D-Link Forums
The Graveyard - Products No Longer Supported => D-Link Storage => DNS-323 => Topic started by: jorbit1 on June 30, 2010, 11:29:18 AM
-
Hi All,
I've been trying to work through some FTP problems I've been having with my NAS (D-Link 323). I'm able to use FileZilla or any FTP program to connect to my NAS via IP (local 192.168.x.x) from within my LAN, no problem. I registered a domain entry with D-Link dynamic DNS and have it pointing at my WAN IP (the IP address given to me by my ISP, 96.250.xxx.xxx). I then entered my DDNS settings on the NAS (Tools --> DDNS). On my router I've added a port forwarding rule which sends all requests on port 21 to my NAS. Now from within my LAN I am unable to connect to my NAS via any FTP program through the D-Link dynamic DNS entry (xxx.dlinkddns.com). I've read through the forums and they mention that some routers are not able to loop back, which is perfectly fine; I really don't want FTP access from within my LAN via the DDNS entry, IP works great. Now I would like access from outside my network via the DDNS entry. Every time I try to connect I get the following error message:
Status: Resolving address of xxx.dlinkddns.com
Status: Connecting to 96.250.xxx.xxx:21...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
I've read through many threads trying to figure this one out and I'm completely stumped; any help would be appreciated.
Thanks,
Jimmy
-
There are several possible causes for this problem and you need to check them all one by one.
First - have you tested from OUTSIDE your LAN - if not - then do that as the first step - do not proceed beyond this point unless you have tested from a remote location.
Second - is your ftp client configured for active or passive ftp?
Third - if your ftp client is using passive ftp - is your router configured to forward the selected passive ftp ports?
Fourth - if your ftp client is using passive ftp - is your ftp server configured to return a public ip address, and is that address correct?
Fifth - is your ftp server using a DHCP reservation or a static ip address?
Sixth - if your ftp server is using a static ip, has a default gateway setting been configured?
Seventh - if your ftp client is using active ftp - is it behind a NAT router - not all NAT routers will properly allow active ftp.
Eighth - does your ISP permit the hosting of servers - if not they may block port 21.
-
Hi Fordem,
I didn't realize I missed that many steps. I've completed the first step and that's when I got the error message. I'll work on 2-8 and reply again. Thank you for your thorough response.
Jimmy
-
Ok so here's what I've done.
2. FTP client is in passive mode.
3. I just added another rule to my router limiting the port usage to match that of the ftp server.
4. The ftp server is configured to use a public ip and I've confirmed that is correct.
5. The ftp server is currently using DHCP.
6. N/A
7. N/A
8. I did a quick Google and got too many different answers, so I changed it to 1025 but still no luck (I also added 1025 to my port forwarding rules).
-
Did you also tell your ftp client to use 1025?
-
Yup, no luck... :(
Status: Resolving address of xxx.dlinkddns.com
Status: Connecting to 96.250.xxx.xxx:1025...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
I wish there was a way to bypass the router altogether; this way I could remove that variable. I have a suspicion that it's the culprit.
Verizon actiontec model MI424-WR
Thanks,
Jimmy
-
Have you ever used the Windows native ftp client? It's very primitive, uses a CLI interface, and does not support passive ftp - BUT - it gives error messages that make sense, at least to me. Try it, even if only for diagnostic purposes.
-
I just tried the native ftp client and from within my local LAN all is well. When I try to connect from my local LAN via WAN DNS entry (xxx.dlinkddns.com) I wasn't able to connect. Now I wasn't able to test outside my LAN because I left my pc at work, but tomorrow when I go in I'll try it and see.
Thanks again Fordem, I'll keep you posted with any results.
Jimmy
-
I think this page may help you to test the response on the port from internet:
http://www.canyouseeme.org/
You can see the effect immediately after any setting you change to the router.
My advice: disable all firewalls (router and your computer), put the NAS in the DMZ, and work like this until you get it working; otherwise these may create confounding factors.
P.s. Make sure the DNS points to your IP. Even better, don't use the hostname you registered in dlink, use directly your IP (coz it may change and the DDNS service is not updated).
P.p.s. The router may need a rule simply to accept connections on port 21. It is different from port forwarding, but may be necessary. In my modem/router it is under Firewall -> Filter rules. There you can also restrict the IPs that access your FTP. This is a later thought though.
Good luck.
-
So I've just verified from work...still no luck. I tried by IP address as well just to be certain it wasn't the DNS.
ftp> open xxx.dlinkddns.com 1025
> ftp: connect :Unknown error number
This link is definitely helpful...thank you.
I'm going to try this tonight and I'm now confident that I'll be able to eliminate/troubleshoot my router issues.
Jimmy
-
Mh, I might be wrong, but there are some points which make me go "huh?"
You said you use DHCP for the LAN IP address of the NAS. So chances are your NAS will get different IP addresses every time it connects to your router. Does your "Port Forwarding" rule know this and can it handle it? If not, give your NAS a static IP address, provide it with your router's LAN IP as "DNS server" & "Default Gateway" and check whether your Port Forwardings match the (new) IP address of your NAS.
You try to connect to your FTP via ftp://yourddnsadress:1025. So your forwarding rule has to forward the incoming WAN port 1025 to the NAS port 21.
To be on the safe side, does your router also provide an FTP server? If yes, turn it off (temporarily) so the router won't interfere.
And there's a typo in the command line of the FTP client:
wrong: open xxx.dlinkddns.com 1025
correct: open xxx.dlinkddns.com:1025
I hope I could help a bit :) .
//HSishi
-
Hi HSishi
After I spent some time clicking around I went with your suggestion of setting a static IP, I think that's one step in the right direction for me, thank you.
As far as the FTP command line goes, I'm using Win 7 which doesn't use the ":". It's possible that older versions of ftp can use it though.
I'm still on the hunt for a solution, I'm focusing on the router next. I'm updating the firmware as I type this, I'll keep everyone posted with my progress.
Jimmy
-
I checked a similar port forwarding rule in my router (web port 1025 to NAS port 21) and it didn't work for me either. So I tried something and got a result:
You have to forward TWO ports: The FTP server doesn't respond on port 21, it uses port 22 for the reply.
So your port forwarding rule must be like this:
-WAN Ports- 1025-1026 -to- your NAS IP or device -ports- 21-22 .
So your FTP client calls at port 1025 (waiting for a reply on port 1026) -> your router converts to port 21 -> your FTP server replies on port 22 -> your router converts to port 1026 -> your FTP client gets its response.
A check with http://www.canyouseeme.org/ succeeded.
//HSishi
-
You have an incorrect understanding of both how ftp works, and why port forwarding is required - I have been running ftp servers for the past decade with just port 21 forwarded - port forwarding of port 22 is NOT required under any circumstances, and I have run the DNS-323's ftp server with just port 21 forwarded.
Port forwarding first - when a single public IP address is shared using a NAT router, the norm is to allow all outgoing connections, and block all incoming connections, unless these connections correspond to a previous outgoing connection, in which case the NAT router will forward the traffic to the host from which the request originated. Any incoming connection without a corresponding outgoing connection is discarded because the router does not know what to do with it. Unsolicited incoming connections can be allowed through, provided the router is told where to send them - for a connection on port a, forward the request to IP address 1.2.3.4 - a process commonly known as port forwarding.
Port forwarding is ONLY required for incoming connections - NEVER for outgoing ones.
With an ftp server running traditional or active ftp on the default port 21, the incoming connection to the server is made on port 21, and if the ftp server is behind a NAT router, the router MUST be told which host the connection is to be forwarded, otherwise it will be discarded - the ftp server then establishes an outgoing data connection - since this connection is outgoing, no port forwarding is required.
In this specific case - where passive ftp has been configured - port 22 would not be used if he were using the default port 21, and port 1026 will not be used when he uses the non-standard port 1025 - when passive ftp is used, the user configures the ports on which the data connection will be made, and those ports are required to be forwarded.
For what it's worth - I have also - for the purpose of a particular exercise - configured and successfully accessed the ftp server on my DNS-323 on port 1025, without forwarding 1026.
-
Well, the behaviour jorbit1 and I experienced is, simply forwarding incoming port 1025 to NAS port 21 just didn't work.
My router has a port forwarding with incoming :21 to NAS :21, and this works. So with STANDARD ports my router and NAS are fine.
The problem with timeouts occurred when trying NON-STANDARD ports. Just forwarding :1025 to :21 and a connection attempt using ddns_adress:1025 resulted in timeouts.
After I extended the forward rule (1025+1026 to 21+22) I instantly got a connection when trying ddns_adress:1025.
I had the same results with the tests with the "canyouseeme" tool: just forwarding :1025 to :21 ended in timeouts, adding :1026 to :22 does the trick.
It might not be the correct technical description of why it works ... and normally it should work without the second port. Call it a "workaround" which does the trick ::)
//HSishi
-
I only port forward port 21 to run the FTP server on my DNS-323 externally, so I have no idea what you guys are doing to break it.
-
There seems to be a lot of misunderstanding here and there, and blind attempts to make things work :-).
First of all, as it has already been said there should be clear understanding how ftp works, what is active and passive mode and which ports are used.
1. FTP uses 2 channels at the same time for its work and needs 2 independent connections - command-and-control and data-transfer. Using the c&c connection the FTP client gives instructions to the server and listens for replies, while using the data connection the server sends (or receives) the actual data. TCP port 21 is the standard (well-known) port used for command-and-control. If this is the only port opened in both directions on the firewall then no actual data transfer can take place.
2. Term active or passive FTP determines FTP SERVER behavior - who initiates data-transfer channel. If it is client, then this is passive mode, if this is server - active one.
In active mode client connects to the server on port TCP/21 using some random source TCP port above well-known range (1024 and up). For example TCP/2000. This is how it establishes c&c connection.
Then the client sends to the server its data port which is =current_port+1. In our case TCP/2000+1=TCP/2001.
After that FTP server initiates the data connection to the client using TCP/20 as source port and TCP/2001 (in our case) as a destination port and transfers the data.
In passive mode both connections are initiated by the client. Instead of sending a port number to the server, the client sends the PASV command. In response the FTP server itself opens a random TCP port (say TCP/3000) and sends it back to the client. After that the client connects from its c&c port + 1 (TCP/2001 in our case) to the received server port (TCP/3000 in our case), and the server uses this established connection to send data to the client (or receive data from it).
Now what happens if we put one way firewall between client and server which allows all the traffic in one direction and only returning traffic from the opposite side?
1. FTP server is outside and the client is inside.
In case of passive FTP we are fine and no ports need to be opened, as all outgoing (and returning) traffic is permitted. The FTP client first establishes the c&c connection from inside to outside (client:2000 -> server:21), receives a port number from the server and establishes the data connection (client:2001 -> server:3000).
In case of active FTP we are in big trouble, because we need to allow a data connection initiated from the server using port 20 AS A SOURCE PORT to the client using random port + 1 (TCP/2001 in our case, i.e. server:20 -> client:2001). Unless we have some sophisticated firewall which can perform deep inspection of packets, detect the FTP connection, derive the dynamic port from it and dynamically open it, we have to open traffic wide from any source using port 20 to the client on the port range 1024 - 65535, which is a big security hole.
That is why passive mode is mostly used to access FTP servers on the internet from behind firewalls.
Now if we put the FTP server behind firewall and FTP client on the outside network, we get completely different picture.
First we need to open (forward) port TCP/21 to the FTP server. Otherwise there will be no ftp connection established.
Now if the ftp client uses ACTIVE mode to connect to FTP server, we are fine:
1) The client connects to the FTP server and tells it which port to use for data (TCP/2001 in our example). This c&c connection works, if port forwarding was configured properly.
2) The server initiates data connection from inside firewall (all traffic is allowed!) using obtained port number as a destination and TCP/20 as a source - server:20 -> client:2001 (in our case)
But if the FTP client tries to use Active mode it will fail (if our firewall is not capable for deep packet inspection) because the client will try to establish connection from outside to inside using dynamic destination port supplied by the FTP server - client:2001 -> server:3000.
To make the long story short - in case of "simple" one way firewall passive ftp mode should be used to connect to FTP servers on the internet and active mode should be used to connect from the internet to the servers behind such firewalls with only port 21 permitted in inbound direction.
Do you see a bit of a problem here? If we have a client behind such a firewall trying to connect to the FTP server behind such a firewall IT WILL NEVER WORK as they need different FTP modes to operate!
At least one of the firewalls should be smart enough to support both FTP modes, or there should be a one-to-one NAT translation to the FTP server with all ports allowed (which is not good, as all ports on the server are exposed to the internet). Check your router documentation regarding FTP processing capabilities.
One more hint how to check if port forwarding is actually working. Forget about any FTP clients. Just go to command prompt and use 'telnet x.x.x.x 21' where x.x.x.x is IP of your FTP server.
If FTP server works and port forwarding is configured properly you should see FTP server response on your screen like: 220 blah blah blah FTP server is ready.
If you see 'connection failed' it means something is wrong.
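The banner test above ("telnet x.x.x.x 21", expect a 220 reply) and the passive-mode checks from earlier in the thread (is the data port inside the forwarded range, and does the server advertise the public IP?) can be scripted. The following is an added example, not code from the thread or from D-Link: it connects to the control port, reads the banner, sends PASV and checks the 227 reply; the public IP 203.0.113.10, the forwarded range and the local fake server are constructed sample values.

```python
"""Passive-FTP forwarding check (added example, not from the forum thread)."""
import re
import socket
import threading

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Turn a 227 reply into (ip, port); raises ValueError on anything else."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_pasv(ip, port, public_ip, forwarded):
    """List the problems a NAT'd passive setup would hit with this 227 reply.

    forwarded is the (low, high) passive range forwarded on the router,
    e.g. the 55536-55663 range used later in this thread.
    """
    problems = []
    if ip != public_ip:
        problems.append("server advertises %s, not the public IP %s "
                        "(check the server's passive/public IP setting)" % (ip, public_ip))
    low, high = forwarded
    if not low <= port <= high:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, low, high))
    return problems


def _read_line(sock):
    """Read one CRLF-terminated FTP reply line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip()


def ftp_probe(host, port, timeout=5.0):
    """The 'telnet host 21' test plus one PASV: returns (banner, pasv_reply).

    A refused or forwarded-nowhere control port raises OSError here, which
    is the ECONNREFUSED / timeout symptom described in the thread.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_line(s)
        s.sendall(b"PASV\r\n")
        reply = _read_line(s)
        s.sendall(b"QUIT\r\n")
    return banner, reply


def fake_ftp_server(public_ip, data_port):
    """Constructed stand-in for a NAS FTP server on 127.0.0.1 (test only):
    answers with a 220 banner and one 227 reply. Returns (port, thread)."""
    p1, p2 = divmod(data_port, 256)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 DNS-323 FTP server ready.\r\n")
            conn.recv(64)  # the PASV command
            conn.sendall(("227 Entering Passive Mode (%s,%d,%d)\r\n"
                          % (public_ip.replace(".", ","), p1, p2)).encode())
            conn.recv(64)  # QUIT (or EOF)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t


if __name__ == "__main__":
    port, _ = fake_ftp_server("203.0.113.10", 55600)  # constructed sample
    banner, reply = ftp_probe("127.0.0.1", port)
    ip, data_port = parse_pasv_reply(reply)
    print(banner, "|", reply)
    print(check_pasv(ip, data_port, "203.0.113.10", (55536, 55663)) or "passive setup looks consistent")
```

Against a real NAS, call ftp_probe with the DDNS name or WAN address and port 21 from outside the LAN; a non-empty list from check_pasv points at items 3 and 4 of the checklist earlier in the thread.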
-
Mh, didn't know the telnet tool can be used for such a test too. So again I played around with my router.
First, I have a software firewall on my PC to block outgoing connections initiated by malware.
Second, I have an AVM 7390 VDSL router with firewall for incoming connections.
So I have the setup "FTP Client and server are behind separate firewalls".
In my router I can configure forwarding rules for common applications: "FTP-Server", "HTTP-Server", "eMule UDP" & "TCP", "Remote Desktop" and "Exposed host" (aka "DMZ"). And I have an option "Anything else".
I can configure non-standard ports with the "anything else" option only, all other options use predefined standard ports.
For standard ports, the router seems to be able to inspect the packages and handles the traffic in the correct way(s).
And here's the catch: If an application needs more than one non-standard port for the connection, you have to define more than one port in the forwarding rule, or, if the ports are spread into different ranges, even more than one forwarding rule.
Instead of multiple small forwarding rules you can define one very large range but you shouldn't because of security risks; you might include ports which you do NOT want to make accessible.
I have a FTP server on my NAS which should be accessible from web, using the default port(s). So the forwarding rule simply is: "Make the FTP-Server on the NAS accessible". With this, my router handles all incoming and outgoing FTP traffic to and from the NAS.
I modified the forwarding rule to "Make port 21 on the NAS accessible". See the difference? The router didn't know it's an FTP server anymore, it just translated the ports and didn't bother with inspecting the data packages.
Result: I got timeouts because the router discarded the replies of my server.
Another modification to "Make ports 21+22 on the NAS accessible" made the FTP connection working again.
Now we have a non-standard setup: jorbit1 wants to make an FTP server accessible but not with the standard setup (port 21+), he/she (?) wants to use port 1025. So the router doesn't know it's an FTP server connection the router can manage, it's "anything else" and, as we now know, just translating 1025 <-> 21 isn't enough, you need the additional translation 1026 <-> 22.
So the forwarding rule for this non-standard setup is "Make the ports 21+22 on the NAS accessible as ports 1025+1026."
@ Jorbit1: I checked the MI424-WR manual. Unfortunately the PDF manual I found just shows "empty" configuration forms, no further examples. Anyway, you should be able to define this two-port forwarding rule. If you cannot define more than one port in the same rule, use a second rule for the second port.
Hope this helps.
//HSishi
-
You've missed the point made by two different people - the direction of the connection - incoming or outgoing - is critical: incoming connections need to have the port forwarded, outgoing connections do not. Passive ftp has both connections made from the client to the server, so port forwarding for both is required at the server side. Active ftp has one connection made from each end, so port forwarding is required for one at the server side.
Additionally - even though port forwarding of both connections IS required when passive mode is used - the current_port + 1 rule no longer applies.
-
Hi All,
I'd like to thank everyone for their input on this issue. I've had some time to investigate all your suggestions and through that discovered that the router was faulty. I opened up every port I could find on the router and then put my NAS in the DMZ (which from what I understand is completely exposed to outside networks). I then visited canyouseeme.org to verify and none of the ports I forwarded were open. Since this was the first time I've ever used any type of port scanning tool I wasn't sure that my results were valid (I thought maybe I goofed something). I then downloaded nmap, which is a more complex network exploration tool, and after a while I was able to figure out that my ports were indeed closed. I then visited the manufacturer's website for the router, downloaded the latest firmware and reset the router to factory default. I then ran nmap again after forwarding port 21 on the router. Lo and behold, after all that I was able to connect to my NAS via the D-Link DNS entry (WAN).
I'm very grateful for everyone's insight, I know this would've taken me a very long time to figure out on my own, now I can go and enjoy the rest of holiday weekend.
Happy 4th of July !!!
Jimmy
Final Setup
FTP server
-Status Started
-Port 21
-Max. User 1
-Flow Control Unlimited
-Idle Time 2
-Client Language Western European
-SSL/TLS connection Yes
-Passive Mode 55536~55663
Router
-Port 21 Forwarded for NAS IP
FTP Client (Filezilla)
-Active Mode
-- Send FTP keep alive command (not sure if makes a difference but its checked)
-- Limit ports used by Filezilla (55536-55663)
-- active IP mode - ask your operating system for external ip
PS I haven't had a chance to test passive mode nor any other ports (ex.1025), I'll continue to work on it and post my results at a later time.
-
It took me a while to get mine working. I could access my FTP from within my network using TLS encryption or SSL.
The only way I am able to access my FTP externally is without using any encryption and in passive mode.
You need to set up your DNS-323 on a static IP so that your router can hand off the FTP requests to it on port 21. Make sure you have the latest firmware.
I can't get WinSCP to work externally, but FireFTP works internally and externally.
-
I could never get encryption working externally either, don't know what the hangup was. Works fine locally on the LAN.