
Please HELP! External SSH

Posted: Wed Nov 08, 2017 12:22 pm
by chm1980
Guys! I am having trouble getting a connection from outside my home to my Raspberry!
I am able to connect internally using port 22 and also 2222, which I had to configure as my ISP doesn't allow traffic on 22. I have a fiber converter in my home and asked my ISP to route all incoming ports from outside to my internal router.
In my router I added the following rules:
ID  Service Port  Internal Port  IP Address     Protocol  Status
1   3389          3389           192.168.0.200  All       Enabled
2   8112          8112           192.168.0.210  All       Enabled
3   5900          5900           192.168.0.210  All       Enabled
4   8080          80             192.168.0.1    All       Enabled
5   2222          22             192.168.0.210  All       Enabled
6   2121          21             192.168.0.210  TCP       Enabled
7   2100          2100           192.168.0.200  TCP       Enabled

Using an online PORT CHECK TOOL I have tried to test the connection and got the following results:
port 5900 - Open
port 2222 - Open
port 2121 - Open

Using an online TELNET tool I am getting the expected behavior, like:
SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u1 for port 2222
220 ProFTPD 1.3.5b Server (Debian) [::ffff:192.168.0.210] for port 2121
RFB 005.000 for port 5900

Weirdly, I am able to connect to Raspbian using VNC Viewer from outside; by the way, the connection is not working for FTP and SSH from the external environment using ports 2121 and 2222 respectively, even though all of them are returning open from the online testing tools. It is important to mention that internally everything is working fine. And as I am able to connect by VNC internally AND externally, I could consider the port forwarding is OK.
PS: I have a dynamic IP and am using a DDNS service; by the way, I am always testing by name and by IP and the behavior is the same both ways.

I am confused about this, it doesn't make sense to me! Please help!!!!
Thank you all in advance!!!

Re: Please HELP! External SSH

Posted: Thu Nov 09, 2017 7:48 am
by ghans
Does your router support NAT hairpin / loopback ?

ghans

Re: Please HELP! External SSH

Posted: Thu Nov 09, 2017 9:46 am
by chm1980
Hi Ghans, thank you for your reply...
Actually I am using a TP-LINK TL-WR841N and I have an option for port forwarding. There is no additional option like hairpin / loopback... And sincerely I am not sure whether this meets my need or not.

Additionally I have tested it on an online FTP tool (https://ftptest.net) and got the following return, which may help to determine the root cause.

Warning: Plaintext FTP is insecure. You should use explicit FTP over TLS.
Warning: Selected port (2121) is not the default port (21) of the selected protocol.
Status: Resolving address of mydomain.ddns.net
Status: Connecting to xxx.xx.94.6
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220 ProFTPD 1.3.5b Server (Debian) [::ffff:192.168.0.210]
Command: CLNT https://ftptest.net on behalf of 64.215.22.96
Reply: 500 CLNT not understood
Command: USER userx
Reply: 331 Password required for userX
Command: PASS ****
Reply: 230 User userX logged in
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Features:
Reply: TVFS
Reply: SITE COPY
Reply: MFMT
Reply: LANG en-US.UTF-8*;en-US
Reply: SIZE
Reply: SITE MKDIR
Reply: MFF modify;UNIX.group;UNIX.mode;
Reply: REST STREAM
Reply: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Reply: UTF8
Reply: EPRT
Reply: SITE SYMLINK
Reply: EPSV
Reply: SITE UTIME
Reply: MDTM
Reply: SITE RMDIR
Reply: 211 End
Command: PWD
Reply: 257 "/home/userx" is the current directory
Status: Current path is /home/userx
Command: TYPE I
Reply: 200 Type set to I
Command: PASV
Reply: 227 Entering Passive Mode (10,0,0,2,164,43).
Error: Server returned unroutable private IP address in PASV reply

And as resolution the following information was included:

Error: Server returned unroutable private IP address in PASV reply
•Make sure the server is configured to allow passive mode connections.
•If the server is behind a NAT router, make sure the server knows its external IP address.
•The range of ports used for passive mode must be opened in all involved firewalls.
•The range of ports used for passive mode must be forwarded by all involved NAT routers.
•Try uninstalling all firewalls and plug your computer directly into your modem, thus bypassing the router.

Any thoughts?

Thank you in advance
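
The last lines of that log are the actual failure, and the check the tool applied is easy to reproduce. The following Python is an added example, not code from the original thread or from ftptest.net: it parses 227 (PASV) and 229 (EPSV) replies and flags a data-channel address that a client on the Internet cannot route to. The first sample reply is copied from the log above; the other two replies and the 203.0.113.1 control-connection address are constructed for the example.

```python
"""
Parse FTP passive-mode replies and flag data-channel addresses that a remote
client cannot reach. Reproduces the check behind ftptest.net's message
"Server returned unroutable private IP address in PASV reply".
Added example; not code from the original thread.
"""
import ipaddress
import re

# Constructed samples. The first line is copied verbatim from the thread's log;
# the other two are made up to exercise the remaining branches.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,0,0,2,164,43).",
    "227 Entering Passive Mode (203,0,113,10,195,80).",
    "229 Entering Extended Passive Mode (|||50010|)",
]

# RFC 959: 227 carries h1,h2,h3,h4,p1,p2 and port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: 229 carries only the port; the client reuses the control host.
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")

# Address space that is not routable from the public Internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this net"
)]


def parse_passive_reply(reply, control_host=None):
    """Return the (host, port) the server announces for the data connection."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        # EPSV gives no address: the data connection goes to the same host
        # the control connection was opened to.
        return control_host, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def is_unroutable(host):
    """True when a client on the Internet cannot open a connection to host."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in NON_PUBLIC)


def check_reply(reply, control_host=None):
    """Parse one passive-mode reply and report whether the data channel
    address is usable from outside the NAT."""
    host, port = parse_passive_reply(reply, control_host)
    return {"host": host, "port": port, "unroutable": is_unroutable(host)}


if __name__ == "__main__":
    # 203.0.113.1 stands in for the public address the DDNS name resolves to.
    for r in SAMPLE_REPLIES:
        print(r, "->", check_reply(r, control_host="203.0.113.1"))
```

Run against the first sample, the result is host 10.0.0.2, port 42027, unroutable: the server announces an address that is only meaningful inside the home network, and it is not even the 192.168.0.210 that the 220 banner shows for the Pi. That is why the login on 2121 succeeds (only the control channel is forwarded) and the session then dies at PASV. On the ProFTPD side the usual fix is MasqueradeAddress set to the public name or address and PassivePorts set to a fixed range, with that range forwarded on the router exactly like 2121; with EPSV the client reuses the control host, but the port range still has to be forwarded. SFTP needs only the single SSH port, which is why it is so much easier to forward.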

Re: Please HELP! External SSH

Posted: Thu Nov 09, 2017 12:34 pm
by ghans
If your router doesn't support NAT hairpinning, you will not be able to test your port forwards properly. You must use a smartphone over 3G or public WiFi at Starbucks/your library/a friend's etc.

Secondly, use SFTP instead of FTP. It is much more secure and much easier to port forward/firewall.

ghans

Re: Please HELP! External SSH

Posted: Thu Nov 09, 2017 2:47 pm
by chm1980
Hi Ghans,

It could be the features you have mentioned in the router. Otherwise, I have been looking for that and there are many routers with simple port forwarding, and it looks like particular options such as NAT with loopback etc. are present only in devices designed for enterprise environments, not for home usage like my case. I am in doubt about this.
Is there any test we can do that can indicate this is the cause of my not being able to connect by FTP and SSH externally? I am able to connect by VNC using port 5900, which also needs external-to-internal and vice-versa communication traffic, and this is the point: why could I easily make VNC work, and why is this not possible for SSH and FTP, supposing the forwarding I set in the router was sufficient to allow this communication?

Thank you for the help.

Cesar

Re: Please HELP! External SSH

Posted: Thu Nov 09, 2017 3:03 pm
by jbudd
Do you have a mobile phone with data and portable hotspot feature?

I use Mobaxterm on my PC as an ssh client, no doubt Putty is similar.
My router is set up for port forwarding - external port 2222 to internal port 22

When the PC is connected to my home WiFi

ssh -p 2222 pi@MyDevice.duckdns.org
gives an error "Connection reset by [IP address]"
But if I connect it instead to my phone portable hotspot it connects and I can log in.

(I guess this is my router failing NAT hairpinning?)

Re: Please HELP! External SSH

Posted: Sat Nov 11, 2017 4:59 pm
by adimiller
Specifically for ssh, you may consider using https://www.dataplicity.com. It gives you ssh access to your pi without opening ports or even knowing your IP. It wouldn't work for other services though.