FTP not working from outside LAN

Jimbo

Occasional Visitor
Hello,

I have set up a USB media drive with FTP on my AC56U/Merlin. I have also set up a NO-IP account. All working well from inside the LAN, access to FTP via NO-IP address perfect. The problem is when I'm outside home, and not in LAN anymore. FTP connection to port 21 on the FTP server from the Asus router is rejected by the server itself.
I've done all sorts of trials, forward port 21, open the port via iptables on the firewall script, without success.

I have seen some threads in this and other forums hinting that there might be actually a problem with the external access to the FTP on the Asus router. Not sure if it's a bug that was there or still is (unbelievable if that's the case).

Could anyone be so kind to confirm, or otherwise guide me on any other possible solution or what might be going wrong?

Thanks in advance!
 
Sorry to ask the obvious, but for confirmation....did you switch on the 'Enable WAN access' switch on the FTP setup page?
 
Hi, no sorries. Thanks for answering, but...yes I did.

It looks like the router/Merlin itself might be blocking the port when not in LAN. Have you tried this yourself? Any other ideas? BTW, I'm running the latest test builds for 378.54 (the only ones where VPN autostart actually works, but seems more bugs might be still hanging around).
 
Given that FTP is unencrypted and relies for secure login on username-password pairs rather than on public-key infrastructure, it might be a blessing in disguise (not being able to WAN access via FTP); no bad thing if it makes you consider setting up a secure tunnel via ssh or a vpn and to use one of the secure file transfer protocols.
 
@martinr, I know what you mean. But, as a matter of fact, the router is actually setup as OpenVPN client to a VPN provider, with all firewalling and port forwarding and policy routing as you can imagine. Thinking about also setting this up as an OpenVPN server, makes me really wonder if it could work at all, not just routing, but CPU, bandwidth and so on.
 
Understood, Jimbo, but inferring your level of knowledge from your reply, it sounds like the sort of thing you could do in your sleep. I guess you could run off a settings backup file first and, if you do have problems, just revert back. But if you do get it to work, don't forget to turn off WAN access on the FTP page.

Best of luck if you decide to give it a go.
 
Thanks @martinr. But to be honest, don't have much time honestly, and I'd prefer to focus on the root problem which seems to be that the port might not be accessible from the internet at all. Otherwise, it's like trying to solve problem 1, I move into problem 2, and so on....which has been the case so far (I summarized my initial post for the sake of sanity :)).

Hopefully Merlin or someone else could take a look and confirm if there's indeed an issue with the port 21 blocked from WAN somehow on the firmware. I'd hate to move to dd-wrt but seems to be the most fully functional firmware after all.
 

AHA!** Many thanks. Sorry, I've just remembered I don't have a usb drive plugged in: I'm using both usb outputs to power 2 Raspberry Pis and I don't know when I'll be back to plug in a usb drive. So, unfortunately, I can't, after all, test my own router's response to remote ftp access.

**Every time I go into the webui I seem to discover something new - I just discovered the page on Port Triggering. That's why I'm reluctant to use John's outstanding nvram save/restore utility: manually re-entering the settings helps my familiarity with the webui, but it still doesn't guarantee that I remember where the FTP setting is.
 
But, as a matter of fact, the router is actually setup as OpenVPN client to a VPN provider
Are you sure it's not the provider that's blocking the port? I know with my provider, ftp is blocked (even outgoing from my PC through the client). I had to code iptables rules to route ftp around the VPN.

Also, are you sure that your DDNS is actually reflecting your VPN ip? There are cases where it can still setup your normal ISP address.

Have you tried FTP without the VPN client active?
 
Hi @john9527, and @martinr, thank you so much for your inputs. Only now I managed to arrive home to test a bit. So here it goes, the complete story with my ISP, VPN, etc. I don't think it changes much of the current situation, but might help you out to understand the pickle I'm in and maybe others with this interesting issue.

My Cable ISP has this fantastic expanding mechanism, in Europe at least, of allegedly running out of IPv4 addresses (interestingly this only happens to regular customers, for biz customers there are as many IPv4 as one may want :)), and they have what's (unfortunately) known as a dual stack "lite" IPv4 connection. In human terms, it means, we have X customers connected with the same IPv4, we have a gateway in between with an IPv6 translating, repackaging and routing to the customers. As long as the customers don't need external access, all fine. If they do need access to their home LAN (what a strange use case right?), then these gentle people offer them to switch to a business plan, which out of coincidence is a bit more expensive, requires re-activation fee, and gets you stuck with a 2 year contract.

That's life, so I tried as much as possible to work around this, not because of the money, but because I consider it not fair, especially because the ISP "rents" you a very expensive router with all sorts of DDNS and NAS, which you can never use :). Of course, you can't also bridge the ISP modem, or if you do, you'd end up with the same limitation (DS-lite) but at your Asus router now.

The only really valid workaround option I have reached so far, is to try to manage this via my (yet) fixed VPN provider IPv4 address, which reaches the Asus router. And this is the point where I am, managed to get a fixed IPv4 visible, but can't manage to access port 21. My VPN provider looks really serious and competent when you reach the right support guys, and they tell me they are not blocking port 21 (my ISP is tunneled so I do not care).

So per your questions:
Are you sure it's not the provider that's blocking the port? -> According to my VPN they are open
are you sure that your DDNS is actually reflecting your VPN ip? -> Yes, I'm positive
Have you tried FTP without the VPN client active? -> I can't. From the fantastic story I described, I would end up with the pathetic shared IPv4, which the ISP gateway does not allow to uniquely route nor port forward.

This only leaves the most evident suspect so far, which would be Merlin/Asus screwing up port 21 of its own FTP from the internet.

Maybe it'd be as simple as a candid soul around who might have a normal IP address (a luxury for some of us these days :)), to just enable the FTP and WAN access to it with a random USB drive and try to access it from their external IP.
Or perhaps Mr. @RMerlin might be able jump in with a possible already available answer, and perhaps correct any of my investigations so far.

Thank you all in any case, really appreciate all the ideas and feedback. Whatever else you may come up with, just spit it out and I'll give it a shot.
My other solution is succumb to my ISPs business plan, which might be the only option left.

Greetings.
 
Jimbo,

That's some story; reminds me of the old days of the shared telephone "party line".

I really am way out of my depth on this one but sometimes an innocent question can trigger a thought process not previously considered....... Right now I'm remotely connected to my home router via my Windows laptop connected to the OpenVPN server on my router using WinSCP. I've also connected to my Humax Fox T2 Freeview PVR using FireFTP as a Firefox extension/add-on. I wondered if you might have any other device with an FTP server on your network - just for troubleshooting purposes - that you could try to connect to that might tell you if the problem is indeed in the router?
 
Hey martinr,

That might be a good idea, regarding the receiver. I have a linux sat box on that same LAN, though no idea on setting up an FTP on it. But the thing is I'm not sure what this might bring, because according to the note on the Asus router GUI itself, port forwarding tab:

When you set 20:21 as your FTP server's port range for your WAN setup, then your FTP server would be in conflict with RT-AC56U's native FTP server.

which sounds like a ridiculous clash: port 21 of Asus FTP from WAN not working, but nevertheless might crash with whatever port 21 on the same LAN. Remember the goal is to have the Asus FTP running, port 21, not any other PC or equipment on any other port :)

Another idea perhaps, might be, why the heck is it not possible to move Asus' FTP to any other port other than 21? I'd guess this would be a static variable in some header file...but I ain't no expert. @RMerlin, would you be around?
 
The FTP config under Virtual Server has nothing to do with the built-in server. Leave that setting untouched unless you plan on running an FTP server behind your router. That setting is for the NAT helper.

You are trying to get quite a non-standard setup running there, so I can't help you with that. There's just too many variables involved, including the tunnel provider itself. That's not the fault of the firmware.
 
@Jimbo - That's some setup.....let me see if I understand correctly. The last hop from your ISP to the router basically takes incoming IPv4 and converts it to IPv6 to send to the router?

If that's the case, I'm surprised that your VPN client would work at all since the VPN client included with the router isn't IPv6 aware (well, it sort of is, but there are no specific firewall rules set up to allow IPv6 through the VPN tunnel).
 
I suspected the port forward would not be the culprit. Have tried with and without though. Removed now. I also have the port included in iptables for the router IP. I think I have tried removing it, but FTP would be completely blocked.

IPv6 is not the issue. Deep down in its log there are 2 IPs associated. One IPv4 (DS-lite) and one IPv6. I have also tried the IPv6, my VPN supports it, but it doesn't work at all from ISP side. All routing that I see at least goes over the IPv4 or as IPv4 traffic (they at least also told me I cannot use the IPv6 associated...otherwise probably not much need for a biz account right? :). No need to worry about IPv6.

Just to throw a bit more suspicion on the firmware, I CAN ACCESS THE ASUS GUI OVER THE INTERNET, so there's definitively something screwed up or blocking port 21 of the router's FTP from my point of view.
 
...would you know if there is any way of changing the Asus FTP port to any other than port 21?
 
It's not possible to access FTP from WAN from ASUS because the firmware port forwarding only works in the forward chain not input. You would have to go into the linux file system and configure FTP to listen onto WAN.
 
Thanks for confirming what looked pretty evident @System Error Message, aside from @RMerlin quickly absolving the firmware :) (no offense!).

I was thinking if it'd be possible to redirect the port to some random one, ie, 2021, via IPTABLES, i.e:
iptables -A -i tap11 -p tcp -m tcp --dport 2021 -j DNAT --to-destination "Asus LAN IP":21

Could this work or clash with its own FTP? I'm not sure if it'd be a correct way, I'm wondering basically is any way to work around, and make the Asus "believe" he is receiving from LAN...?
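
The redirect asked about in the last post, written out as an added example (not part of any poster's message and not firmware code). The rule as posted names no table or chain; DNAT is only valid in the nat table, and because the rewritten destination is the router itself the packet is then filtered by INPUT, not FORWARD. `tap11` and port 2021 come from the post; `192.168.1.1`, `ALLOW_SRC` and `DRY_RUN` are hypothetical, and availability of the conntrack match on the router's kernel is assumed.

```shell
#!/bin/sh
# Added example. Values below are assumptions unless noted.
WAN_IF="${WAN_IF:-tap11}"              # tunnel interface named in the post
EXT_PORT="${EXT_PORT:-2021}"           # external port named in the post
FTP_PORT=21                            # built-in FTP server port
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"  # constructed stand-in for "Asus LAN IP"
ALLOW_SRC="${ALLOW_SRC:-}"             # optional source CIDR allowed to connect
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the rules instead of applying

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ftp_wan_rules() {
    src=""
    if [ -n "$ALLOW_SRC" ]; then src="-s $ALLOW_SRC"; fi

    # 1. Rewrite EXT_PORT on the tunnel to the router's own port 21.
    #    $src is left unquoted on purpose so an empty value disappears.
    run iptables -t nat -I PREROUTING -i "$WAN_IF" $src -p tcp \
        --dport "$EXT_PORT" -j DNAT --to-destination "$ROUTER_IP:$FTP_PORT"

    # 2. INPUT sees the packet after the rewrite, so it matches port 21.
    #    --ctstate DNAT accepts only connections that were translated by
    #    rule 1; a direct hit on port 21 over the tunnel is not accepted.
    #    -I places the rule at the top of the chain.
    run iptables -I INPUT -i "$WAN_IF" $src -p tcp \
        --dport "$FTP_PORT" -m conntrack --ctstate DNAT -j ACCEPT
}

# Control channel only: FTP data connections are separate TCP connections
# and need their own allowance (not covered here).
ftp_wan_rules
```

Setting `ALLOW_SRC` limits both rules to one source range, which matters here because FTP sends credentials in clear text, as noted earlier in the thread.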
 
