Is there any chance that any of the plugins I've installed could be affecting my TC being now unable to connect to a ftp site?
This is what I get in the end:
[...]
Get directory
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (#####)
PORT 192,168,xx,xx,16,194
500 I won't open a connection to 192.168.xx.xx (only to MY_EXTERNAL_IP_HERE)
QUIT
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
[...]
I'm asking because plugins are about the only thing that was changed/updated lately on my side (whereas my provider says they didn't change anything).
When you're behind NAT and the FTP client sends a PORT command, the NAT device rewrites the address to the public one. But with an encrypted connection that's not possible, because, well, the connection is encrypted and the NAT device can't change anything. :)
Edit: On second look, you already seem to use passive mode (PASV command), but it fails for some reason and TC then tries active mode (PORT command). So you need to figure out why passive mode fails. There can be many reasons. You can have a firewall blocking outgoing connections, or even the server can be misconfigured.
I tried both passive and active. Nothing was changed on either side, network-wise, since I was last able to use it. I only updated a few plugins in TC.
Things sometimes break unintentionally. I think other plugins can't affect this. If you want to be sure, just try to run TC with clean .ini files (= without any plugins) and you'll see if it changes anything:
Switching between passive and active mode won't help you much now, because it's always "try the selected one and if it fails, try the other one rather than failing immediately". And your log shows PASV immediately followed by PORT, which means that the passive mode connection failed and TC went back to active (and active mode can't work with FTPS and NAT without additional settings).
You could also set up port forwarding for active mode (set the external IP address and port range in TC's settings and then forward the same ports at the NAT router). But it's a quick workaround rather than a proper solution.
Yep, confirmed, it's not the plugins. I tried with a clean TC on another computer - the same thing. And I tried WinSCP (with FTP / TLS Explicit encryption setting) on this one - the same "I won't open a connection to ... (only to ....)" error was reported.
Which makes things even weirder. I'll try connecting to another FTPS server if I can find one, to see whether it's the server's fault after all, or start chasing ghosts if it's not the server.
It's not weirder at all. WinSCP seems to use active mode by default. So it sends a PORT command with the internal address. And it must fail, it's the correct behaviour (with FTPS and NAT). But the more interesting thing is that WinSCP does not use a fallback like TC does. So try to select passive mode in the settings (to be sure that only the PASV command is sent) and connect again. It will either work or you'll get some different error.
As another server you can try ftps://ghisler.ch that I found mentioned somewhere else in this forum.
Yes, you can try ftps://ghisler.ch - no uploads possible, but sufficient for connection tests.
Usually when passive mode fails it's a problem with a firewall on the SERVER side. If you use a firewall like iptables, you have to
- allow access by TCP from the outside to a port range, e.g. 50000-55000 (at least 1000 ports, the more the better)
- define the same port range in the ftp server software for data connections
If you are on shared hosting, it's possible that the hoster has turned on the firewall. You need to make a support request to enable ftp via passive mode.
If FTP works but FTPS doesn't, then the server may be using so-called "stateful packet inspection" firewall. It listens on the control connection to see the requested ports, and opens only those. However, when the control connection is encrypted, the firewall cannot see the requested ports, and cannot open them. The only solution really is to allow a fixed port range (see above). That's exactly what I did on ghisler.ch.
Yes, as I wrote, he needs to:
- allow access by TCP from the outside to a port range, e.g. 50000-55000 (at least 1000 ports, the more the better)
- define the same port range in the ftp server software for data connections. For pure-ftpd, all he needs to do is add a line to pure-ftpd.conf:
PassivePortRange 50000 55000
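The two posts above (the iptables port range and the matching pure-ftpd.conf line) describe one server-side fix. The script below is an added example, not code from the thread or from pure-ftpd; it checks a candidate passive range against the rule of thumb given above (at least 1000 ports, above the privileged range) and prints the two pieces of configuration that must agree. The config path /etc/pure-ftpd/pure-ftpd.conf and the use of the iptables filter INPUT chain are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example (not from the forum thread): validate a passive data-port
# range and print the pure-ftpd and iptables settings that must match.
# Assumptions: pure-ftpd reads /etc/pure-ftpd/pure-ftpd.conf and the
# firewall is iptables with rules in the filter INPUT chain.

# check_passive_range START END -> 0 if the range is usable, 1 otherwise
check_passive_range() {
    start=$1; end=$2
    [ -n "$start" ] && [ -n "$end" ] || { echo "usage: START END" >&2; return 1; }
    case "$start$end" in *[!0-9]*) echo "ports must be numeric" >&2; return 1;; esac
    # stay clear of privileged ports and the top of the port space
    [ "$start" -ge 1024 ] && [ "$end" -le 65535 ] || { echo "range must lie within 1024-65535" >&2; return 1; }
    [ "$end" -gt "$start" ] || { echo "END must be greater than START" >&2; return 1; }
    # rule of thumb from the thread: at least 1000 ports, more is better
    [ $((end - start + 1)) -ge 1000 ] || { echo "range too small: need at least 1000 ports" >&2; return 1; }
    return 0
}

# pureftpd_line START END -> the line to add to pure-ftpd.conf
pureftpd_line() { printf 'PassivePortRange %s %s\n' "$1" "$2"; }

# iptables_rule START END -> the rule that admits inbound data connections
# to exactly that range (a fixed range is needed because with FTPS the
# firewall cannot read the PASV reply to open ports on demand)
iptables_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# print_passive_config START END -> both settings, or non-zero status and
# nothing on stdout if the range is unusable
print_passive_config() {
    check_passive_range "$1" "$2" || return 1
    echo "# add to /etc/pure-ftpd/pure-ftpd.conf (assumed path)"
    pureftpd_line "$1" "$2"
    echo "# run as root on the server"
    iptables_rule "$1" "$2"
}

# usage: ./passive_range.sh 50000 55000 (defaults to the thread's example range)
print_passive_config "${1:-50000}" "${2:-55000}"
```

Keep the two values in lockstep: a range opened in the firewall but not configured in pure-ftpd leaves the server handing out ports the firewall drops, which is exactly the "PASV then PORT" fallback seen in the log above. On a stateful firewall the conntrack FTP helper can only track plain FTP, since the PASV reply is inside the TLS session, so the fixed range is the supported setup for FTPS.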