D-Link Forums

The Graveyard - Products No Longer Supported => D-Link Storage => DNS-323 => Topic started by: P01arBear on October 18, 2009, 04:27:20 PM

Title: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 18, 2009, 04:27:20 PM
Hi people,

I just finished setting up my DNS-323...I tryed to configure the FTP server and access with my IP (to figure out if it would work for people outside the network). It keeps giving me this message;

(http://moe.mabul.org/up/moe/2009/10/19/img-012236mwsrf.png)

Funny thing is, I only created one account with full R/W access from root. What is even more weird is that, I can log on by using my LAN IP without a problem. I tryed to disable SPI firewall, still no change. And yes, I've set up a virtual server (port 21, also tryed with 20) with static ip.

Any suggestions?

Thanks

PS: Is 1.06 a good FW or should I jump to 1.07? Does 1.07 have new utilities other than supporting Hitachi HDD?

Update; I'm behind a DIR-655 router, I'm suspecting it might be a problem from the router itself...Bad FW flash.
Title: Re: Just another case of FTP access error...
Post by: P01arBear on October 18, 2009, 10:59:50 PM
After reading on the web about similar problems for the past 4-5 hours...

Correct me if I'm wrong but the problem is from the out going information on port 20 wich is bloqued by the router and this can ONLY be corrected with funplug.

If D-Link hasn't took the time to test products and make sure that they are compatible with each other, then my DNS323 is back in the box and refunded in the next hour. I'm not interested at all in 3rd party plugins like fun_plug.

Hope I'm wrong.


Title: Re: Just another case of FTP access error...
Post by: Clayton on October 18, 2009, 11:20:10 PM
FTP software configuration error no doubt, have you tried open IE and typing in ftp://(your wan ip address)
Title: Re: Just another case of FTP access error...
Post by: Clayton on October 18, 2009, 11:21:54 PM
Also jump to firmware 1.08b5
Title: Re: Just another case of FTP access error...
Post by: fordem on October 19, 2009, 05:13:18 AM
Correct me if I'm wrong but the problem is from the out going information on port 20 wich is bloqued by the router and this can ONLY be corrected with funplug.

I'd say you're wrong - but then you expect to give you the details as to the hows & whys, which I don't particularly feel like doing, so let me put it this way ...

1) your router won't block ANY outgoing connection UNLESS you specifically tell it to.
2) mine works without using fun_plug.
3) research active & passive mode ftp - as a matter of fact - research ftp in general

And to give you a further hint as to which area to focus on - there is a higher than average probability that the ftp connection which you think is being blocked by your router is actually being blocked by the router at the client side.
Title: Re: Just another case of FTP access error...
Post by: P01arBear on October 19, 2009, 05:28:16 AM
FTP software configuration error no doubt, have you tried open IE and typing in ftp://(your wan ip address)

When I use the wan IP, it works fine. That is why I'm guessing the problem is from the router, because when I use my web IP, then it blocks.

Also jump to firmware 1.08b5
Have put on 1.07, but will try 1.08 today. Thanks!

Quote from: fordem
I'd say you're wrong - but then you expect to give you the details as to the hows & whys, which I don't particularly feel like doing, so let me put it this way ...

1) your router won't block ANY outgoing connection UNLESS you specifically tell it to.
2) mine works without using fun_plug.
3) research active & passive mode ftp - as a matter of fact - research ftp in general

And to give you a further hint as to which area to focus on - there is a higher than average probability that the ftp connection which you think is being blocked by your router is actually being blocked by the router at the client side.

Well, if I'm going with this idea, it's because it is said on most forums than the DNS-323 cannot fonction without fun_plug behind a DIR-655 router for the reason mentionned above. I've searched active and passive mode, and still...On the forums they say the only way the DNS-323 can be changed is by using fun_plug. I don't see "how" the client could be blocking since, there are very few settings to change on the DNS-323 at first sight, and I've flashed both my DNS-323 and DIR-655 with no change from the factory settings...The ONLY rule I've set up was a virtual server on port 21 towards my DNS-323. On the other hand, I'm glad to hear you have yours working without the fun_plug.

Like I said, I hope I'm wrong. I'll try FW 1.08 after work.

