FTP Passive Mode Routing Error in FileZilla: Fixing “Unroutable Address” Server Response



When FileZilla shows the "Server sent passive reply with unroutable address" warning, the cause is an address mismatch in FTP passive mode. The server is advertising its internal network address (like 192.168.x.x or 10.x.x.x) in the PASV response, and the client can't route to that address from outside the server's network.

Command: PASV
Response: 227 Entering Passive Mode (192,168,1,100,195,149)

A certificate prompt may appear at the same time. It might seem related, but it's actually a red herring. The sudden appearance of certificate verification suggests either:

  • The server recently enabled FTP over SSL/TLS (not SFTP)
  • FileZilla's certificate cache was cleared

Let's examine the actual network traffic using Wireshark. Here's what to look for in the packet capture:

FTP Control Channel:
Server: 220 FTP Server Ready
Client: USER username
Server: 331 Password required
Client: PASS ******
Server: 230 Login successful
Client: PASV
Server: 227 Entering Passive Mode (10,0,0,5,204,178)  <-- Problem here!

For server admins, the fix involves configuring the FTP server to advertise its external IP:

# For vsftpd (Linux)
pasv_address=your.public.ip.address
pasv_addr_resolve=YES
pasv_min_port=50000
pasv_max_port=51000

# For FileZilla Server (Windows)
<PassiveMode>
  <UseCustomPortRange>1</UseCustomPortRange>
  <CustomPortRangeMin>50000</CustomPortRangeMin>
  <CustomPortRangeMax>51000</CustomPortRangeMax>
  <UseExternalIP>1</UseExternalIP>
  <ExternalIP>your.public.ip.address</ExternalIP>
</PassiveMode>

When you can't modify server configuration, try these FileZilla settings:

  1. Go to Edit → Settings → Connection → FTP
  2. Enable "Fall back to active mode"
  3. Or enable "Ask your operating system for the external IP address"

For networks using NAT, you might need port forwarding rules like:

# Sample iptables rules for Linux NAT
iptables -t nat -A PREROUTING -p tcp --dport 50000:51000 -j DNAT --to-destination 10.0.0.5
iptables -A FORWARD -p tcp -d 10.0.0.5 --dport 50000:51000 -j ACCEPT

For quick testing without GUI tools, use this cURL command to verify passive mode:

curl -v --disable-epsv --ftp-pasv ftp://username:password@yourserver.com/

When connecting to an FTP server using passive mode in FileZilla, you might encounter this specific error message:

Server sent passive reply with unroutable address. Using server address instead.

This typically occurs when:

  • The FTP server returns an internal (NAT) IP address in its PASV response
  • There's a misconfiguration in the server's passive mode settings
  • A certificate prompt appears unexpectedly for a previously accessed server

The FTP protocol's passive mode requires the server to send its IP address for data connections. When the server is behind NAT (like 192.168.x.x or 10.x.x.x), FileZilla detects this as "unroutable" and falls back to the server's public IP.

The certificate prompt suggests either:

1. Server SSL/TLS configuration changed
2. Local certificate store was modified
3. Proxy or MITM interference

For administrators, the proper solution is to configure the FTP server with:

# vsftpd.conf example
pasv_address=your.public.ip.address
pasv_min_port=50000
pasv_max_port=51000
pasv_enable=YES
pasv_addr_resolve=YES

For ProFTPD:

PassivePorts 50000 51000
MasqueradeAddress your.public.ip.address

If you can't modify server configuration, try these FileZilla settings:

  1. Go to Edit > Settings > Connection > FTP
  2. Under "Passive mode", select "Fall back to active mode"
  3. Alternatively, enable "Ask your operating system for the external IP address"

To handle certificate issues:

Site Manager > Select your site > FTP
Set Encryption to "Require explicit FTP over TLS"
Click "Allow fall back to plain FTP" if needed

To verify the server's behavior, use these terminal commands:

# Test basic FTP connection
telnet ftp.example.com 21
USER username
PASS password
PASV

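# Inspect the response: a correctly configured server returns its public IP.
# A private address like the one below confirms the misconfiguration.
227 Entering Passive Mode (192,168,1,1,195,138)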
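The same check can be scripted. This is an added example, not part of the original article: it parses a 227 reply, computes the data port as p1*256+p2, compares it with the 50000-51000 range configured above, and applies the fallback FileZilla describes. The list of unroutable networks, the function names and the 203.0.113.10 peer address are assumptions for illustration.

```python
import ipaddress
import re

# Passive port range used in this page's server and firewall examples.
PASV_PORTS = range(50000, 51001)
# Assumption: "unroutable" means RFC 1918, loopback, link-local or CGNAT space.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range: {reply!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def is_unroutable(ip):
    return any(ip in net for net in UNROUTABLE)


def check_pasv(reply, control_peer):
    """Classify a PASV reply and choose the host for the data connection."""
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    findings = []
    # A private address is only a problem when the client reached the server
    # over a routable one; on the same LAN it is the correct answer.
    fallback = is_unroutable(ip) and not is_unroutable(peer)
    if fallback:
        findings.append("unroutable address")
    elif ip != peer:
        findings.append("address differs from control peer")
    if port not in PASV_PORTS:
        findings.append("port outside passive range")
    data_host = peer if fallback else ip
    return {"advertised": str(ip), "port": port,
            "data_host": str(data_host), "findings": findings}


if __name__ == "__main__":
    # Constructed check: a reply from this page, peer from documentation space.
    print(check_pasv("227 Entering Passive Mode (10,0,0,5,204,178)", "203.0.113.10"))
```

A reply that is flagged for both the address and the port means fixing the advertised IP alone is not enough: the server is also handing out ports the firewall rules do not forward.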

For developers automating FTP transfers, here's how to handle this in Python:

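import ipaddress
from ftplib import FTP

class FixedFTP(FTP):
    """FTP client that ignores a private address in the PASV reply."""

    def makepasv(self):
        host, port = super().makepasv()
        # is_private also covers 172.16.0.0/12, which a prefix check on
        # '192.168.' and '10.' misses.
        if ipaddress.ip_address(host).is_private:
            # Reuse the address the control connection is actually using.
            host = self.sock.getpeername()[0]
        return host, port

# Recent Python releases already ignore the PASV address by default
# (FTP.trust_server_pasv_ipv4_address is False), so the override only
# matters on older interpreters.
ftp = FixedFTP()
ftp.connect('ftp.example.com', 21)
ftp.login('user', 'pass')
ftp.retrlines('LIST')  # Data connection goes to the control peer's address
ftp.quit()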

For PHP developers:

$conn = ftp_connect("ftp.example.com");
if ($conn === false || !ftp_login($conn, "user", "pass")) {
    exit("FTP connection or login failed\n");
}

// Workaround for unroutable addresses: ignore the IP in the PASV reply and
// reuse the control connection's address. Set the option before turning
// passive mode on.
ftp_set_option($conn, FTP_USEPASVADDRESS, false);
ftp_pasv($conn, true); // Enable passive mode

// Your file operations here
ftp_close($conn);

Ensure these ports are open on both server and client firewalls:

  • Control connection: TCP 21 (or your custom port)
  • Passive mode range: TCP 50000-51000 (or your configured range)
  • Outbound connections from client