Ftp – Why is vsftpd (behind firewall) returning its internal ip address for the pasv address

Tags: ftp; ip; nat; vsftpd

I'm using vsftpd on a Debian server behind another Debian firewall. The natting is correct and I can connect to the ftp server from the outside. However, when the client issues the PASV command, the ftp server returns its internal IP (192.168.0.19).

I do not have the pasv_address directive set inside the conf file so that "the address is taken from the incoming connected socket" (copied out of the manual). It seems to me that when an external client issues PASV, the firewall's external IP address should be returned, and when an internal client connects, the internal FTP server's IP should be returned.

When I set the pasv_address directive to the firewall's external IP, everything works externally but then it breaks internally. When I either set it to the internal IP address or comment out the pasv_address, the internal clients work but the external ones don't.

Anyone have any insight there?

Edit 1: Here is the server-side log file:

Thu Sep  7 10:36:15 2017 [pid 9093] FTP command: Client "x.x.x.x", "USER yyy"
Thu Sep  7 10:36:15 2017 [pid 9093] [yyy] FTP response: Client "x.x.x.x", "331 Please specify the password."
Thu Sep  7 10:36:15 2017 [pid 9093] [yyy] FTP command: Client "x.x.x.x", "PASS <password>"
Thu Sep  7 10:36:15 2017 [pid 9092] [yyy] OK LOGIN: Client "x.x.x.x"
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP response: Client "x.x.x.x", "230 Login successful."
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP command: Client "x.x.x.x", "OPTS utf8 on"
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP response: Client "x.x.x.x", "200 Always in UTF8 mode."
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP command: Client "x.x.x.x", "PWD"
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP response: Client "x.x.x.x", "257 "/""
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP command: Client "x.x.x.x", "CWD /DownloadProduction/"
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP response: Client "x.x.x.x", "250 Directory successfully changed."
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP command: Client "x.x.x.x", "TYPE A"
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP response: Client "x.x.x.x", "200 Switching to ASCII mode."
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP command: Client "x.x.x.x", "PASV"
Thu Sep  7 10:36:15 2017 [pid 9094] [yyy] FTP response: Client "x.x.x.x", "227 Entering Passive Mode (192,168,0,19,192,27)."

Edit 2: I was able to get this working using ProFTPD. Here is the serverfault case for that: ProFTPd server behind firewall returns internal IP address for WAN and LAN connections
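The 227 line in the log above is exactly the reply a client has to parse to find the data port, and it is where the NAT problem shows up: the address inside the parentheses is 192.168.0.19 while the client reached the server on a public address. The following added example (not code from the question, the answer or vsftpd) parses such a reply, computes the port (192*256+27), flags an RFC 1918 address advertised to a non-RFC 1918 peer and substitutes the control-connection peer the way clients such as curl's `--ftp-skip-pasv-ip` do, and formats the reply the server would have sent with an external `pasv_address`. The client address 203.0.113.45 and the firewall address 203.0.113.1 are constructed stand-ins for the masked x.x.x.x.

```python
"""Check a vsftpd 227 (PASV) reply against the control connection's peer address.

Added example, not code from the question, the answer or the vsftpd project.
The 227 sample is the line from the question's log; the peer address is a
constructed RFC 5737 documentation address standing in for the masked x.x.x.x.
"""
import ipaddress
import re

# Constructed sample data (the 227 line is copied from the question's log).
SAMPLE_CONTROL_PEER = "203.0.113.45"          # stands in for x.x.x.x
SAMPLE_227 = "227 Entering Passive Mode (192,168,0,19,192,27)."

# RFC 1918 ranges, i.e. the addresses a NAT hides. Checked explicitly rather
# than via ipaddress.is_private, which also flags documentation/test ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Parse an RFC 959 '227 ... (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 in %r" % reply)
    return ip, port


def choose_data_endpoint(reply, control_peer):
    """Return (ip, port, substituted): where the client should connect for data.

    Client-side fallback (what curl's --ftp-skip-pasv-ip does): if a server
    behind NAT advertises an RFC 1918 address to a client that reached it on a
    non-RFC 1918 address, the advertised address is unreachable from here, so
    dial the control-connection peer on the advertised port instead. Inside the
    LAN (both sides private) the advertised address is used as-is.
    """
    ip, port = parse_pasv(reply)
    if ip != control_peer and is_rfc1918(ip) and not is_rfc1918(control_peer):
        return control_peer, port, True
    return ip, port, False


def build_227(ip, port):
    """Format the 227 reply a server sends for ip:port (what pasv_address yields)."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return "227 Entering Passive Mode (%s,%d,%d)." % (
        ",".join(octets), port // 256, port % 256)


if __name__ == "__main__":
    ip, port, subst = choose_data_endpoint(SAMPLE_227, SAMPLE_CONTROL_PEER)
    print("advertised:", parse_pasv(SAMPLE_227), "-> dial", (ip, port),
          "(substituted)" if subst else "(as advertised)")
    # Assumed firewall WAN address; this is the reply an external pasv_address gives.
    print("server should have sent:", build_227("203.0.113.1", port))
```

Running it against the logged reply shows the external client would have tried 192.168.0.19:49179; with the fallback it dials the control peer on 49179 instead, which only works if the firewall forwards that passive port range to the internal server. An internal client (control peer 192.168.0.x) keeps the advertised address, matching the behaviour the question describes.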

Best Answer

If you are behind an external firewall, the incoming connection actually comes from the external firewall. So the server IP address is its internal IP address. What you describe is a "correct" behavior. The FTP server is not aware (and cannot be) of the external IP address of the firewall.

What you can do is to assign two IP addresses to the FTP server. One for an external use and one for an internal use. And configure the FTP server to return the firewall external IP address for connections on the external IP address; and internal IP address for connections on the internal IP address.

Though I'm not sure if vsftpd allows such a configuration. ProFTPD does.
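vsftpd can be set up the way the answer describes by running two instances, each bound to one of the server's two addresses with `listen_address` and each with its own `pasv_address` and passive port range. The fragments below are an added example, not configuration from the answer or the vsftpd project; the addresses (192.168.0.19 internal, 192.168.0.20 second internal address, 203.0.113.1 firewall WAN side), the port ranges and the file names are assumptions.

```ini
# /etc/vsftpd-int.conf  (assumed file name) -- instance for LAN clients
listen=YES
listen_address=192.168.0.19
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50099
# No pasv_address: the address of the listening socket (192.168.0.19) is
# advertised, which is what LAN clients need.

# /etc/vsftpd-ext.conf  (assumed file name) -- instance reached through the NAT
listen=YES
listen_address=192.168.0.20
pasv_enable=YES
pasv_min_port=50100
pasv_max_port=50199
# Advertise the firewall's WAN address instead of the socket's own address.
pasv_address=203.0.113.1
# If the WAN address is dynamic, give a hostname here and set
# pasv_addr_resolve=YES so vsftpd resolves it at startup.
```

Each instance is started with its config path as the argument (`vsftpd /etc/vsftpd-ext.conf`), which on Debian means a second service unit alongside the packaged one. The firewall must DNAT TCP 21 and 50100-50199 to 192.168.0.20, and 50100-50199 must be reachable from outside, otherwise the data connection fails after the (now correct) 227 reply. The alternative that keeps a single instance is to let the Linux firewall rewrite the 227 payload itself with the FTP connection-tracking helper (nf_conntrack_ftp and nf_nat_ftp); that helper also opens the data port per transfer, but it only sees the address if the control channel is not TLS-encrypted.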