Thanks, keep the info coming.
Title: Re: Just another case of FTP access error...
Post by: gunrunnerjohn on October 19, 2009, 05:31:41 AM
I've used FTP over the Internet from my DNS-323 through my Actiontec MI424WR Verizon FiOS router without any problems.  All I did was forward port 21 to allow access to it.
Title: Re: Just another case of FTP access error...
Post by: P01arBear on October 19, 2009, 06:29:02 AM
I've used FTP over the Internet from my DNS-323 through my Actiontec MI424WR Verizon FiOS router without any problems.  All I did was forward port 21 to allow access to it.

It might be specific to DIR-655 router. I was thinking about SPI firewall that would create a conflict, but when disabled still had the same problem.

Wich firmware are you using on the DNS? I've seen that on 1.08 you can edit the passive ports, that might help but I'll check it after work.
Title: Re: Just another case of FTP access error...
Post by: gunrunnerjohn on October 19, 2009, 06:38:43 AM
Well, I have 8.08b5, but I've been using FTP for a long time, I know it worked fine with 1.06.

You can edit the passive ports on 1.08, but I left mine at the defaults.


Title: Re: Just another case of FTP access error...
Post by: P01arBear on October 19, 2009, 06:43:53 AM
So then I guess the problem is really from the router itself, wich I assumed since it was accessible with my wan IP but not from my web IP.


Maybe a tech could try a DNS behind a DIR-655 and give me tips? Would appreciate it.

Actual settings:
Router DIR-655 FW 1.21, only rule is virtual server port 21 towards the DNS. SPI active, DHCP reserve for DNS.
DNS-323 FW 1.07, has only 1 ftp account with full access R/W.
Title: Re: Just another case of FTP access error...
Post by: gunrunnerjohn on October 19, 2009, 06:48:35 AM
Well, D-Link should have both of those pieces in-house for a test.  ;D
Title: Re: Just another case of FTP access error...
Post by: P01arBear on October 19, 2009, 07:55:08 AM
Well, D-Link should have both of those pieces in-house for a test.  ;D

Well, that is kind of what I'm hoping for...
Title: Re: Just another case of FTP access error...
Post by: fordem on October 19, 2009, 08:04:44 AM
When I use the wan IP, it works fine. That is why I'm guessing the problem is from the router, because when I use my web IP, then it blocks.

What do YOU mean by wan ip & web ip?  Most of us don't have a WAN that is not the world wide web - do you mean LAN ip and WAN ip - so to speak one internal, the other external?

Are you trying to test access using the public ip from within the same network, I would strongly suggest you test from a different public ip.

Quote
Have put on 1.07, but will try 1.08 today. Thanks!
I've been using the ftp server from outside the LAN since fw1.03, it does have quirks, but it does work.

Quote
if I'm going with this idea, it's because it is said on most forums than the DNS-323 cannot fonction without fun_plug behind a DIR-655 router for the reason mentionned above. I've searched active and passive mode, and still...On the forums they say the only way the DNS-323 can be changed is by using fun_plug. I don't see "how" the client could be blocking since, there are very few settings to change on the DNS-323 at first sight, and I've flashed both my DNS-323 and DIR-655 with no change from the factory settings...The ONLY rule I've set up was a virtual server on port 21 towards my DNS-323. On the other hand, I'm glad to hear you have yours working without the fun_plug.

Like I said, I hope I'm wrong. I'll try FW 1.08 after work.

Thanks, keep the info coming.

You see - that's the problem with fora - any one come along and post anything, and often in support related fora what you find is post from a lot of frustrated and sometimes misguided folks who don't necessarily know what they're doing, just that it doesn't work, the way they think it should.

I will make this as a statement of fact, based on personal experience - the ftp server in the DNS-323 can be accessed from the internet using active ftp with any of the firmware versions from 1.03 coming forward, without the use of any third party add-ins or tricks (I'll exclude the 1.08 betas, for no other reason than I have not tested the ftp server in those) and you should be able to do it with the DNS-323 behind any consumer grade NAT router and with only port 21 forwarded.

The potential problem areas are whether or not your ISP is blocking port 21 to prevent an ftp server from being used AND the NAT firewall router at the client side.

On a number of occasions - in this forum, and at least one other, I have offered to assist in the testing and in every case but one I was able to access the DNS-323 - so, if you'd like, PM me the URL or public ip your router is at along with the security details and I'll take a look at it.
Title: Re: Tech needed: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 19, 2009, 08:50:17 AM
Could you explain how to switch the modes of ftp Active/Passive? I don't see anything about that.

