
[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)


@atkinsom Looking back at @errorsys' previous post I think his issue is with SFTP, not FTPS.

Do you have a double NAT setup?

EDIT: Also reboot your router after making changes to the SFTP settings. I found that when I enabled WAN SFTP access the router didn't update the running vsftpd.conf file and my client couldn't connect. Restarting sorted that out.
Thanks Colin. I'm not running a double NAT and I will restart the router once my wife has finished her uploads. Just out of curiosity, where are the WAN SFTP settings you're mentioning? All I see is an option to enable TLS in the new GUI interface as per below. Thanks so much for any help.

upload_2020-3-22_19-28-53.png
 
Just out of curiosity where are the WAN SFTP settings you're mentioning? All I see is an option to enable TLS in the new GUI interface as per below.
You won't see it in the GUI. SFTP and FTPS are two completely different things.

Whereas FTPS is an extension to the FTP protocol, SFTP is an extension to the SSH protocol. As such you need to add it using Entware's OpenSSH package openssh-sftp-server. That's it, there's nothing to configure.

If you still don't have any luck with FTPS after the reboot try changing Filezilla's debug level to Info. Then check what IP address and port it is trying to use after you get this message:

Status: Server sent passive reply with unroutable address. Using server address instead.
 
Well, I’m only really familiar with the fork these days; it's been ages since I used Tomato. So I would say load up the latest fork, and then reset the NVRAM afterward. Set up again from scratch, no imported settings. For 2.4 GHz, go in and set the channel to something manual such as 11. Disable both beamforming options, disable Bluetooth coexistence, disable reduce USB3 interference, and disable airtime fairness (some of these I think are disabled by default). I would also consider trying “N only” mode. If that doesn’t do anything for you, I’m out of ideas.

Thanks for your suggestions.
I did install the fresh firmware and then reset to default by using the restore button in settings and also by pressing the WPS button during start, and it was completely reset (not sure how to do an NVRAM reset in the fork's firmware).
The results were the same.

I then manually tried all the channels which could give me good results. One important thing which I observed was that 20 MHz was giving me the highest MB, 20-30 Mbps, but after some time that would again come to 6-8 Mbps.
I have even tried a router reboot and checked if this helped, but no, it's the same result.
Attached are screenshots of my router settings for 2 GHz.

Let me know if I am missing something or if there are any other suggestions.
 

Attachments

  • 2g-General.jpg
  • 2g-Advanced.jpg
And I should say 2.4 GHz is not meant for fast downloads. Anyway not by using the hardware fit for John's fork.

Oh, yes, if you have neighbors near don't use 40 MHz wide channels for 2.4.

I agree it's not for faster downloads, but I have been using this router for years and the speed was good. Now suddenly 6-7 Mbps is not expected, right?
Yes, 20 MHz gives me some relief, but the max boost I get is 20-30 Mbps and I am using the same for now.
 
I guess yes, if not I would have problems even with 5 GHz, right?
Humm ... didn't notice 5 GHz was/is working fine, but anyway strange things happen when the power supply unit is somehow defective, and depending on the signal interference generated I just thought it might be possible that one band is affected while the other isn't. But I may be wrong I guess...
Regards
 
Humm ... didn't notice 5 GHz was/is working fine, but anyway strange things happen when the power supply unit is somehow defective, and depending on the signal interference generated I just thought it might be possible that one band is affected while the other isn't. But I may be wrong I guess...
Regards

No worries, let me see if I can find any 19 Volt adapter.
 
You won't see it in the GUI. SFTP and FTPS are two completely different things.

Whereas FTPS is an extension to the FTP protocol, SFTP is an extension to the SSH protocol. As such you need to add it using Entware's OpenSSH package openssh-sftp-server. That's it, there's nothing to configure.

If you still don't have any luck with FTPS after the reboot try changing Filezilla's debug level to Info. Then check what IP address and port it is trying to use after you get this message:

Status: Server sent passive reply with unroutable address. Using server address instead.
Thanks Colin. I rebooted and once again TLS and SFTP connections work perfectly on the router's built-in VSFTPD server using the internal network. Once I connect from an external source I get the same error as you see below. It's trying to establish the connection but at the end the server refuses the connection, which is what I was getting before when the FTP server wasn't starting. I know this is different but just a thought. Anyway, I know this is a dev build so I understand there are always going to be quirks, but I'm at a loss right now as I've tried 3 different external sites using the Filezilla FTP client and no difference. Thanks
 

Attachments

  • Capture.JPG
@atkinsom I'm confused as to why this isn't working. You said you don't have double NAT but I can see in the router's PASV response that it thinks that its WAN IP address is 192.168.0.1 :confused: Is this your router's WAN address or LAN address?
 
@atkinsom I'm confused as to why this isn't working. You said you don't have double NAT but I can see in the router's PASV response that it thinks that its WAN IP address is 192.168.0.1 :confused: Is this your router's WAN address or LAN address?
That is my router's LAN address. For sure I have no double NAT, as the router is connected to a dumb Technicolor TC4350 cable modem with no WiFi capabilities. The router receives an IP from the ISP provider much the same as if I connected my laptop directly to the cable modem. I'm just as confused as you are, as internally it works great with no issues, but with external connections that's where it fails. If I disable TLS then again everything is perfect with internal and external connections. Real head-scratcher for me, that's for sure.

EDIT: I wonder if I have to set up passive FTP ports much as I did with another FTP server I have running on my personal PC as a backup. I needed to add port forwarding ports in order for the connection to finally succeed. Now the question becomes would this need to be done with a conf file and iptables?
 
@atkinsom Do you have any VPNs active when you're testing this? In your Filezilla setup what are you using in the "Host" field, an IP address or DDNS name?
 
EDIT: I wonder if I have to set up passive FTP ports much as I did with another FTP server I have running on my personal PC as a backup. I needed to add port forwarding ports in order for the connection to finally succeed. Now the question becomes would this need to be done with a conf file and iptables?
The firmware should already have done this for you. You can check it by issuing these commands:
Code:
# nvram get ftp_pasvport
57530

# iptables-save | grep 57530
-A INPUT -p tcp -m tcp --dport 57530:57560 -j ACCEPT

EDIT: Are you port forwarding for another FTP server on your LAN? (port 21)
 
@atkinsom Do you have any VPNs active when you're testing this? In your Filezilla setup what are you using in the "Host" field, an IP address or DDNS name?
@ColinTaylor I do not have active VPN clients running on the router. I do have 2 VPN servers configured on the router with different settings using different ports, but there are no active connections used at this time. I'm using the DDNS name. Just as an FYI, I tested TLS connections to 2 different FTP servers on my internal network via outside connections and they both connected without issues. One is going to my PC on the internal network and the other is going to my NAS. Again, both those servers have port forwarding rules set up on the router for passive connections. Thanks again for your help.
 
The firmware should already have done this for you. You can check it by issuing these commands:
Code:
# nvram get ftp_pasvport
57530

# iptables-save | grep 57530
-A INPUT -p tcp -m tcp --dport 57530:57560 -j ACCEPT

EDIT: Are you port forwarding for another FTP server on your LAN? (port 21)
Yes I'm forwarding to Port 21 to one of the FTP servers but the internal router is using port 2021 from the outside
Also ran your commands and they are exactly the same as yours...now I'm really confused
 
Yes I'm forwarding to Port 21 to one of the FTP servers but the internal router is using port 2021 from the outside
This sounds like the problem. AFAICT the router's ftp server is hard-coded to use port 21. If you're doing something like port forwarding external port 2021 to internal port 21 that would explain why it isn't working.
 
This sounds like the problem. AFAICT the router's ftp server is hard-coded to use port 21. If you're doing something like port forwarding external port 2021 to internal port 21 that would explain why it isn't working.
OK thanks Colin...I'm going to attack this from a different angle. See my screenshot below re: external FTP port for the router where you can decide what port to use for external connections

upload_2020-3-23_11-8-46.png
 
OK thanks Colin...I'm going to attack this from a different angle. See my screenshot below re: external FTP port for the router where you can decide what port to use for external connections

View attachment 22139
Ah, OK. It now becomes clear.

Using that option creates a DNAT rule for the incoming ftp connection, as follows:
Code:
-A VSERVER -p tcp -m tcp --dport 2021 -j DNAT --to-destination 192.168.1.1:21
or something like this if you specify a source IP
Code:
-A VSERVER -s 123.123.123.123/32 -p tcp -m tcp --dport 2021 -j DNAT --to-destination 192.168.1.1:21
Unfortunately this breaks TLS* PASV connections.

You can do this to fix it. [Since V42E7 this is not necessary as the firmware automatically creates the rule]
Untitled.png

* The reason why this additional rule is not required when using non-TLS FTP is because the router has a ftp helper which reads the PORT and PASV commands and dynamically NATs the appropriate data port. With a TLS connection the commands are encrypted and therefore cannot be read.
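
The two points above, as an added example that is not part of the original post or the firmware: `find_pasv` does what an FTP NAT helper has to do (read the 227 reply on the control channel) and returns nothing once the same bytes are encrypted, while `port_accepted` checks a data port against the passive range rule. The sample reply, the `toy_encrypt` stand-in for TLS and all function names are constructed for illustration; the iptables line is the one quoted earlier in the thread.

```python
import hashlib
import ipaddress
import re

# 227 reply carries h1,h2,h3,h4,p1,p2 -> IP h1.h2.h3.h4, data port p1*256+p2
PASV_RE = re.compile(rb"227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
DPORT_RE = re.compile(r"-A INPUT\b.*--dport (\d+)(?::(\d+))? .*-j ACCEPT")

def find_pasv(control_bytes):
    """What a NAT helper can learn from control-channel bytes: (ip, port) or None."""
    m = PASV_RE.search(control_bytes)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def is_unroutable(ip):
    """True for addresses a WAN client cannot reach (RFC 1918, loopback, ...)."""
    return ipaddress.ip_address(ip).is_private

def port_accepted(iptables_save_text, port):
    """True if an INPUT ACCEPT rule's --dport (single port or range) covers port."""
    for line in iptables_save_text.splitlines():
        m = DPORT_RE.search(line)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            if lo <= port <= hi:
                return True
    return False

def toy_encrypt(data, key=b"constructed-key"):
    """Stand-in for TLS record protection (NOT real TLS): XOR with a SHA-256 keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    body = bytes(a ^ b for a, b in zip(data, stream))
    return b"\x17\x03\x03" + len(data).to_bytes(2, "big") + body

# Constructed sample reply; RULES is the rule line quoted in the thread.
PLAIN_REPLY = b"227 Entering Passive Mode (192,168,0,1,224,186).\r\n"
RULES = "-A INPUT -p tcp -m tcp --dport 57530:57560 -j ACCEPT\n"

if __name__ == "__main__":
    ip, port = find_pasv(PLAIN_REPLY)
    print(ip, port, is_unroutable(ip), port_accepted(RULES, port))
    print(find_pasv(toy_encrypt(PLAIN_REPLY)))  # helper sees no PASV reply
```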
 
@ColinTaylor ....You are bang on. I was heading that way but dismissed it since the rule was auto created as per your command you showed me above. Your explanation is perfect and I'm sure this will help others in a similar situation. Thanks very much
 
I upgraded my RT-AC66U a few days ago from 39E3 to 42D5 and it is running smoothly, no issues detected, even without resetting the router after upgrade. I'm using a small set of features: DoT, DHCP, DNSFilter, Parental Control.
Great work! Thank you John! And thanks for the Community for good support.
 
