Vsftpd behind NAT

I have a few Linux and FreeBSD machines behind a NAT router, and I run a vsftpd server on all of them. The problem is accessing the FTP servers from outside; locally it works fine.
My IP is static and I set the router to forward ports to the vsftpd servers, and also added passive port forwarding for each server. When I try to connect from outside, the connection gets stuck on "LIST".

Code:
Status:	Connecting to 93.XX.XXX.XXX:210...
Status:	Connection established, waiting for welcome message...
Response:	220 VSFTP Debian Server
Command:	USER snich
Response:	331 Please specify the password.
Command:	PASS ********
Response:	230 Login successful.
Command:	OPTS UTF8 ON
Response:	200 Always in UTF8 mode.
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/home/snich"
Command:	TYPE I
Response:	200 Switching to Binary mode.
Command:	PASV
Response:	227 Entering Passive Mode (93,XX,XXX,XXX,4,104).
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing

Vsftpd config:
Code:
# Standalone mode
listen=YES
listen_port=210
max_clients=200
max_per_ip=20
# Message info at login
ftpd_banner=VSFTP Debian Server
# Access rights
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=NO
hide_ids=YES
#Passive settings
port_promiscuous=YES
pasv_addr_resolve=NO
pasv_address=93.XX.XXX.XXX
pasv_min_port=1100
pasv_max_port=1150
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=500000
If pasv_address= is commented out, I see this in the FileZilla log:
Code:
Server sent passive reply with unroutable address. Using server address instead
 
You will need to use a firewall that's FTP-aware. FTP is rather tricky as it opens up a random port for the data connection. Depending on passive or active FTP it's the server or the client that opens the port.
 
So the problem is in my router (I have an Asus RT-N16 with Oleg's firmware)? Actually I tried another TP-Link type, same result.
While searching I found that some people managed to get passive mode working when pasv_min_port and pasv_max_port are defined.
What does "Response: 227 Entering Passive Mode (93,XX,XXX,XXX,4,104)." mean? I mean the digits after my real IP, 4, 104. Are these the ports for passive mode?
 
Demontager said:
What does "Response: 227 Entering Passive Mode (93,XX,XXX,XXX,4,104)." mean? I mean the digits after my real IP, 4, 104. Are these the ports for passive mode?
Yes, it's a bit tricky as it's printed as two separate bytes, each converted to decimal. In this case the port is 4 * 256 + 104 = 1128.
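A worked check for that 227 reply, added here as an example and not code from the thread: it decodes the six bytes into an address and port the way the answer describes, and flags the two failure modes seen in this thread, an advertised address an outside client cannot route to (FileZilla's "unroutable address" message) and a port outside the pasv_min_port..pasv_max_port range the router forwards. The address 203.0.113.10 and the sample replies are constructed placeholders for the masked public IP.

```python
import ipaddress
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The address is four decimal bytes; the port is two bytes, high byte first.
PASV_RE = re.compile(r"227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Address blocks a client outside the NAT cannot reach (RFC 1918, loopback,
# link-local, "this host"); FileZilla's "unroutable address" warning is the
# same idea.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, e.g. (...,4,104) -> port 4*256+104."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("byte out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, pasv_min, pasv_max):
    """Parse a 227 reply and list why an outside client might hang on LIST."""
    ip, port = parse_pasv(reply)
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in UNROUTABLE):
        problems.append("server advertised unroutable address %s" % ip)
    if not pasv_min <= port <= pasv_max:
        problems.append("port %d is outside the forwarded range %d-%d"
                        % (port, pasv_min, pasv_max))
    return ip, port, problems


if __name__ == "__main__":
    # Constructed sample replies; 203.0.113.10 stands in for the real public IP.
    for reply in ("227 Entering Passive Mode (203,0,113,10,4,104).",
                  "227 Entering Passive Mode (192,168,1,5,4,104).",
                  "227 Entering Passive Mode (203,0,113,10,4,200)."):
        ip, port, problems = check_pasv(reply, 1100, 1150)
        print(reply, "->", ip, port, problems or "OK")
```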
 
[SOLVED] I had success with passive mode behind the NAT router. Credits to mak_v from forum.lissyara.su, who helped me figure out this problem.

The things I've added to vsftpd.conf:
Code:
port_enable=NO
pasv_addr_resolve=YES
Moreover, I set my router to forward the whole port range one by one, e.g.

1100 to 1100
1101 to 1101
1102 to 1102 and so on....

The final config is:
Code:
##########Main settings######################
listen=YES
listen_port=210
connect_from_port_20=NO
ftpd_banner=Hello! We come in peace!
use_localtime=YES
force_dot_files=YES
#########Passive ports#######################
pasv_enable=YES
pasv_min_port=1100
pasv_max_port=1150
#########Enable local user's login###########
local_enable=YES
#########Chroot options######################
chroot_local_user=YES
allow_writeable_chroot=YES
#########Write permissions###################
write_enable=YES
async_abor_enable=YES
background=YES
local_root=/usr/local/www/apache22/data
##########Userlist options###################
userlist_enable=YES
userlist_deny=NO
userlist_file=/usr/local/etc/vsftpd_user_list
#########Anonymous section###################
anonymous_enable=NO
anon_upload_enable=NO
no_anon_password=NO
anon_other_write_enable=NO
anon_mkdir_write_enable=NO
anon_root=/home/ftp/
#########Logging##############################
xferlog_enable=YES
log_ftp_protocol=YES
syslog_enable=YES
port_enable=NO
pasv_addr_resolve=YES

Note: I can connect from the local LAN as well as from outside. I saw other people added pasv_address=; that's not necessary, and when it is enabled you can't connect from the LAN.
 