FTP issue - PORT command with passive mode

Post by *piotr80 »

I'm trying to connect to a server over FTPS - passive mode. It's failing. With the same server, it does connect in passive without encryption. And I found why.

This is the encrypted connection attempt, FTP logs from vsftpd:

FTP command: Client "97.182.**.**", "PASV"
FTP response: Client "97.182.**.**", "227 Entering Passive Mode (184,103,147,26,35,138)."
FTP command: Client "97.182.**.**", "PORT 192,168,0,102,239,246"
FTP response: Client "97.182.**.**", "500 Illegal PORT command."

So first of all, is PORT correct for passive mode? Then, Total Commander is requesting PORT with a local IP which fails.

Now with a non-encrypted mode (FTP), it goes through (with over 10 seconds delay after the 227 response from the server), but ONLY because the local address requested by TC is translated by the local router to the external one (i.e. TC is requesting the same 192.168.0.102 but the vsftpd logs show the public IP). So I would think TC is wrong in two ways: one, requesting PORT after PASV (although I'm just guessing here), and second, requesting a local address (I can't find a way to set it up otherwise).

Is there a way to fix it?

Re: FTP issue - PORT command with passive mode

Post by *ghisler(Author) »

TC switches to PORT (active) mode when passive mode fails, e.g. when the FTP server returns an IP address and port to connect which are not accessible.
1. Is 184.103.147.26 the correct server IP address?
2. Since it works without encryption, it probably means that there is some kind of firewall between the client and the server which listens on the FTP control connection and opens the necessary ports for the data connection. This doesn't work when the control connection is encrypted because the firewall can't see what's happening. Therefore you would have to:
- set the range of passive ports in the FTP server, at least 1000 ports, e.g. port 10000-11000.
- allow "TCP in" for these ports in the firewall
Author of Total Commander
https://www.ghisler.com
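
Added example, not part of either post and not code from vsftpd or Total Commander: a small decoder for the h1,h2,h3,h4,p1,p2 tuples in the log above (port = p1*256 + p2), flagging a private address in PORT and a passive port outside the firewall-allowed range. The function names are hypothetical, and the 10000-11000 range is the example range from the reply, assumed here to be what the firewall allows.

```python
import ipaddress
import re

# Log lines as posted in the thread (client IP masked in the original).
SAMPLE_LOG = """\
FTP command: Client "97.182.**.**", "PASV"
FTP response: Client "97.182.**.**", "227 Entering Passive Mode (184,103,147,26,35,138)."
FTP command: Client "97.182.**.**", "PORT 192,168,0,102,239,246"
FTP response: Client "97.182.**.**", "500 Illegal PORT command."
"""

LINE = re.compile(r'FTP (command|response): .*"([^"]*)"\s*$')
SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_endpoint(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if absent or a byte > 255."""
    m = SIX.search(text)
    if not m or any(int(x) > 255 for x in m.groups()):
        return None
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def audit(log, pasv_range=(10000, 11000)):  # range is an assumption, see lead-in
    """Return (verb, ip, port, issues) for each data-channel endpoint in the log."""
    out = []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        kind, msg = m.groups()
        if kind == "response" and msg.startswith("227 "):
            verb = "PASV-reply"      # endpoint the server asks the client to dial
        elif kind == "command" and msg.upper().startswith("PORT "):
            verb = "PORT"            # endpoint the client asks the server to dial
        else:
            continue
        ep = decode_endpoint(msg)
        if ep is None:
            continue
        ip, port = ep
        issues = []
        if ipaddress.ip_address(ip).is_private:
            issues.append("private address, not routable across NAT")
        if verb == "PASV-reply" and not pasv_range[0] <= port <= pasv_range[1]:
            issues.append("port outside firewall-allowed passive range")
        out.append((verb, ip, port, issues))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```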