Background / Network Structure
There are two layers of routers. The router at the outer layer has public Internet IP 123.123.123.123 (fake, as an example) and private IP 192.168.0.1. The router at the inner layer, which is also a client of the outer router, has public IP 192.168.0.2 and private IP 192.168.1.1. A Windows 7 Enterprise computer running FileZilla Server is a client of the inner router, with IP 192.168.1.48. All IPs are static.
I have been using Windows Remote Desktop from the other side of the Internet connecting to the Win7 machine for months. So I think that my port forward rules in both routers are correct.
From the other side of the Internet, the FTP connection is also fine. I have already:
- Set the FileZilla Server FTP port to 21
- Set the FileZilla Server implicit FTP over TLS port to 990
- Set the FileZilla Server passive mode custom port range to 1024-65534
- Allowed those ports in the Windows Firewall inbound rules
- Forwarded those ports (TCP) to IP 192.168.1.48 at the inner router
- Forwarded those ports (TCP) to IP 192.168.0.2 at the outer router
Define...
There are three network locations:
- Internet: somewhere on the Internet.
- Outer sub-net: a client of the outer router, having IP address 192.168.0.xxx.
- Inner sub-net: a client of the inner router, having IP address 192.168.1.xxx.
What I can do / What I cannot do:
A. Windows Remote Desktop - As I have forwarded port 3389 on both routers, RDP works at ALL three locations.
B. Basic FTP (not implicit FTPS, not explicit FTPS) using port 21 - works at ALL three locations. Very insecure though.
C. FTPS (I focus on implicit FTPS, which is more secure) using port 990:
- C1. Over the Internet, through ftps://123.123.123.123:990, it works.
- C2. At the outer sub-net, a computer and a mobile phone, having IPs 192.168.0.11 and 192.168.0.12, access the FTP server by ftps://192.168.0.2:990. This, and only this, situation does not work, and I do not know why.
- C3. At the inner sub-net, which is the same sub-net as the FTP server, access by ftps://192.168.1.48:990. It works as expected.
Added: Explicit FTPS does not work in case C2 either.
More on the Problem
As mentioned above, only the clients in the outer sub-net cannot access the FTP server via the implicit FTPS (port 990) protocol.
To be precise, according to the logs of the FTP server and FTP client, we can log in, but fail to list the directories and files.
FileZilla FTP Client log in case C2:
Status: Connecting to 192.168.0.2:990...
Status: Connection established, initializing TLS...
Status: Verifying certificate...
Status: TLS connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,48,32,136)
Command: MLSD
Response: 425 Can't open data connection for transfer of "/"
Error: Failed to retrieve directory listing
FileZilla FTP Server log in case C2:
(000873)12/05/2017 01:50:00 - (not logged in) (192.168.0.11)> Connected on port 990, sending welcome message...
(000873)12/05/2017 01:50:00 - (not logged in) (192.168.0.11)> 220-FileZilla Server 0.9.60 beta
(000873)12/05/2017 01:50:00 - (not logged in) (192.168.0.11)> 220-written by Tim Kosse (tim.kosse@filezilla-project.org)
(000873)12/05/2017 01:50:00 - (not logged in) (192.168.0.11)> 220 Please visit https://filezilla-project.org/
(000873)12/05/2017 01:50:00 - (not logged in) (192.168.0.11)> TLS connection established
(000873)12/05/2017 01:50:02 - (not logged in) (192.168.0.11)> USER midnite
(000873)12/05/2017 01:50:02 - (not logged in) (192.168.0.11)> 331 Password required for midnite
(000873)12/05/2017 01:50:02 - (not logged in) (192.168.0.11)> PASS ***
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 230 Logged on
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> SYST
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 215 UNIX emulated by FileZilla
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> FEAT
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 211-Features:
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> MDTM
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> REST STREAM
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> SIZE
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> MLST type*;size*;modify*;
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> MLSD
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> AUTH SSL
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> AUTH TLS
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> PROT
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> PBSZ
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> UTF8
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> CLNT
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> MFMT
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> EPSV
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> EPRT
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 211 End
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> PBSZ 0
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 200 PBSZ=0
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> PROT P
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 200 Protection level set to P
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> PWD
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 257 "/" is current directory.
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> TYPE I
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 200 Type set to I
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> PASV
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> 227 Entering Passive Mode (192,168,1,48,32,136)
(000873)12/05/2017 01:50:02 - midnite (192.168.0.11)> MLSD
(000873)12/05/2017 01:50:12 - midnite (192.168.0.11)> 425 Can't open data connection for transfer of "/"
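Added example (not part of the question or of FileZilla): a small Python checker that reads a FileZilla-style client log, extracts the address and port the server advertised in its 227 reply, and compares them with the control-connection host and the client's own subnet, which makes the case C2 failure visible at a glance. The log excerpt is trimmed from the client log above, and the client subnet size (/24) is an assumption.

```python
import ipaddress
import re

# Constructed sample, trimmed from the client log in case C2 of the question.
SAMPLE_LOG = """\
Status: Connecting to 192.168.0.2:990...
Status: TLS connection established, waiting for welcome message...
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,48,32,136)
Response: 425 Can't open data connection for transfer of "/"
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply (port = p1 * 256 + p2), or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def diagnose(log_text, client_ip, prefix_len=24):
    """Check whether the PASV endpoint is plausibly reachable (prefix_len assumed)."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    r = {"control_host": None, "tls": False, "data_ip": None,
         "data_port": None, "verdict": "no 227 reply seen"}
    for line in log_text.splitlines():
        m = re.search(r"Connecting to ([\d.]+):\d+", line)
        if m:
            r["control_host"] = m.group(1)
        if "TLS connection established" in line:
            r["tls"] = True
        pasv = parse_pasv(line)
        if pasv:
            r["data_ip"], r["data_port"] = pasv
    if r["data_ip"] is None:
        return r
    addr = ipaddress.ip_address(r["data_ip"])
    if r["data_ip"] == r["control_host"] or addr in client_net:
        r["verdict"] = "advertised address matches the control host or client subnet"
    elif addr.is_private:
        r["verdict"] = "server advertised a private address outside the client's subnet"
        if r["tls"]:
            # A NAT router's FTP helper cannot rewrite a 227 it cannot read.
            r["verdict"] += "; TLS hides the reply from the router's FTP helper"
    else:
        r["verdict"] = "public address advertised; verify the data-port forward"
    return r
```

Run with `diagnose(SAMPLE_LOG, "192.168.0.11")` for case C2; swapping the control host and client IP for 192.168.1.48 reproduces the working case C3.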