Peplink Balance 305 and FTPS issues


#1

Hello everyone,

I have been working on this now for a couple of days, and am now just completely frustrated. I am attempting to set up an FTP server on a Windows box to handle the backups for our off-site devices, like servers and such. I am using the FileZilla FTP server, and an FTP script to accomplish this on the machines in question. I am testing the connection with just the FileZilla client. All I get out of FileZilla when connecting is:

425 Can’t open data connection for transfer of “/”

I log in fine, but it appears when getting a directory listing. Server connections are fine internally, and regular FTP works fine; it’s just FTPS.

Network setup:

  • Peplink Balance 305 Firmware 6.3.1 build 3471
  • Dual WAN connections

How it’s set up:
I have added my FTP Windows server as a server in the configuration. Then under services I have added 3 entries:

FTP: WAN1 to FTP server, port 21
FTPS: WAN1 to FTP server, Port 990
FTPS_Passive: WAN1 to FTP server, Ports 50010-50074 (passive ports set in FileZilla)

After setting those, the connection fails with the 425 error. I thought since we have the dual WAN ports that it might attempt to respond via the second IP address, so I added the following to outbound policy:

FTP: Persistence From FTP Server to Any, Port 21
FTPS: Persistence From FTP Server to Any, Port 990
FTPS_Passive: Persistence From FTP Server to Any, Ports 50010-50074

Still nothing, same error.

Dumbfounded now, I added the following to Access Rules:

INBOUND

FTP: WAN1 to FTP server, port 21
FTPS: WAN1 to FTP server, Port 990
FTPS_Passive: WAN1 to FTP server, Ports 50010-50074 (passive ports set in FileZilla)

OUTBOUND

FTP: from FTP server to any, port 21
FTPS: from FTP server to any, Port 990
FTPS_Passive: from FTP server to any, Ports 50010-50074 (passive ports set in FileZilla)

Still same error.

I have no idea what to try next. Never had these issues before, set this kind of thing up multiple times over the years.

Any help would be greatly appreciated.

Thank you.


#2

Hello @Wavauiwi,
Not sure about your ISP, though in Australia most ISPs block FTP into your own IP unless you ask specifically for it to be allowed (just as they block email ports too and other common ports). Have you checked that your ISP is not blocking the traffic?
Happy to Help,
Marcus 🙂


#3

You might also want to restrict ALL outbound traffic from the FTP server to WAN1, since all of your inbound requests are allowed only on WAN1. There is a service forwarding option specifically for FTP as well. You could scrap unencrypted FTP and use the custom port settings to make the FTP service forwarding point to your secure port.

IMO - SFTP is a better secure file transport mechanism speaking from a purely network perspective. None of the control port and data port stuff. All traffic just appears as an SSH tunnel to network gear. I am pretty sure you can run a flavor of SFTP services using Cygwin on Windows. Or stand up a Linux server.
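
Added example, not part of any post in this thread: because the FTPS control channel is encrypted, a router cannot rewrite the address inside the server's passive-mode reply, so one thing to check when a 425 appears behind NAT is what the server actually advertises. This Python sketch parses a 227 (PASV) or 229 (EPSV) reply copied from the client log and compares it with the forwarded range from the first post; the sample replies and function names are constructed for illustration.

```python
import ipaddress
import re

# Passive range from the first post (FTPS_Passive service: ports 50010-50074).
FORWARDED_PORTS = range(50010, 50075)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_passive_reply(line):
    """Return (address or None, port) from a 227 (PASV) or 229 (EPSV) reply."""
    m = PASV_RE.match(line)
    if m:
        fields = [int(g) for g in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError("field out of range in PASV reply")
        addr = ipaddress.ip_address(".".join(map(str, fields[:4])))
        return addr, fields[4] * 256 + fields[5]
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries only a port; the client reuses the control-connection address.
        return None, int(m.group(1))
    raise ValueError("not a 227/229 passive reply")

def check_passive_reply(line, forwarded=FORWARDED_PORTS):
    """List reasons a WAN client could not open the advertised data connection."""
    addr, port = parse_passive_reply(line)
    problems = []
    if addr is not None and any(addr in net for net in RFC1918):
        problems.append(f"advertises private address {addr}")
    if port not in forwarded:
        problems.append(f"port {port} is outside forwarded range "
                        f"{forwarded.start}-{forwarded.stop - 1}")
    return problems

# Constructed sample replies (not taken from the thread).
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,50,195,90)",
    "227 Entering Passive Mode (203,0,113,10,195,130)",
    "229 Entering Extended Passive Mode (|||50012|)",
    "227 Entering Passive Mode (203,0,113,10,234,96)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_passive_reply(s) or "ok")
```

An empty list means the advertised endpoint is consistent with the port forwards; any finding points at the server's passive-mode settings rather than at the router rules.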