# Vsftpd behind NAT



## Demontager (Jan 6, 2013)

I got a few Linux and FreeBSD machines behind a NAT router, and I run a vsftpd server on all of them. The problem is accessing the ftp servers from outside; locally it works fine.
My IP is static and I set the router to forward ports to the vsftpd servers, and also added passive port forwarding for each server. When I try to connect from outside, the connection gets stuck on "LIST".


```
Status:	Connecting to 93.XX.XXX.XXX:210...
Status:	Connection established, waiting for welcome message...
Response:	220 VSFTP Debian Server
Command:	USER snich
Response:	331 Please specify the password.
Command:	PASS ********
Response:	230 Login successful.
Command:	OPTS UTF8 ON
Response:	200 Always in UTF8 mode.
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/home/snich"
Command:	TYPE I
Response:	200 Switching to Binary mode.
Command:	PASV
Response:	227 Entering Passive Mode (93,XX,XXX,XXX,4,104).
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing
```

Vsftpd config:

```
# Standalone mode
listen=YES
listen_port=210
max_clients=200
max_per_ip=20
# Message info at login
ftpd_banner=VSFTP Debian Server 
# Access rights
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=NO
hide_ids=YES
#Passive settings
port_promiscuous=YES
pasv_addr_resolve=NO
pasv_address=93.XX.XXX.XXX
pasv_min_port=1100
pasv_max_port=1150
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=500000
```
If `pasv_address=` is commented out, I see this in the FileZilla log:

```
Server sent passive reply with unroutable address. Using server address instead
```


----------



## SirDice (Jan 7, 2013)

You will need to use a firewall that's FTP aware. FTP is rather tricky as it opens up a random port for the data connection. Depending on passive or active FTP it's the server or the client that opens the port.


----------



## Demontager (Jan 8, 2013)

So the problem is in my router (I got an Asus RT-N16 with Oleg's firmware)? Actually I tried on another, TP-Link type, same thing.
While searching I found that some people managed to get passive mode working when pasv_min_port and pasv_max_port were defined.
What does "Response: 227 Entering Passive Mode (93,XX,XXX,XXX,4,104)." mean? I mean the digits after my real IP, 4, 104. Are these ports for passive mode?


----------



## SirDice (Jan 8, 2013)

Demontager said:

> What does "Response: 227 Entering Passive Mode (93,XX,XXX,XXX,4,104)." mean? I mean the digits after my real IP, 4, 104. Are these ports for passive mode?


Yes, it's a bit tricky as it's printed as two separate bytes, each converted to decimal. In this case the port is 4 * 256 + 104 = 1128.


----------



## Demontager (Jan 8, 2013)

*[SOLVED]* I got success with *passive mode behind NAT* router. Credits to mak_v from forum.lissyara.su who helped me figure out this problem.

The things I've added to vsftpd.conf:

```
port_enable=NO
pasv_addr_resolve=YES
```
Moreover, I set my router to forward the whole port range one by one, e.g.

1100 to 1100
1101 to 1101
1102 to 1102 and so on....

The final config is :

```
##########Main settings######################
listen=YES
listen_port=210
connect_from_port_20=NO
ftpd_banner=Hello! We come in peace!
use_localtime=YES
force_dot_files=YES
#########Passive ports#######################
pasv_enable=YES
pasv_min_port=1100
pasv_max_port=1150
#########Enable local user's login###########
local_enable=YES
#########Chroot options######################
chroot_local_user=YES
allow_writeable_chroot=YES
#########Write permissions###################
write_enable=YES
async_abor_enable=YES
background=YES
local_root=/usr/local/www/apache22/data
##########Userlist options###################
userlist_enable=YES
userlist_deny=NO
userlist_file=/usr/local/etc/vsftpd_user_list
#########Anonymous section###################
anonymous_enable=NO
anon_upload_enable=NO
no_anon_password=NO
anon_other_write_enable=NO
anon_mkdir_write_enable=NO
anon_root=/home/ftp/
#########Logging##############################
xferlog_enable=YES
log_ftp_protocol=YES
syslog_enable=YES
port_enable=NO
pasv_addr_resolve=YES
```

*Note:* I can connect from the local LAN as well as from outside. I saw other people added `pasv_address=`; that's not necessary, and when it is enabled you can't connect from the LAN.


----------

