First off, many thanks and great respect to shibby and contributors for this awesome tomato build. Been using the shibby builds on my old Linksys E4200 as well with great performance.
Secondly, I am very sorry if this has been nailed in a different discussion and I just wasn't able to find it. I have Googled and Googled for two solid days trying to find out what's up, but I really can't seem to figure it out and I wondered if there is a bug preventing me from accomplishing this. But here goes…
NOTE: I'm still a rookie Linux user and I would really appreciate anyone taking the time to explain any iptables or other syntax/command that may be suggested.
So, I run a small FTP server on my router for my personal stuff and also to have tools and whatever else available everywhere I go, as I fix people's PC problems etc. and prefer to access what I need remotely.
I have been using normal FTP on my old E4200, but as I got a newer ASUS RT-AC56U now I would want to use some security. I run the latest tomato-RT-AC56U-ARM--124-AIO-64K by shibby on it and it works great.
Currently I am attempting an Explicit SSL/TLS setup and I almost have it working. But I have hit a wall now and I need some help from the experts.
I have it all working on the LAN side, and the initial connection works on the WAN side from a remote location, but when passive mode and a directory listing are requested, the connection times out with a socket error. I figure it's the router firewall that kills it and/or the encrypted connection that cannot be read and interpreted.
I have tried with a static passive port range and forwarded those ports to the router IP, plus I have changed the default command port and forwarded that as well.
First it listed the LAN IP remotely, and I entered the pasv_addr_resolve and pasv_address and now it works with the correct IP, but still with a timeout on listing.
I feel like I have tried it all and I cannot figure out what to do next. The funny part is that I set up a test server (FileZilla) on one of my PCs with Explicit SSL and forwarded the ports through the router, and my remote PC connects straight away from the WAN side, but still the router vsFTPd server won't work.
Here is what I currently have in the custom config:
pasv_address=<URL ASSOCIATED WITH MY IP>
iptables lists the following under the wanin chain:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.1 tcp multiport dports 1448,25000:25100
Conntrack FTP tickbox checked.
I am also a little confused about the forwarding setup, and in some places I found by searching Google, people mention that I must put a few iptables lines in the Firewall scripts, but I am not sure if that is true and, if it is, which to put. Also it makes little sense to me why the FileZilla server running off a PC behind the router works as intended but the directly attached storage on the router does not.
I use FlashFXP as client and have tried with WinSCP as well just to rule that out. Below is the FlashFXP log of the connection attempt, with my domain and IP masked as I would prefer not to put it up here publicly.
**FlashFXP 5.0.0 (build 3799)
Winsock 2.2 -- OpenSSL 1.0.1j 15 Oct 2014
[R] Connecting to Private Server - TLS -> DNS=ftp[dot]my-domain[dot]org IP=XXX.XXX.XXX.XXX PORT=1448
[R] Connected to Private Server - TLS
[R] 220 Welcome to the FTP Server!
[R] AUTH TLS
[R] 234 Proceed with negotiation.
[R] TLSv1 negotiation successful…
[R] TLSv1 encrypted session using cipher AES256-SHA (256 bits)
[R] PBSZ 0
[R] 200 PBSZ set to 0.
[R] USER testusr
[R] 331 Please specify the password.
[R] PASS (hidden)
[R] 230 Login successful.
[R] 215 UNIX Type: L8
[R] AUTH SSL
[R] AUTH TLS
[R] REST STREAM
[R] 211 End
[R] OPTS UTF8 ON
[R] 200 Always in UTF8 mode.
[R] 257 "/"
[R] PROT C
[R] 200 PROT now Clear.
[R] 227 Entering Passive Mode (XXX,XXX,XXX,XXX,98,12).
[R] Opening data connection IP: XXX.XXX.XXX.XXX PORT: 25100
[R] Data Socket Error: Connection timed out
[R] List Error**
So thank you in advance to anyone who can spare me a bit of their valuable time to look over this and be my guest to ask for missing details.
I'm close to giving up on this, and will do so if no one has any ideas.
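As an added example (not part of the original post, nor code from Tomato or vsftpd), a small Python script that reads a FlashFXP-style log like the one above, decodes the 227 reply into the advertised host and port (p1*256 + p2), checks that endpoint against the `multiport dports` spec of the wanin rule and the expected public IP, and reports the negotiated PROT level of the data channel. The log excerpt and the 203.0.113.10 address are constructed.

```python
import re

# Constructed FlashFXP-style excerpt modelled on the post's log (public IP is a
# documentation address, not a real server). PASV port 98*256+12 = 25100.
SAMPLE_LOG = """\
[R] AUTH TLS
[R] 234 Proceed with negotiation.
[R] PROT C
[R] 200 PROT now Clear.
[R] 227 Entering Passive Mode (203,0,113,10,98,12).
[R] Opening data connection IP: 203.0.113.10 PORT: 25100
[R] Data Socket Error: Connection timed out
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PROT_RE = re.compile(r"\bPROT ([CP])\b")  # client's PROT command, not the 200 reply


def parse_pasv(log):
    """Return (host, port) from the 227 reply, or None if there is no such reply."""
    m = PASV_RE.search(log)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_dports(spec):
    """Expand an iptables multiport spec such as '1448,25000:25100' into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def check_passive(log, forwarded_dports, public_ip):
    """Cross-check the PASV endpoint against the forward rule; flag a cleartext data channel."""
    pasv = parse_pasv(log)
    if pasv is None:
        return None, None, ["no 227 passive-mode reply found in log"]
    host, port = pasv
    findings = []
    if host != public_ip:
        findings.append(f"PASV advertises {host}, expected public IP {public_ip}")
    if port not in parse_dports(forwarded_dports):
        findings.append(f"PASV port {port} is outside forwarded range {forwarded_dports}")
    prot = PROT_RE.findall(log)
    if prot and prot[-1] == "C":
        findings.append("data channel negotiated as PROT C (cleartext); PROT P would encrypt it")
    return host, port, findings
```

Run with the wanin rule from the post (`check_passive(SAMPLE_LOG, "1448,25000:25100", "203.0.113.10")`): the IP and port pass, and the only finding is that the listing goes over a PROT C data channel.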