When I mentioned WAN IP, i meant my external - public IP (sorry, my main language is french...I'm a bit rusty). So yes, I can access it using my 192.168.0.xxx IP, but not using my public IP.

Quote from: fordem
The potential problem areas are whether or not your ISP is blocking port 21 to prevent an ftp server from being used AND the NAT firewall router at the client side.
For sure, my ISP isn't blocking the port since I was using a software ftp program before with no problem. But about the NAT client side settings, how do I set that up? I've put rules in exept virtual server port 21 towards the DNS.

Thanks for the info
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 19, 2009, 12:29:56 PM
The 1.08b5 software has settings for passive mode, don't know about earlier versions.  I had FTP working in earlier versions, but I just turned it on and it worked, so I didn't anguish over the detailed settings. :)
Title: Re: Tech needed: DNS-323 FTP behind DIR-655 router problem
Post by: fordem on October 19, 2009, 01:38:25 PM
Could you explain how to switch the modes of ftp Active/Passive? I don't see anything about that.

When I mentioned WAN IP, i meant my external - public IP (sorry, my main language is french...I'm a bit rusty). So yes, I can access it using my 192.168.0.xxx IP, but not using my public IP.
For sure, my ISP isn't blocking the port since I was using a software ftp program before with no problem. But about the NAT client side settings, how do I set that up? I've put rules in exept virtual server port 21 towards the DNS.

Thanks for the info

If I might say so - there's no need to apologise, your English is a lot better than my French.

You still haven't provided one VITAL but of information - are you trying to access the public ip from a host on the same network as the DNS-323 - if this is what you are doing, I'd suggest you test from a different public ip - it removes one more variable.

Active & passive ftp - you're using passive ftp - this can be seen from the error dialogue box in your first post, you'll need to switch modes in the ftp client that you are using.

A comment here - I dislike gui FTP clients because many of them hide the commands that they use and the responses from the server in an attempt to make things easier to use.  When they work, they work well, when they don't work, troubleshooting becomes a nightmare.  I actually use the CLI FTP client that's built into Windows as my first choice.

Maybe I should briefly define active and passive ftp ...

 - with active ftp the ftp client contacts the ftp server on port 21 and sets up the data transfer, and then the ftp server contacts the ftp client and transfers the data - the problem with active ftp is that when the ftp client is behind a firewall which does not know how to handle the incoming data connection, it discards the connection and the transfer fails.

 - passive ftp was supposed to be the cure for this firewall related issue, in that the ftp server would instruct the ftp client to make the data connection also - and this works well provided the ftp server is not behind a firewall - but - if the ftp server is behind a firewall, then both the ftp server AND the firewall now have to be configured to support passive ftp - so all we've really done is transfer the problem from client side to server side.

I'm also going to tell you here - that whilst the DNS-323 does support passive ftp, in that it recognizes the pasv command and will respond to it, the implementation is broken and it will NOT work in any firmware version prior to the 1.08 beta (which I have not tested) - active ftp does work, passive does not.

So...

1) test from outside of your network
2) change your ftp client to active and see what happens - you can use Internet Explorer as an ftp client, and you can change it from the default passive mode in Tools/Internet Options/Advanced.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 19, 2009, 04:19:32 PM
Hey I'm back!

Well, here's what I've been up to;

I got home and upgraded to 1.08, wich had a few new fonctions that I was glad to see. I set up the passive info on the DNS, but also on the router. Up to now...It works!

I'm going to kick in a few more tests with some buddies outside the network, see how it goes.

All I can say is, if someone is using a DIR-655 router and wants to access his DNS-323 from outside the network on FTP, he needs to get the 1.08 firmware and set the passive ports correctly on the rules of the router or else it will never work.

In other words, the main problem is the router not routing correctly the passive ports.

I'll come back and give you the final results after my tests.

Thanks all, appreciate it.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 19, 2009, 04:55:40 PM
Glad to hear you sorted it out. :)
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: fordem on October 19, 2009, 05:26:05 PM
In other words, the main problem is the router not routing correctly the passive ports.

Not quite - as in my previous post YOU have to configure both the router and the ftp server to match one another IF you are going to use passive ftp.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 05:32:20 AM
Not quite - as in my previous post YOU have to configure both the router and the ftp server to match one another IF you are going to use passive ftp.
Not so sure, what settings would you require for it to work like you say? You see, my router is buggued up since a few days. No mather if I change or flash the firmware or the router, it won't keep my port forwarding & application rules. They just disapear after rebooting the router, so I can't really change anything.

