Author Topic: DNS-321 FTP passive ports range?  (Read 13353 times)

bklynkid

  • Level 1 Member
  • *
  • Posts: 12
DNS-321 FTP passive ports range?
« on: September 11, 2008, 04:43:12 PM »

Hi there,
Been trying to get this to work. Seems a bit bone-headed in my opinion to leave out passive port range configuration when most small business and home users (to whom this device is targeted) will be behind a NAT of some sort and may still want to share files to people accessing remotely. Am I missing something or is this just not possible?


I looked at the pFTPd config provided in the source code and it seems passive ports are not enabled in that configuration file. If I knew how to build a firmware with my own settings, believe me I would, but the instructions included are pretty pedestrian at best. Anyway, anything else I can do?

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: DNS-321 FTP passive ports range?
« Reply #1 on: September 11, 2008, 05:13:45 PM »

Passive ftp is not required to host an ftp server behind a NAT firewall - and my guess is you're missing something - because I have had no problems in accessing my DNS with it behind a NAT firewall, and the client also behind a NAT firewall.
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

bklynkid

  • Level 1 Member
  • *
  • Posts: 12
Re: DNS-321 FTP passive ports range?
« Reply #2 on: September 11, 2008, 05:20:05 PM »

Well, OK, I'll take that challenge.

I set DNS-321's FTP to run on port 2121 which I forwarded on my router. The forwarding itself is not an issue as I can connect to the FTP externally just fine. However, be it passive or active mode I get an error when trying to list/get/put.

Passive:
Command:   PASV
Response:   227 Entering Passive Mode (192,168,1,2,109,220)
Status:   Server sent passive reply with unroutable address. Using server address instead.

Active:
Command:   PORT 10,40,10,158,4,158
Response:   500 I won't open a connection to 10.40.10.158 (only to 65.51.69.130)


Either I open the DNS-321 on the router to DMZ or I set up a passive ports range. I am not going to open up DMZ just for an FTP server running on this thing.


How did you pull this off?
Logged
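
The PASV reply and PORT command quoted in the post above, decoded as an added example (not part of the original thread and not D-Link's code). It shows which address and data port each side advertised and why a NAT or the server's own check rejects them; the forwarded range 50000-50010 and the public address 203.0.113.10 are constructed assumptions.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple used by both the 227 reply and the PORT command (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(line):
    """Return (ip, port) advertised in a PASV 227 reply or a PORT command."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return ip, port


def audit_data_channel(line, control_peer, forwarded_ports):
    """List the reasons the advertised data endpoint will not work across NAT.

    control_peer: address the other side sees on the control connection.
    forwarded_ports: ports the server-side router forwards (assumption).
    """
    ip, port = decode_hostport(line)
    findings = []
    if ip.is_private:
        findings.append("advertises private address %s" % ip)
    if ip != ipaddress.IPv4Address(control_peer):
        # Servers refuse PORT targets other than the control peer
        # (anti-bounce check); that is the 500 reply in the post.
        findings.append("differs from control-connection peer %s" % control_peer)
    if line.lstrip().startswith("227") and port not in forwarded_ports:
        findings.append("passive data port %d is not forwarded" % port)
    return ip, port, findings


if __name__ == "__main__":
    forwarded = range(50000, 50011)  # constructed: a narrow passive range
    samples = [  # lines taken from the post; 203.0.113.10 is a placeholder
        ("227 Entering Passive Mode (192,168,1,2,109,220)", "203.0.113.10"),
        ("PORT 10,40,10,158,4,158", "65.51.69.130"),
    ]
    for line, peer in samples:
        ip, port, findings = audit_data_channel(line, peer, forwarded)
        print("%s -> %s:%d" % (line, ip, port))
        for f in findings:
            print("   - " + f)
```
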

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: DNS-321 FTP passive ports range?
« Reply #3 on: September 12, 2008, 05:19:04 AM »

Why not learn to walk before you try to run.

Set up your ftp server at the traditional 20/21 port AND get it functional before trying to use non-standard ports - also be aware that the client side firewall/router has a part to play in this.

Last but not least - do NOT do your testing from inside the same LAN as the DNS-323.

To answer your question - how did I pull it off?

Simple - enable the ftp server on the NAS and forward port 21 to it.

bklynkid

  • Level 1 Member
  • *
  • Posts: 12
Re: DNS-321 FTP passive ports range?
« Reply #4 on: September 12, 2008, 05:36:08 AM »

I am trying to use 2121 because 20/21 are blocked by my ISP. Yes, the testing and results were done from an external IP, one not on the network, i.e. over the internet.

Any other suggestions?

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: DNS-321 FTP passive ports range?
« Reply #5 on: September 12, 2008, 10:32:30 AM »

First - if 20/21 are blocked by the ISP - it means that you are probably not allowed to host an ftp server under the terms & conditions of your contract - and any attempt to circumvent that block will be a breach of contract.

Bear this in mind - if your ISP does not permit the hosting of an ftp server and chose to block ports in order to enforce the regulation, they will not block 20/21, but every other commonly used combination of ports - they may well have 2121 blocked. It is also possible for your ISP to block content based on protocols regardless of the ports you choose.

It makes no sense fumbling with ftp in the dark and not knowing if your attempts have failed because of a misconfiguration or because the ISP has blocked the port you are attempting to use. Find a friend whose ISP allows an ftp server and do the basic configuration there - get it functional on 20/21, change it to the desired port, make sure it works and then take it home - that way you know that if it doesn't work it's the ISP.

bklynkid

  • Level 1 Member
  • *
  • Posts: 12
Re: DNS-321 FTP passive ports range?
« Reply #6 on: September 13, 2008, 07:53:52 PM »

I have hosted FTPs on this connection before on port 2121, I don't think that my ISP is the issue.

Again referring back to my post above, I am able to connect via port 2121 just fine. It isn't until I try to LIST (which opens another connection, either passive or active), that's when it fails as it expects multiple other ports to be open.

Simply put, for Active to work I'd have to put my DNS-321 into DMZ or open all ports > 1023 which would leave me wide open to security risks and would take away from other ports I use for other things.

Or I could (theoretically of course, since DNS-321 doesn't allow for passive ports) define a range of ports for the ftp daemon to use via passive mode.

Read all about the FTP protocol standard (http://www.slacksite.com/other/ftp.html) and tell me how this could possibly work in my situation. It won't.

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: DNS-321 FTP passive ports range?
« Reply #7 on: September 13, 2008, 09:17:30 PM »

I want to remind you of where this thread started - which was with you suggesting that passive ftp was the only way to run an ftp server behind a NAT firewall - now you're suggesting that I go read up on ftp.

Here's what - I'm no stranger to ftp, I am running an active ftp server behind a NAT firewall, I've done it with Cisco, D-Link, Linksys & Netgear NAT firewalls, and three out of the four of those were with a bone standard DNS-323 - and - by forwarding ONE SINGLE port.

With a NAT firewall IF you're going to use passive ftp THEN you need to forward additional ports - however - IF you are using active ftp THEN the second connection is opened from the inside of the NAT firewall and no port forwarding is required.

Perhaps you need to do some research on how NAT works.

bklynkid

  • Level 1 Member
  • *
  • Posts: 12
Re: DNS-321 FTP passive ports range?
« Reply #8 on: September 14, 2008, 07:17:12 AM »

Regardless, I used a funplug to go in and run pftpd with a passive ports range and that works fine for me.

Thanks anyway.

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: DNS-321 FTP passive ports range?
« Reply #9 on: September 14, 2008, 10:14:54 AM »

Glad to hear that you got it working - however - the reason that it works has nothing to do with the NAT firewall at the NAS end.