
Author Topic: FTP on 323 - unroutable address  (Read 22373 times)

ttmcmurry

  • Level 4 Member
  • ****
  • Posts: 438
FTP on 323 - unroutable address
« on: November 05, 2008, 07:12:10 AM »

I've been reading up on other posts about this subject:

http://forums.dlink.com/index.php?topic=2263.0
http://forums.dlink.com/index.php?topic=2319.0

Here's what I see:

Status:    Resolving address of my.dns323.box
Status:    Connecting to x.x.x.x:21...
Status:    Connection established, waiting for welcome message...
Response:    220---------- Welcome to Pure-FTPd [TLS] ----------
Response:    220-You are user number 2 of 10 allowed.
Response:    220-Local time is now 01:08. Server port: 21.
Response:    220 You will be disconnected after 2 minutes of inactivity
Command:    USER User
Response:    331 User User OK. Password required
Command:    PASS ********
Response:    230 OK. Current restricted directory is /
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (192,168,0,196,131,93)
Status:    Server sent passive reply with unroutable address. Using server address instead.
Command:    LIST


What I understand is the FTP server is going to use a passive port range.  But what is the port range Pure-FTPd will use?  There's no chance I'm going to forward all ports to the 323.  I could always use ffp and download another ftp daemon, but would much rather have this built-in feature working on its own.

Oh, and I do have port 21 forwarded properly on my dir-655.

When inside the private network, things work great.  Across the internet, there is only one FTP client that works, Microsoft's FTP.  For some broken reason it works while filezilla doesn't.

Travis

hilaireg

  • Level 3 Member
  • ***
  • Posts: 348
Re: FTP on 323 - unroutable address
« Reply #1 on: November 05, 2008, 07:29:58 PM »

Hi 'ttmcmurry',

Few things to check:

1) Port 20 & 21 must be forwarded to the internal DNS-323 for Active FTP to work
2) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for Passive FTP; you need to disable Passive as Active is only supported
3) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for FTP Folder View; you may need to disable this feature

HTH,


fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: FTP on 323 - unroutable address
« Reply #2 on: November 06, 2008, 05:53:27 AM »

> Hi 'ttmcmurry',
>
> Few things to check:
>
> 1) Port 20 & 21 must be forwarded to the internal DNS-323 for Active FTP to work
> 2) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for Passive FTP; you need to disable Passive as Active is only supported
> 3) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for FTP Folder View; you may need to disable this feature
>
> HTH,



You only need to forward port 21 for active ftp.

ftp differs from most other protocols in that it uses two communication channels - a control channel on port 21 and a data channel on port 20 (these are the well known ports for active ftp, passive ftp is different).

Consumer routers use a process known as NAT (Network Address Translation) to share a single public ip address between several hosts using private ip addresses - communication requests originating on the inside of the router are allowed out and when the responses are received they are directed to the originating host.  Communication requests originating from the outside of the router are discarded because the NAT mechanism would not know which host the request was meant for - the way around this is port forwarding, a mechanism through which any request arriving on a particular port is forwarded to a specified host.

With active ftp - the request is made on the control channel (port 21) which, because it originates on the outside of the firewall has to have the port forwarded, but, after the initial communication, the data channel is established by the server from the inside of the firewall so port forwarding is not required at the server side.
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

hilaireg

  • Level 3 Member
  • ***
  • Posts: 348
Re: FTP on 323 - unroutable address
« Reply #3 on: November 06, 2008, 10:41:39 AM »

You need to forward Port 20 traffic to the DNS if you intend to write to the DNS from outside your NAT'ed LAN.
« Last Edit: November 06, 2008, 10:48:03 AM by hilaireg »

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: FTP on 323 - unroutable address
« Reply #4 on: November 06, 2008, 01:39:49 PM »

> You need to forward Port 20 traffic to the DNS if you intend to write to the DNS from outside your NAT'ed LAN.

I installed my first ftp server as part of a Y2K project - it's behind a Cisco SOHO91 NAT firewall/router and it's been running all this time without port 20 forwarded - I've also used the ftp server on my DNS-323 from time to time for both upload and download (ie writing and reading) and port 20 is not forwarded through my firewall.

In short - I've been doing this for the better part of a decade and I have NEVER, EVER forwarded port 20 - it's not required.

Here's why ....

Port forwarding is ONLY required to permit a connection request originating outside the NAT router to be made, if the port is not forwarded, the router does not know which of the private hosts the request is destined for and will discard it - all connection requests originating inside the NAT router are allowed by default.

With ACTIVE ftp - port 21 MUST be forwarded to allow the inbound control channel to the DNS-323 to be established - once the control channel has been established, when the time comes to establish the data channel - if active ftp is being used, the connection request originates with the DNS-323 which is on the inside of the NAT router and which will be allowed through by default.

Port forwarding for port 20 is NOT required when ACTIVE ftp is used.

With PASSIVE ftp - port 21 MUST be forwarded to allow the inbound control channel to the DNS-323 to be established - once the control channel has been established, when the time comes to establish the data channel - if passive ftp is being used, the connection request originates with the ftp client which is on the outside of the NAT router and a second port has to be forwarded to the ftp server - this second port is usually above 1024 - port 20 is not normally used as the data channel with passive ftp.

Port forwarding for port 20 is NOT normally required when PASSIVE ftp is used.
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

hilaireg

  • Level 3 Member
  • ***
  • Posts: 348
Re: FTP on 323 - unroutable address
« Reply #5 on: November 06, 2008, 05:53:34 PM »

Hi fordem,

Correct ... however, the DNS does not support Passive FTP unless you 'fun_plug' the device. 

Connections originating from 'outside' will be able to connect over FTP to the DNS with Port 21 forwarded from the router to the DNS.  Write errors and timeouts will occur unless Port 20 is also forwarded ... and that's from first-hand experience troubleshooting DNS FTP connectivity issues.

Cheers,

jrbilodeau

  • Level 3 Member
  • ***
  • Posts: 100
Re: FTP on 323 - unroutable address
« Reply #6 on: November 07, 2008, 06:39:52 AM »

I'm using the integrated ftp server on the DNS-323 and I only forwarded port 21, and I use filezilla without any configuration for active or passive and everything works fine for upload and download. Btw I have fw 1.5

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: FTP on 323 - unroutable address
« Reply #7 on: November 07, 2008, 11:08:28 AM »

> I'm using the integrated ftp server on the DNS-323 and I only forwarded port 21, and I use filezilla without any configuration for active or passive and everything works fine for upload and download. Btw I have fw 1.5

Thanks for chipping in with your experience - my experience is similar to yours, except that I use the Microsoft ftp client from the CLI, which as far as I know does not support passive ftp.

RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

hilaireg

  • Level 3 Member
  • ***
  • Posts: 348
Re: FTP on 323 - unroutable address
« Reply #8 on: November 07, 2008, 11:29:07 AM »

FTP sessions initiated from the Internet (from behind a NAT'ed router) to the DNS (that is behind another NAT'ed router) required Port 20 be forwarded so as to permit FTP in Windows Folder View (Explorer) mode.

FlashFXP & CuteFTP have also generated 'write errors' with file uploads to the DNS where Port 20 had not been forwarded as well.

Configuring FTP on the DNS to respond over another TCP port has also necessitated that Port 20 be forwarded.

In short, if you have Port 21 forwarded and it's still not working ... forward Port 20 and inform the other party that you can only provide Active FTP.

Cheers,

« Last Edit: November 07, 2008, 11:47:36 AM by hilaireg »

ttmcmurry

  • Level 4 Member
  • ****
  • Posts: 438
Re: FTP on 323 - unroutable address
« Reply #9 on: November 08, 2008, 09:33:04 PM »

That's great information, and it's all true. 

I don't have a problem using either active or passive FTP transfers and do intend on accessing FTP over the internet.  However...

No one has answered the part of the question "what is the passive FTP port range" the 323 uses... it has to use a specific range (even if it's a broad range).   It would be great if it were possible to specify a range of my own.. big wish. 

The second question I have is why is the 323 sending a private IP address back to the computer I was using to connect to it?  It should have looked more like:

Response:    227 Entering Passive Mode (63,128,49,119,131,93)

But it used 192.168.0.196 instead across the router.  Shouldn't the 323 be using the public IP from the DIR-655 router?  This way it would route internally and externally.   Has anyone else noticed this or can verify this is a problem?

Travis
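
The client-side handling behind the "Server sent passive reply with unroutable address" status line, as an added example that is not part of the original posts and not FileZilla's own code: it decodes a 227 reply into address and port and falls back to the control-connection address when the advertised one is not globally routable. Function names are hypothetical; the two sample replies are the ones quoted in this thread.

```python
import ipaddress
import re

# RFC 959 227 reply payload: (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Replies quoted in the thread: what the DNS-323 sent, and what the poster expected.
REPLY_SEEN = "227 Entering Passive Mode (192,168,0,196,131,93)"
REPLY_EXPECTED = "227 Entering Passive Mode (63,128,49,119,131,93)"


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return ip, port


def data_endpoint(reply, control_peer):
    """Choose where the client opens the data connection.

    control_peer is the address the control connection actually reached.
    Returns (ip, port, substituted).
    """
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    # A private (RFC 1918), loopback or link-local address cannot be reached
    # by a client that had to go through a public address to find the server.
    if not ip.is_global and peer.is_global:
        return str(peer), port, True
    return str(ip), port, False


if __name__ == "__main__":
    print(data_endpoint(REPLY_SEEN, "63.128.49.119"))   # WAN client
    print(data_endpoint(REPLY_SEEN, "192.168.0.196"))   # LAN client
```

The substitution only repairs the address; the decoded port (here 33629) still has to be forwarded by the router for the passive data connection to succeed.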

hilaireg

  • Level 3 Member
  • ***
  • Posts: 348
Re: FTP on 323 - unroutable address
« Reply #10 on: November 09, 2008, 09:40:53 AM »

Hi 'ttmcmurry ',

The DNS only supports Active mode if you're coming in from the Internet through a firewall.  The DNS supports Passive from inside the NAT'ed LAN.

Have a look at the DNS-323 modding site wiki; there's a section in their HOWTO browser tree pertaining to FTP (open ports ftpd) and the folks there provide an excellent explanation as to what is happening - they also provide a 'workaround' method if you decide to implement the modding aspects - I have not tried the mod.

Google: wiki dns323 info

Cheers,


ttmcmurry

  • Level 4 Member
  • ****
  • Posts: 438
Re: FTP on 323 - unroutable address
« Reply #11 on: November 11, 2008, 02:32:21 PM »

I understand the philosophy concerning the DNS-323 as a consumer device. 

Having said that, there are some features that should "work out of the box" and not require someone to mod their DNS-323.  So I don't appear to be a hypocrite, yes I do have ffp 0.5 installed on my 323 and it serves its purpose to the extent that I don't modify the original programming provided via 1.05 firmware.

IMHO, the 323 was advertised as having FTP capability and didn't state it is not able to route across the internet even if port forwarding is used on the corresponding router.  I would expect to be able to specify passive port range & choose between host ip address and/or auto ip on local/wan. 

I would *love* to be proven totally wrong and that things actually work and it's really me that doesn't understand it.  Reality is I manage 3 Microsoft FTP servers at my workplace behind a Cisco router + NAT Traversal or direct IP mapping and don't have this kind of difficulty.

hilaireg

  • Level 3 Member
  • ***
  • Posts: 348
Re: FTP on 323 - unroutable address
« Reply #12 on: November 11, 2008, 03:20:01 PM »

I spent a considerable amount of time researching and session logging before I discovered that Active FTP was the only way to reach the DNS over the Internet between two NAT'ed LANs.  How I discovered it was purely by chance reading.

I was in the process of putting the product back in the box for return - since I couldn't get FTP to work as expected - when I noticed the little asterisk and footnote stating that it was recommended that a VPN session be established when connecting to the DNS using FTP from the Internet - that's when it occurred to me that *maybe* that both TCP Port 20/21 needed forwarding.

In short, I don't believe your understanding (and that of 'fordem') is incorrect; what you expected to occur should ... it just doesn't when it comes to the DNS - at least with the current f/w releases.

Cheers,

ttmcmurry

  • Level 4 Member
  • ****
  • Posts: 438
Re: FTP on 323 - unroutable address
« Reply #13 on: November 11, 2008, 03:29:00 PM »

Yeah, that validates my point.  I don't know anyone who hooks up directly to the internet anymore, and for that reason most FTPs are NATted. 

That takes me back to my point about passive ftp: 

1) Give us control over the passive port range so it can be port forwarded a la router
2) Give the 323 the ability to determine its external IP address* for WAN transfers
3) Give the 323 the ability to use the LAN IP for local transfers

* http://www.whatismyip.org/ is a good start.

ECF

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2692
Re: FTP on 323 - unroutable address
« Reply #14 on: November 11, 2008, 03:49:10 PM »

Port 21 is the only port that needs to be open for the FTP server in your firewall for proper use. Opening port 20 does not affect the use of the FTP server.
Never forget that only dead fish swim with the stream