The fact is, the FTP still works without adding any rules. The only change is that I clicked on using my external IP when in passive mode, and since then everything works well.

The ONLY real problem now, is that the external IP doesn't update itself, that isn't much help when your IP changes when your away from your PC.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 05:37:30 AM
That's what DynDNS is for.  As far as port forwarding, that's not an issue, ports are forwarded on the LAN side, the WAN address doesn't matter.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 06:42:26 AM
I think the problem is not about port forwarding, but external IP.

I don't mean to argue, but....Maybe it does mather specificly with the DIR-655 router? I couldn't make it work with older firmwares, but since 1.08 you have additionnal settings for passive mode. If I don't check the box to use the external IP or put in the right IP, then my FTP won't work from outside the network, I've tested it. The FTP doesn't communicate correctly the external IP. Maybe there is another "better" way to set it up, but I figured out yet (and since I can't add rules on my router anymore, it's not that easy).

Like you said, I do have DynDNS. But the router doesn't return the right IP in passive mode it would seem.

All in all, I would suggest to D-Link's team to make the DNS-323 able to auto-update the external IP. In that case, it would be able to work alone.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 06:53:23 AM
I'm missing something here.  The router isn't the one that's returning the external IP address, that's determined by your ISP and provided by your modem to the router.

Are we arguing?  I thought we were just discussing the issue.  I don't have a problem, so if it pains you to talk about it, I'm gone!
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 07:03:09 AM
Sorry, I didn't mean that in a bad way (like I said, I'm french, so maybe my expression wasn't right).

I don't know if you're using FW 1.08, if not maybe you would understand better when seing it visualy. Because there is a new setting to "check" use external IP adress and then you type in your external IP.

Now, my external IP is not the problem. The problem is when I connect to my FTP in passive mode, without this function, the FTP won't work. Meaning, the external IP sent back by the DNS-323 once logued seems to be the key to this problem. Yes, it's fixed with FW 1.08 (at a some point at least). But if my ISP changes my IP, then I won't be able to access the DNS until I update my IP on the panel manualy at home. Not so useful if I'm far away and need to get into my DNS!

CLIENT [OK] -> CONNECTED TO DNS [OK] -> /!\ DNS IN PASSIVE RETURNS INFO ABOUT EXTERNAL IP /!\

Right now it's working well from my work. If I had unchecked "use external IP address in passive mode" or in that same setting of the DNS would not have typed it my correct external IP manualy, then I would be able to connect to my DNS but it would reject me with the message I first showed at the begining of this thread.

Did I explain better now? :)
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 07:13:00 AM
Maybe you need to be talking to the D-Link support on the DIR-655 router side for this issue.  As I have mentioned, my IP address has changed several times from power outages, and DynDNS handles the change just fine, and my DNS-323 has no problem with FTP connections from the Internet.  I'm not sure how I see this as a DNS-323 issue.  My FTP worked before 1.08, and it still does.  I also have a friend that has Comcast and a D-Link DIR-615, and I've accessed his DIR-323 FTP server a number of times as well.  I know he's not running 1.08, last time I checked, he was on 1.06 firmware.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 07:21:15 AM
Maybe this will also help.

My main usage will be with IE as client. I've tried with a FTP client (Filezilla), it gives me this message IF I DON'T CHECK "USE EXTERNAL IP IN PASSIVE MODE" on my DNS;
Status: Server sent passive reply with unroutable address.

DynDNS -> DNS FTP SERVER [OK]
DNS FTP SERVER -> CLIENT [OK BUT REPLIES WRONG IP -  Perhaps 192.168.0.xxx instead?]

So you see, I can connect. I just doesn't reply the correct address.

If I do check it and type in my actual IP, then it works. I figure they have added this function because of similar problems that were fixed unofficialy with fun_plug wich would do the exact same thing by giving the external IP address, but now this is added tru the D-Link panel wich I'm glad to see because I didn't want third party plugins such as fun_plug.

