D-Link Forums

The Graveyard - Products No Longer Supported => D-Link Storage => DNS-323 => Topic started by: mcduarte2000 on January 01, 2009, 06:46:25 AM

Title: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mcduarte2000 on January 01, 2009, 06:46:25 AM
I'm trying to configure my DNS-323 to be open to the outside world for connections of FTP over SSL/TLS (my router is a D-Link DIR-655). But unfortunately something is not working.

The connection is established but when using TLS it gets stuck on the LIST command. I already tried to forward the ports 989 and 990 (besides the standard 21 for FTP) to the DNS-323 from my router, using the Port Forwarding Rules table, but it didn't work.

Currently the DNS-323 is on the DMZ of the router, so it shouldn't be a firewall problem, but, when I connect directly to the internal network address of the DNS-323 everything works fine.

Another problem, is that standard FTP, when I put DNS-323 behind the firewall, simply stops working (getting stuck also on the LIST command).

Any ideas of what I should do to make this work?

Thanks,

Miguel
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-
Post by: nighthawk on January 01, 2009, 07:48:47 AM
Hmm, I can't remember the reason exactly (something to do with control-data or something), but try opening port 20 as well (for the "behind firewall problem").

nighthawk
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: hilaireg on January 01, 2009, 08:02:03 AM
Short of FTP over VPN, you'll find FTP support is pretty limited when using it outside the LAN.

90% of folks have had success by only forwarding Port 21 on the router to the DNS; I personally have had to forward Port 20 as well ... although it shouldn't be required at all.

The DNS does support reassignment of Port 21 although I suspect Port 20 cannot be reassigned natively.  There is a DNS Wiki that shows you how to 'mod' the DNS - you will not be able to obtain warranty and support from D-Link however.

HTH,

Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mcduarte2000 on January 01, 2009, 08:12:00 AM
Well, the FTP-behind-the-firewall problem is actually solved by using the "Virtual Server List" table of the DIR-655 instead of the "Port Forwarding Rules" table.

Still fighting with being able to use the FTP over TLS... It continues getting stuck on the LIST command...

Miguel
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrbilodeau on January 01, 2009, 11:31:54 AM
I posted another thread on here. I use FileZilla as my FTP client. Basically you have to use FTPES and not FTPS. That's what I found. BTW, it just uses the default FTP port (21).
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mcduarte2000 on January 01, 2009, 01:38:47 PM
I posted another thread on here. I use FileZilla as my FTP client. Basically you have to use FTPES and not FTPS. That's what I found. BTW, it just uses the default FTP port (21).

I'm using FileZilla and FTPES. I can use it from inside my network, but not from outside... Can you access your FTP site (using FTPES) from outside your network? Did you create any special configuration on your router besides the normal parameters needed from a normal non-encrypted FTP?

If I try to connect from outside I just get:

Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER *******
Status:   TLS/SSL connection established.
Response:   331 User ******* OK. Password required
Command:   PASS ********
Response:   230 OK. Current restricted directory is /
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (*************)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   LIST
Error:   Connection timed out
Error:   Failed to retrieve directory listing
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: Wilson on June 21, 2009, 11:51:05 PM
Hello, has anyone tried the latest v1.08 f/w for this issue?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: Tank_Killer on June 22, 2009, 08:59:58 AM
Have you opened/forwarded your passive port range on your router as well as the port?

Have you tried setting your client to NOT use a PASV port range? (Dunno how that's done in FileZilla.)

If it hangs on LIST this is generally a port issue.
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: bripab007 on June 22, 2009, 09:58:10 AM
Have you opened/forwarded your passive port range on your router as well as the port?

What passive port range does the DNS-323's FTP server use?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-
Post by: nightshocker on July 02, 2009, 05:26:25 AM
So has this been solved? I have the same problem.
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: ttmcmurry on July 02, 2009, 09:55:05 PM
I would say wait until 1.08 comes out of beta.  The problem with 1.06/1.07 is you don't know the PASV port range, so how could your router possibly compensate for forwarding ports it isn't aware of that it needs to forward?  You can't change the range, and trust me it spans well over 10,000 ports.  Not ideal or secure.

In 1.08 you'll be able to define a brief range for PASV transfers (1 port * # of simultaneous connections + 1) -- so you can put the appropriate info in your router for proper communication.  That would solve the connection drops... port 21's pretty much going to always work if it's properly forwarded.



Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: MisterGoupil on September 06, 2009, 01:12:32 PM
In a few words: with FW 1.08, will FTP over SSL/TLS over the Internet be possible?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: traylorre on September 20, 2009, 08:49:02 PM
mcduarte2000: It appears from your logs that you are not connecting over a secure connection.  I have this same problem.  Has anyone heard of a solution?

At first, the server responds as supporting TLS, but then it sends an error 534 saying it will operate on no encryption.

RFC 2228 : http://www.networksorcery.com/enp/rfc/rfc2228.txt
This command indicates to the server what type of data channel
      protection the client and server will be using.  The following
      codes are assigned:

         C - Clear
         S - Safe
         E - Confidential
         P - Private

The default protection level if no other level is specified is
      Clear.  The Clear protection level indicates that the data channel
      will carry the raw data of the file transfer, with no security
      applied.

You will see in your logs below that you have this problem.  I have this problem as well, using DNS-323 server and FileZilla and CuteFTP clients.

Most people would not understand these messages, and thinking that they are on a secure connection, would be running naked / unencrypted.

Check out this post as a way to enable secure FTP.  Then you log in as root.
http://nas-tweaks.net/CH3SNAS:Tutorials/fun_plug



---
Command:   AUTH TLS
Response:   234 AUTH TLS OK.

Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER *******
Status:   TLS/SSL connection established.
Response:   331 User ******* OK. Password required
Command:   PASS ********
Response:   230 OK. Current restricted directory is /
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
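
Added example, not part of the original post: a small Python auditor that reads a FileZilla-style client log and reports whether the data channel was ever protected, using the RFC 2228 rule quoted above that the level is Clear unless a PROT command is accepted. Both sample logs are constructed for illustration, modelled on the log format shown in this thread.

```python
import re

# Commands that open a data connection (directory listings and file transfers).
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE", "STOU"}
LINE_RE = re.compile(r"^(Command|Response):\s+(.*)$")

# Constructed sample: server accepts AUTH TLS but refuses PROT P.
CONSTRUCTED_FALLBACK_LOG = """\
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Command:   USER demo
Response:   331 User demo OK. Password required
Command:   PASS ********
Response:   230 OK. Current restricted directory is /
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Command:   PASV
Response:   227 Entering Passive Mode (192,168,1,100,117,53)
Command:   LIST
Response:   150 Accepted data connection
Response:   226-Options: -l
Response:   226 2 matches total
"""

# Constructed sample: same session, but the server accepts PROT P.
CONSTRUCTED_PROTECTED_LOG = CONSTRUCTED_FALLBACK_LOG.replace(
    "534 Fallback to [C]", "200 Data protection level set to private")


def audit_ftp_log(log_text):
    """Track control- and data-channel protection across a client log."""
    control_tls = False      # becomes True when AUTH TLS gets a 234 reply
    data_level = "C"         # RFC 2228 default: Clear
    pending = None           # (verb, argument) of the command awaiting a reply
    findings = []
    cleartext_data_commands = []

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue         # "Status:" and "Error:" lines are client commentary
        kind, body = m.groups()
        if kind == "Command":
            parts = body.split()
            if not parts:
                continue
            verb = parts[0].upper()
            arg = parts[1].upper() if len(parts) > 1 else ""
            pending = (verb, arg)
            if verb in DATA_COMMANDS and data_level == "C":
                cleartext_data_commands.append(verb)
            continue
        code = body[:3]
        if not code.isdigit() or pending is None:
            continue         # FEAT feature lines, greeting, trailing replies
        if len(body) > 3 and body[3] == "-":
            continue         # continuation line of a multi-line reply
        verb, arg = pending
        if verb == "AUTH" and code == "234":
            control_tls = True
        elif verb == "PROT":
            if code.startswith("2"):
                data_level = arg
            else:
                findings.append(
                    f"PROT {arg} refused with {code}: "
                    f"data channel stays at level {data_level}")
        pending = None

    if control_tls and cleartext_data_commands:
        findings.append("control channel is TLS but data commands ran in clear: "
                        + ", ".join(cleartext_data_commands))
    return {"control_tls": control_tls, "data_level": data_level,
            "cleartext_data_commands": cleartext_data_commands,
            "findings": findings}


if __name__ == "__main__":
    for name, log in (("fallback", CONSTRUCTED_FALLBACK_LOG),
                      ("protected", CONSTRUCTED_PROTECTED_LOG)):
        print(name, audit_ftp_log(log))
```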
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: Filosofer on September 24, 2009, 08:37:12 AM
I am also using FileZilla and have forwarded ports, etc.
The thing is I can't even connect to the directory.

The DNS sits behind the second router, all ports static, PPPoE is active and DynDNS updates.
I'm still not getting any progress with this. All firewalls are also off.

Any hints mcduarte2000 for even getting logged on?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: Jimbojjz on September 24, 2009, 05:59:11 PM
Really frustrated with this problem. I bought this a few months back planning to use it to help with some backups of certain files on webservers. Spent the past weeks trying to troubleshoot this with absolutely no joy. If I had known this in the first place I wouldn't have spent £400 on it :(

Exact same symptoms. Can connect locally but via the net on static IP just gets to LIST and dies. I could cry :(
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mikef on February 19, 2010, 09:17:17 AM
Try Filezilla in Active mode not passive.  I set it this way through a DIR-625 to a DNS-323 ftp server and it works fine.  In passive mode, I cannot get it to work.
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mosil on February 26, 2010, 06:08:42 PM
Would be nice if one of the moderators would step in and shed some light on this matter. Either there is or is not a problem in the firmware. No disrespect as I know all newly released firmware will have bugs without a doubt. If this is a known issue, it would be greatly appreciated to let the users know. Till then, I could be fighting a losing battle trying to get FTP over explicit TLS/SSL to work.

Thanks
Mosil
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrak on March 03, 2010, 01:42:01 PM
Would be nice if one of the moderators would step in and shed some light on this matter. Either there is or is not a problem in the firmware. No disrespect as I know all newly released firmware will have bugs without a doubt. If this is a known issue, it would be greatly appreciated to let the users know. Till then, I could be fighting a losing battle trying to get FTP over explicit TLS/SSL to work.

Thanks
Mosil

I agree. I've tried every permutation of options using FileZilla and another FTP program with no success.  I don't want to access my files in the clear, which is not prudent.  Perhaps the moderator can provide a step-by-step guide for setting it up.  I'm using a D-Link Router (655).
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: DocD on March 04, 2010, 09:38:22 AM
Hi all...

I might be able to shed a little light on this.  I noticed that I can connect with TLS for login authentication, but the channels were unencrypted (like everyone else).   After looking at the GPL files (at least those included with firmware 1.05), the PureFTPd version that DLink is using is version 1.0.21...

This is significant, as PureFTPd introduced TLS during connect (login) with version 1.0.16.  Encryption over the data channel was only enabled with version PureFTPd version 1.0.22 (per the changelog on the PureFTPd site).

I don't have the GPL files for firmware 1.08 - but it seems like the PureFTPd version has not changed.
Bottom line - data is not going to be encrypted.  Perhaps our wish list for 1.09 Beta can include a later version of PureFTPd to get that data encryption feature.

-DocD



Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrak on March 05, 2010, 08:50:26 PM
Hi all...

I might be able to shed a little light on this.  I noticed that I can connect with TLS for login authentication, but the channels were unencrypted (like everyone else).   After looking at the GPL files (at least those included with firmware 1.05), the PureFTPd version that DLink is using is version 1.0.21...

This is significant, as PureFTPd introduced TLS during connect (login) with version 1.0.16.  Encryption over the data channel was only enabled with version PureFTPd version 1.0.22 (per the changelog on the PureFTPd site).

I don't have the GPL files for firmware 1.08 - but it seems like the PureFTPd version has not changed.
Bottom line - data is not going to be encrypted.  Perhaps our wish list for 1.09 Beta can include a later version of PureFTPd to get that data encryption feature.

-DocD





If I understand you correctly, the password submitted is encrypted, but everything after that is not?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: tfiveash on March 05, 2010, 10:13:40 PM
If this is the case, would it not be simple for DLink to correct?  It would be nice if we heard from a DLink moderator or a DLink engineer.  Has anybody heard from them since they released 1.08 final?  Have they gone dead on us?

HELLO MR. DLINK IS THIS CORRECT? IF IT IS CAN IT BE FIXED WITH THE NEW SOFTWARE?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: abuck on March 06, 2010, 05:57:47 AM
same problem here:

Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 08:55. Server port: 21.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 2 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Error:   Connection timed out
Error:   Could not connect to server

using filezilla with FTPES
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: DocD on March 06, 2010, 02:47:40 PM
If I understand you correctly, the password submitted is encrypted, but everything after that is not?

Hi jrak...

That is indeed correct.  Just the login credentials, no data is encrypted. :-[

DocD
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrak on March 06, 2010, 04:44:48 PM
Hi jrak...

That is indeed correct.  Just the login credentials, no data is encrypted. :-[

DocD

So any files or documents that are transferred could be read by anyone that can tap into the transmission?  I would like to access my files away from home, typically from a hotel that provides wireless access.  How risky would that be?   
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: gunrunnerjohn on March 07, 2010, 06:31:19 AM
ZIP the files with a strong password using the AES encryption.
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mosil on March 07, 2010, 07:44:06 AM
jrak,
          That would be very risky....I would go with what gunrunnerjohn suggested and encrypt the files. I really don't see the point why the user's credential is encrypted and the data is wide open. I guess there are a few benefits for those who don't really care about security but that is not me. Currently I am using the system as it is....with my username and passwd encrypted. I am also using a program called "Ironkey". This is all done on the server side and it basically encrypts the file. This way it is not easily accessed during transmission. I am sure if someone really wants to crack it they can but it will definitely get the regular snooping "Joe" to go elsewhere and look.
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrak on March 08, 2010, 08:46:25 PM
Thanks for the guidance on encrypting files.  It certainly is not what I anticipated when I purchased the DNS-323 a year ago. It would be far better and easier to have the encryption system built into FTP process.  I would welcome hearing from the D-Link moderator on this.
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: dosborne on March 08, 2010, 09:59:20 PM
FTP is not secure. There are too many implementations for DLINK to pick one that would make people happy. Most don't need or want security and it just slows the system down, requires a specific client etc. If you need that functionality, run a full linux box. Keep the DNS323 a simple unit that serves the masses.
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: tfiveash on March 08, 2010, 10:29:30 PM
Dosborne, a full linux box sounds great, but if all you want is encrypted FTP, isn't using a full linux box like swatting house flies with a baseball bat?  From an economics standpoint the DNS-323 uses 19 watts; how much electricity does your full linux box use?  I bet that I could pay for a DNS-323 in a year with the savings.

Also,  If a company advertises a feature it should work.

Terry
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mosil on March 09, 2010, 12:25:03 PM
Jrak,
                  Another alternative would be to install fun_plug on your system. The encryption is SSH which is by far better than SSL/TLS.  Keep in mind that it would void any warranty that you have on your box. You can read a little more on it here.....

http://wiki.dns323.info/howto:fun_plug#how_fun_plug_works
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrak on March 09, 2010, 03:32:08 PM
Jrak,
                  Another alternative would be to install fun_plug on your system. The encryption is SSH which is by far better than SSL/TLS.  Keep in mind that it would void any warranty that you have on your box. You can read a little more on it here.....

http://wiki.dns323.info/howto:fun_plug#how_fun_plug_works


Thanks for the advice.  I was holding off on installing the fun_plug until my warranty expired and I had the chance to install the new firmware.  Seeing as the latter does not meet my needs and my warranty has expired, the fun_plug is an option I want to try.

Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrak on March 12, 2010, 05:28:32 PM
After looking at the fun_plug installation instructions, I've decided that it's a bit more trouble than I care to undertake at this time.  If I need to use FTP, I limit my downloading to files that don't have any confidential information in them.

Like others who have contributed to this thread, I would like to hear from the D-Link moderator on this topic.  Is D-Link planning to fully implement FTP over explicit TLS/SSL for the DNS-323?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: mosil on March 13, 2010, 07:37:19 AM
Fun_plug is not as hard as it looks, as I did it myself, but if you are not comfortable then stay away. The last thing you want to do is brick your system. I am with you on this one......we will have to issue a search warrant for the Moderators... ;D
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: Geraner on April 04, 2010, 09:56:19 AM
FTP over TLS works perfectly for me behind the DIR-655.
Now I'm running a DIR-825 but the configurations are the same as I had on the DIR-655.

My FTP-settings in the DNS-323 with Firmware 1.08 are the following:
-------
Max. User: 10
Idle Time: 10 (minutes)
Port: 21212 (to avoid FTP-hacking attacks)
Passive Mode: Use the following port range: 30000 - 30020
Client Language: Northern European
Flow Control: Unlimited
SSL/TLS:  (marked) Allow SSL/TLS connection only
-------

Now to the settings in the DIR-825.
-------
Advanced -> Port Forwarding:
1. Enabled
Name: FTP-Server
IP-Address: IP of DNS-323
TCP: 21212
Schedule: Always

2. Enabled
Name: Passive-FTP
IP-Address: IP of DNS-323
TCP: 30000-30020
Schedule: Always
-------

That's everything. FTP over SSL is working perfectly for me.
Running FileZilla as FTP program. Settings there are:
Port: 21212
Servertype: FTPES - FTP over explicit TLS/SSL.

/Geraner
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: jrak on April 04, 2010, 11:48:55 AM
I made the changes you suggested, but still got the command "534 Fallback to [C]" which indicates that whatever follows is transmitted in clear text.

Perhaps you can post your log from Filezilla.


Connecting to XXX.XXX.XX.XXX:21212...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 15:42. Server port: 21212.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 2 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER XXXX
Status:   TLS/SSL connection established.
Response:   331 User XXXX OK. Password required
Command:   PASS **************
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (XXX,XXX,XX,XXX,XXX,XX)
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 2 matches total
Status:   Directory listing successful
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: Geraner on April 05, 2010, 12:54:37 AM
Well, now I see that I also get "534 Fallback to [C]". I had never noticed this.
Does it really mean that the FTP traffic is not encrypted then?
The log tells us earlier: "Status:   TLS/SSL connection established." In your case also.
FileZilla tells me that the connection is encrypted (symbol in the right corner). When I click on it, a window with the certificate information opens.

So I'm not sure whether the "534 Fallback to [C]" is telling us that there is no encryption, because FileZilla tells me it is encrypted.

Here is my FTP log from FileZilla
-----
Status:   Connecting to x.x.x.x:21212...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 10 allowed.
Response:   220-Local time is now 09:43. Server port: 21212.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 10 minutes of inactivity.
Command:   AUTH TLS
Response:   234 AUTH TLS OK.
Status:   Initializing TLS...
Status:   Verifying certificate...
Command:   USER xxxxx
Status:   TLS/SSL connection established.
Response:   331 User xxxxx OK. Password required
Command:   PASS ***********
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Command:   PBSZ 0
Response:   200 PBSZ=0
Command:   PROT P
Response:   534 Fallback to [C]
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (x,x,x,x,117,53)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 1 matches total
Status:   Directory listing successful
------
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: Geraner on April 05, 2010, 01:26:44 AM
You are right. The traffic is not encrypted. Data is being sent in clear text.  :o

I made a test.
Created a .txt file with the text: geraner is sending a testfile via FTP TSL/SSL to the DNS-323.
I transferred this file from my local computer to the DNS-323 via FTP (TLS/SSL activated).
Before the file transfer via FTP I started Wireshark to log the traffic during the FTP file transfer.
If the traffic were encrypted, then Wireshark would not be able to see any data transfer unencrypted.

See the screenshot below for the information Wireshark could capture during the "encrypted" file transfer to the DNS-323.
(http://www.steffenlanghammer.eu/images/DNS-FTP.png)
D-Link, can you fix this problem please!?
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: batteryworm on August 11, 2016, 09:42:52 AM
Hi, This must be really old news but I am not sure if anyone managed to resolve this FTP over TLS issue.

Here is what works for me. So I just want to share as it was very frustrating when it didn't work and I struggled over a whole weekend (trial and error).

My config is DNS-320 Sharecentre with Firmware Rev 2.00 Firmware date: Dec 17 2010. Yours may be different so I don't know if it will work for you.
My IP address for the DNS-320 is 192.168.1.100.

1. For the DNS-320, after logging in as admin,
Under Management - Application Management - FTP server, use the following settings and selections:
Max Users 10
Idle Time 5
Port 3688 {you can also select anything between 1025 to 3688; just don't select the default 21 - it won't work}
Passive mode - use the default port range (55536~55663)
 - do not need to select Report External IP in PASV mode {optional to select this}*
     External IP: {leave this blank}*
Client language: ISO8859-1 << Western European (ISO8859-1)
Flow Control Unlimited
SSL/TLS Select Allow SSL/TLS connection only
FXP Disable

Note*: These two options, Report External IP in PASV mode and the actual external IP address, are optional. You can unselect these options - it should work fine for most good FTP clients. The only thing is that if you do not select Report External IP in PASV mode, then some clients such as FileZilla will complain that they are unable to connect to the IP indicated by PASV mode, then fall back to the server's external IP and continue just fine. However, for each transaction it will show this annoying warning message: "server sent passive reply with unrouteable address. Using server address instead". If you have an Internet connection that has a permanent static IP address, then you can select Report External IP in PASV mode and fill in your external IP address in the next line.


2. On your router, depending on the make and model, you have to find the NAT - virtual server menu or some other routers call it the port-forwarding menu.

Add the following entries:
a) External port 3688; Server IP {enter your internal FTP server IP address eg. 192.168.1.100}; Internal port 3688; Protocol: TCP.
b) External port 55536-55663; Server IP {enter the same FTP server internal IP addr 192.168.1.100}; Internal port 55536-55663 (same as external port); Protocol TCP.

3. On the client end (I use Filezilla on a laptop tethered to my phone with 4G data network), select the following:
Host IP : Public IP address of your router (you can check this by using canyouseeme.org on your browser from your home network); Alternatively if you already have DDNS setup, then just type in your hostname.domain as per your DDNS instead of numeric IP address.
Port: 3688
Protocol: FTP
Encryption: Use Explicit FTP over TLS
Logon type: Normal
Username:{username to the FTP server}
Password: {password to the FTP server}
The rest of the settings can be left as default or auto.
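
Added example, not part of the original posts: a Python check that decodes a `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, confirms the data port falls inside the range forwarded on the router, and reports when the advertised host is a private address (the condition behind FileZilla's "unroutable address" status line). The `117,53` port bytes and both port ranges come from the thread; the host addresses, `check_pasv` and its parameters are constructed for illustration.

```python
import ipaddress
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# Private IPv4 ranges that a client on the Internet cannot reach directly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in 227 reply")
    host = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_pasv(reply, forwarded_range, control_host):
    """Compare a 227 reply with the router's forwarded passive range.

    forwarded_range: (low, high) TCP ports forwarded to the NAS.
    control_host:    address the client used for the control connection.
    """
    host, port = parse_pasv(reply)
    low, high = forwarded_range
    issues = []
    if not low <= port <= high:
        issues.append(f"data port {port} is outside forwarded range "
                      f"{low}-{high}; the data connection will time out")
    private = any(host in net for net in RFC1918)
    if private:
        issues.append(f"server advertised private address {host}; "
                      "client must use the control-connection address instead")
    return {
        "advertised_host": str(host),
        "port": port,
        "connect_to": control_host if private else str(host),
        "issues": issues,
    }


if __name__ == "__main__":
    # Constructed replies: private NAS address, and a documentation-range
    # public address (203.0.113.10) standing in for a router's WAN IP.
    print(check_pasv("227 Entering Passive Mode (192,168,1,100,117,53)",
                     (30000, 30020), "203.0.113.10"))
    print(check_pasv("227 Entering Passive Mode (203,0,113,10,216,244)",
                     (55536, 55663), "203.0.113.10"))
    print(check_pasv("227 Entering Passive Mode (192,168,1,100,117,53)",
                     (21, 21), "203.0.113.10"))
```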
Title: Re: Connecting to DNS-323 using FTP over TLS behind a router with firewall (DIR-655)
Post by: FurryNutz on August 11, 2016, 10:29:19 AM
Thank you for posting. Hope it helps future users.  ;)