward my primary listening port explicitly; when I attempt to do this my router tells me that forwarding of that port is already defined.

If the listening port is included, no need to do it separately. My comment was because you mentioned 21, 22 and 990, also.
Important: The listening port(s) MUST NOT be included in the Custom port range, as they are not available for data connections. For example, if your server listens on 57000, the Custom port range must be 57001 to 58000, excluding that port.

> 2. Forwarding port 990 is not, per se, a requirement, but from what I was able to understand from the documentation on the project site, it was something that I was required to support, so I included it. Attempts to connect using this port fail, but it is of no consequence.

No, we do generally NOT recommend Implicit FTP over TLS. It is not an official FTP standard and implementations in clients can vary. Unless you explicitly need Implicit (no pun intended), avoid it.

> I do not use port triggering. Whilst I cannot claim to understand it, the (barely usable) guidance available for my router (ISP supplied) does at least allow me to understand that I should not use port triggering.

Port triggering automatically opens secondary ports if the trigger port is found to be busy. This does not work for FTP, as the trigger port is usually completely idle during transfers.

_____
Small note concerning OS: For Windows 10, include the release branch you are on. MS has introduced various bugs into release branches that sometimes applied to FTP as well. With default Windows settings, you should be on the Windows 10 20H2 branch now. Quality-wise, it's on the low end.
Re: New User unable to solve 425 Connection Error.

#10 Post by LateJunction » 2021-02-05 18:54

botg wrote (2021-02-04 13:28):
> Please post a complete log from both the server and a client experiencing the error.

Thank you, but this will now not be necessary. In a frenzy of frustrated changes to options I found that setting the Passive Mode Option for 'Don't use external IP for local connections' to 'selected' immediately made both external and internal connections successful where neither would work before this change. It was previously unselected on the basis of advice I had read somewhere at some point on the forum site.

No further questions on the 425 error at this time.

Re: New User unable to solve 425 Connection Error.

#11 Post by LateJunction » 2021-02-05 19:14

boco wrote (2021-02-04 20:40):
> * and 192.168.0.0/24
> Denying everyone access and allowing 192.168.0.0/24 means that ONLY connections from that range are allowed to connect. It excludes everything outside that IP range, i. e. ALL external ones.

Yes, I understand. That is exactly what I am striving to achieve in testing internal connections. I will further reduce it to specific internal IPs when I go 'live' with this server.

> For a public server with random IPs connecting, whitelist-filtering by IP does not work. You can still blacklist offending IPs and ranges/prefixes, though.

I do not wish to ever get to the situation of having 'offending IPs' - the admin of blacklist management is too much. So, I will just follow the strategy for Internal users: only specific, identified external IPs will be able to connect.

> Important: The listening port(s) MUST NOT be included in the Custom port range, as they are not available for data connections. For example, if your server listens on 57000, the Custom port range must be 57001 to 58000, excluding that port.

Strange: now that I have got connections working for both internal and external IPs, I find the 'system' works as I expect even though my identified listening port is in the middle of the custom range of ports (initially 1,000 now reduced to 100) defined to the server and to the port forwarding in my router. Changing the listening port to be one less than the first port in the custom range defined to the server and then defining a range for port forwarding that starts one earlier than the custom range defined to the server (and hence includes the listening port) works as expected too.

Re: New User unable to solve 425 Connection Error.

#12 Post by boco » 2021-02-05 22:50

FileZilla Server will propose randomly chosen ports from the custom port range to clients for data connections. With your former configuration, you had a 1:1000 chance for getting a guaranteed connection error, as the listening port is occupied. With the listening port being outside that range, that won't occur.

As you use a custom listening port, unwanted connections will most probably never happen.
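
Added example, not part of the thread and not FileZilla code: a small Python model of the three settings the posts above turn on, namely the deny/except IP filter, the 'Don't use external IP for local connections' option, and the relation between listening port, custom passive range and router forwards. The listening port 57500, the server's LAN address and the public addresses are constructed values, and the filter and passive-address logic are simplified assumptions about the behaviour the posters describe.

```python
import ipaddress

def filter_allows(src, disallowed, exceptions):
    """Deny list first, then the 'exclude from not allowed' list (assumed semantics)."""
    ip = ipaddress.ip_address(src)
    def hit(rules):
        return any(r == "*" or ip in ipaddress.ip_network(r, strict=False) for r in rules)
    return not hit(disallowed) or hit(exceptions)

def pasv_address(client, lan, server_lan_ip, external_ip, no_external_for_local):
    """IP the server advertises for the data connection (simplified model)."""
    is_local = ipaddress.ip_address(client) in ipaddress.ip_network(lan)
    return server_lan_ip if (is_local and no_external_for_local) else external_ip

def audit_ports(listen_port, pasv_range, forwarded):
    """Compare listening port, custom passive range and router forwards (TCP).
    Assumes an explicit-only server, so 990 is not counted as needed."""
    lo, hi = pasv_range
    findings = []
    if lo <= listen_port <= hi:
        findings.append(f"listening port {listen_port} lies inside passive range {lo}-{hi}")
    needed = {listen_port, *range(lo, hi + 1)}
    covered = {p for a, b in forwarded for p in range(a, b + 1)}
    if needed - covered:
        findings.append(f"not forwarded: {len(needed - covered)} required port(s)")
    if covered - needed:
        findings.append(f"forwarded but unused by the server: {sorted(covered - needed)}")
    return findings

# Constructed values: the thread never states the listening port or any public IP.
LAN, SERVER_LAN_IP, EXTERNAL_IP = "192.168.0.0/24", "192.168.0.10", "203.0.113.5"
DENY, EXCEPT = ["*"], ["192.168.0.0/24"]

if __name__ == "__main__":
    for src in ("192.168.0.24", "198.51.100.7"):   # LAN client, outside tester
        print(src, "allowed" if filter_allows(src, DENY, EXCEPT) else "refused (550)")
    for opt in (False, True):                       # option unselected, then selected
        print(opt, pasv_address("192.168.0.24", LAN, SERVER_LAN_IP, EXTERNAL_IP, opt))
    print(audit_ports(57500, (57000, 58000), [(21, 22), (990, 990), (57000, 58000)]))
    print(audit_ports(57000, (57001, 58000), [(57000, 58000)]))
```

With the option unselected the LAN client is handed the router's public address for the data connection, so the transfer depends on the router looping that traffic back inside the NAT.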