So right now you must be saying "Well, if it works when that's checked, keep that setting". The only problem remaining is the need to update the external IP address that the FTP server replies with if my ISP changes my IP for some reason, then I have to change it on my DNS FTP server. This is where I suggest to D-Link's team to figure out a way of making it auto-updatable so it can be independant.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 08:19:51 AM
Did you look at the DynDNS client in the DNS-323?  If that's active, maybe they use that?
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 08:25:49 AM
Did you look at the DynDNS client in the DNS-323?  If that's active, maybe they use that?

Maybe so, will try after work! But I doubt it, this function si directly in the FTP panel, the DynDNS is another panel that doesn't really interact with the ftp server.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 08:28:11 AM
Well, if the box knows the external IP address... :)

Can't hurt to enable it and see...
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 08:33:05 AM
Well, if the box knows the external IP address... :)

Can't hurt to enable it and see...


It knows it already, it just doesn't auto-update it for some reason.

When I check "USE EXTERNAL IP ADDRESS FOR PASSIVE" my external IP was already written and I didn't have to change it. Then my IP changed in the night and it didn't auto-update itself.

But, I'll try DynDNS on my DNS instead of giving that task to the router. I'll keep you up.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: fordem on October 20, 2009, 08:33:51 AM
When passive ftp is being used, the ftp server will tell the ftp client to make a data connection and it will specify an ip address and a port on which the connection is to be made - and if the ftp server is not configured correctly it will specify it's private ip address, which is what you are experiencing here..
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 08:42:21 AM
How would he change that using D-Link's configuration?  Why is it I don't see this issue using the same FTP server and the same configuration if it's a DNS-323 FTP server issue?
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 08:57:33 AM
When passive ftp is being used, the ftp server will tell the ftp client to make a data connection and it will specify an ip address and a port on which the connection is to be made - and if the ftp server is not configured correctly it will specify it's private ip address, which is what you are experiencing here..
That is precicely what I was trying to say, you just explained it more simply than I did. ^^

How would he change that using D-Link's configuration?  Why is it I don't see this issue using the same FTP server and the same configuration if it's a DNS-323 FTP server issue?
This can be changed only in firmware 1.08, older firmwares cannot change it (like 1.07). And maybe this issue is specific when behind the DIR-655 router, I don't know...Maybe a conflict with routers that have SPI firewall? I really dunno.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: fordem on October 20, 2009, 09:04:10 AM
He fixes it with that same "use external ip address for passive" check box.

Yours works because you're using active ftp - I can tell that because you said yours worked before you went to the 1.08 beta - he's using passive ftp - I can tell that from the error messages he is reporting.

Active & passive ftp are two distinctly different animals - it's either you get lucky and it works or you (not personal, but any user attempting to use ftp on a DNS-323) sit down and make a concious decision to understand how ftp works or you end up going around in circles and becoming frustrated.

It is also, at least in my opinion very important, that you (again not personal) recognize that D-Link is now fixing a "known broken" passive ftp implementation and it may still have bugs in it - I would not be surprised if the implementation was checking the "external ip" only during configuration, rather than everytime it needs to send the external ip address.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 09:08:11 AM
Quote from: fordem
would not be surprised if the implementation was checking the "external ip" only during configuration, rather than everytime it needs to send the external ip address.
Let's hope they fix this on the next firmware.  :-\
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 09:11:16 AM
You're probably right, I just enabled the FTP previously and there was no problem accessing it.  I never gave active or passive a thought, since all the folks that needed access had no problems getting in.  The only thing I ever did was forward port 21 to the DNS-323.

You have to ask yourself why not use active mode... :)
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: P01arBear on October 20, 2009, 09:14:38 AM
Quote from: gunrunnerjohn
You have to ask yourself why not use active mode... :)

Well, if it works with IE, then why not. I was using passive since most IE are by default in passive.

To get it working on IE, I think I have to go in the options, advanced and uncheck passive ftp right?

I'll also try that after work.

Edith: At my job, I can't edit IE's settings. The options are locked, so I've now got a good reason to stick with passive.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: fordem on October 20, 2009, 09:29:49 AM
You have to ask yourself why not use active mode... :)

Because active mode is known to be problematic especially when the client is behind a NAT router.  The earlier NAT routers did not know how to "fixup" the ftp protocol - and believe it or not - "fixup" is an actual Cisco command.
Title: Re: DNS-323 FTP behind DIR-655 router problem
Post by: gunrunnerjohn on October 20, 2009, 10:35:52 AM
I guess we all have "newer" routers. :)