We have FileZilla Server 0.9.37 running on Windows Server 2008 R2.
Active mode works OK. The Windows firewall on the server is off.
Our router is a DrayTek Vigor 2820. Under NAT, Open Ports, I have opened the following ports for the server's local IP:
TCP 20-22, TCP 45100-65535
In FileZilla server, under passive mode settings (I can't post an image so...)
Use the following IP: 213.106.150.123
Don't use external IP from local connections: Checked
Use custom port range: 45100-65535
From a remote server in Germany, which I RDP into, I try connecting back to the FileZilla server.
Status: Connecting to 213.106.150.123:21...
Status: Connection established, waiting for welcome message...
Response: 220 --
Command: USER ftp_001471
Response: 331 Password required for ftp_001471
Command: PASS ********
Response: 230 Logged on
Status: Connected
Status: Retrieving directory listing...
Command: CWD /
Response: 250 CWD successful. "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (213,106,150,123,238,133)
Command: MLSD
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
The status window on FileZilla Server reports the following:
(not logged in) (87.106.131.22)> Connected, sending welcome message...
(not logged in) (87.106.131.22)> 220 --
(not logged in) (87.106.131.22)> USER ftp_001471
(not logged in) (87.106.131.22)> 331 Password required for ftp_001471
(not logged in) (87.106.131.22)> PASS ********
ftp_001471 (87.106.131.22)> 230 Logged on
ftp_001471 (87.106.131.22)> CWD /
ftp_001471 (87.106.131.22)> 250 CWD successful. "/" is current directory.
ftp_001471 (87.106.131.22)> TYPE I
ftp_001471 (87.106.131.22)> 200 Type set to I
ftp_001471 (87.106.131.22)> PASV
ftp_001471 (87.106.131.22)> 227 Entering Passive Mode (213,106,150,123,195,197)
ftp_001471 (87.106.131.22)> MLSD
ftp_001471 (87.106.131.22)> 425 Can't open data connection.
If I change the FileZilla passive mode setting from our external IP to Default, I get the following details from the client in Germany trying to connect.
Status: Connecting to 213.106.150.123:21...
Status: Connection established, waiting for welcome message...
Response: 220 --
Command: USER ftp_001471
Response: 331 Password required for ftp_001471
Command: PASS ********
Response: 230 Logged on
Status: Connected
Status: Retrieving directory listing...
Command: CWD /
Response: 250 CWD successful. "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (213,106,150,123,196,198)
Command: MLSD
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
And the details on the server.
(not logged in) (87.106.131.22)> Connected, sending welcome message...
(not logged in) (87.106.131.22)> 220 --
(not logged in) (87.106.131.22)> USER ftp_001471
(not logged in) (87.106.131.22)> 331 Password required for ftp_001471
(not logged in) (87.106.131.22)> PASS ********
ftp_001471 (87.106.131.22)> 230 Logged on
ftp_001471 (87.106.131.22)> CWD /
ftp_001471 (87.106.131.22)> 250 CWD successful. "/" is current directory.
ftp_001471 (87.106.131.22)> TYPE I
ftp_001471 (87.106.131.22)> 200 Type set to I
ftp_001471 (87.106.131.22)> PASV
ftp_001471 (87.106.131.22)> 227 Entering Passive Mode (192,168,1,4,195,198)
ftp_001471 (87.106.131.22)> MLSD
ftp_001471 (87.106.131.22)> 425 Can't open data connection.
What am I doing wrong?
When I specify the external IP, the client and server report the same, but the ports get screwed up; when I run with default, the server uses its internal IP but the port assignment looks better.
Edit: more testing and it's working.
So I installed the FTP server in IIS 7.5, disabled FileZilla and it worked! I then tried re-enabling FileZilla and that too worked! This was all from my home ADSL connection.
I then tried again from our remote server in Germany and it failed, hangs on the directory listing in passive mode for both IIS FTP and FileZilla.
I guess there is something up with the firewall / router at the data centre in Germany. I don't really want to mess with the remote server's router (I'm not even sure I can alter firewall rules, as it's hosted). I'm worried about corporate customers suffering the same fate when trying to access our FTP sites.
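
Added example, not part of the original post: a Python sketch that decodes the 227 replies logged above and compares what the server sent with what the client received. The function names and result keys are assumptions; the sample lines are copied from the post's logs and the port range is the one configured in FileZilla Server above.

```python
import ipaddress
import re

# Lines copied from the logs in the post: (server status window, client log).
EXTERNAL_IP_RUN = (
    "227 Entering Passive Mode (213,106,150,123,195,197)",
    "227 Entering Passive Mode (213,106,150,123,238,133)",
)
DEFAULT_RUN = (
    "227 Entering Passive Mode (192,168,1,4,195,198)",
    "227 Entering Passive Mode (213,106,150,123,196,198)",
)
PASV_RE = re.compile(r"227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def parse_pasv(line):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2); port = p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("no 227 reply in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def compare(server_line, client_line, port_range=(45100, 65535)):
    """Compare the reply the server sent with the one the client received."""
    sent, seen = parse_pasv(server_line), parse_pasv(client_line)
    low, high = port_range
    return {
        "sent": sent,
        "seen": seen,
        "sent_ip_private": ipaddress.ip_address(sent[0]).is_private,
        "sent_port_in_range": low <= sent[1] <= high,
        "rewritten_in_transit": sent != seen,
    }


if __name__ == "__main__":
    for name, run in (("external IP", EXTERNAL_IP_RUN), ("default", DEFAULT_RUN)):
        print(name, compare(*run))
```

In both runs the port the client received differs from the port the server sent (50117 vs 61061, and 50118 vs 50374), so the 227 reply was changed somewhere between the two endpoints and the client connects to a port the server is not listening on.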