LAN and WAN see different things (Shared drives)

[secunet_se]

Hi!

I'm trying to set up a new server using the latest version and I'm a bit stumped as to what is going wrong now.
I am behind a pFsense router and port 21/990 as well as the passive range (8000.9000) is forwarded to my server machine, took down it's firewall for now.
The server is running as admin and service, and as well as the same login/pass used to access the smb shares from my TrueNAS server.
When I use FileZilla client from another machine in the network using the domain name I connect fine and see all folders accessible by that user.
When the user tries he connects, but see no folders
What is the difference here, am I missing opening something in pfSense?
Connecting with the same credentials to the FTP server from within the LAN and from WAN gives very different results.
The server is hosted on a virtual Windows Server 2022 machine under ESXi 7 if that matters.
The same drives/shares are shared fine on another machine using an older FileZilla server (Using the same credentials).
The admin account accessing shared drives and running the server does have the permission to run as a service.

Please advice

[botg]

Maybe there's already some other FTP server running on the router? Maybe the forwarding isn't to the correct machine?

If the user connects and sees nothing, is the connection attempt even showing up in the server log?

[secunet_se]

No, no FTP server is running on the router and all ports are correctly forwarded.
Looking at the logs there seems to be something differing that might help.

When I log on using his credentials I see:

Code: Select all

2023-04-21T07:54:00.750Z << [FTP Session 37 10.20.10.120 niko1977] 257 "/" is current directory.
2023-04-21T07:54:00.750Z >> [FTP Session 37 10.20.10.120 niko1977] TYPE I
2023-04-21T07:54:00.750Z << [FTP Session 37 10.20.10.120 niko1977] 200 Type set to I
2023-04-21T07:54:00.750Z >> [FTP Session 37 10.20.10.120 niko1977] PASV
2023-04-21T07:54:00.765Z << [FTP Session 37 10.20.10.120 niko1977] 227 Entering Passive Mode (10,20,10,21,33,14)
2023-04-21T07:54:00.765Z >> [FTP Session 37 10.20.10.120 niko1977] MLSD
2023-04-21T07:54:00.765Z << [FTP Session 37 10.20.10.120 niko1977] 150 Starting data transfer.
2023-04-21T07:54:00.765Z << [FTP Session 37 10.20.10.120 niko1977] 226 Operation successful

But the same passage for him is:

Code: Select all

2023-04-21T04:13:12.516Z << [FTP Session 34 174.194.96.21 niko1977] 257 "/" is current directory.
2023-04-21T04:13:12.704Z >> [FTP Session 34 174.194.96.21 niko1977] TYPE I
2023-04-21T04:13:12.704Z << [FTP Session 34 174.194.96.21 niko1977] 200 Type set to I
2023-04-21T04:13:12.891Z >> [FTP Session 34 174.194.96.21 niko1977] PASV
2023-04-21T04:13:12.891Z << [FTP Session 34 174.194.96.21 niko1977] 425 Cannot prepare for data connection.
2023-04-21T04:13:13.079Z >> [FTP Session 34 174.194.96.21 niko1977] PORT 192,168,1,3,206,68
2023-04-21T04:13:13.079Z << [FTP Session 34 174.194.96.21 niko1977] 200 PORT command successful.
2023-04-21T04:13:13.282Z >> [FTP Session 34 174.194.96.21 niko1977] MLSD
2023-04-21T04:13:13.282Z << [FTP Session 34 174.194.96.21 niko1977] 150 Starting data transfer.
2023-04-21T04:13:28.485Z !! [FTP Session 34 174.194.96.21 niko1977] GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated.
2023-04-21T04:13:28.485Z == [FTP Session 34 174.194.96.21 niko1977] Client did not properly shut down TLS connection
2023-04-21T04:13:28.485Z !! [FTP Session 34 174.194.96.21 niko1977] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.

Does this help any? Missing ports that need to be open?

[oibaf]

According to the log the error is "425 Cannot prepare for data connection". Usually this should be preceded by another log line explaining the reason for that inability to prepare for the data connection, but there's one precise situation this doesn't happen (will be fixed): when looking up the host name.

You said you have provided a host name for the passive mode, but have you also clicked on the "Use the default host for local connections" checkbox? If so, that would explain why it works from within the lan, but not from within the wan. Did you check the host name is resolved correctly?

[secunet_se]

I run my own dns on the pfsense router so external requests resolves to my public IP while LAN requests resolves to the LAN IPs. I think this should be fine.
As far as I can see the config, shared drives, everything is set up identically for both my old (v0.9.60) and new one (v1.6.7).
I see now I have made 2 big mistakes though.
For one I typoed my IP finding host with a comma instead of a period
And I used a host that resolved to an internal IP :X
When I set the hostname for passive to a domain that won't resolve to a LAN IP I passed the FTP test. (But eventually all host on my domains will resolve internally so I need to use a good "my IP" service I guess).

[boco]

Any dynamic DNS service should be fine. You'll need this anyway, unless you want to constantly hand out IPs.