D-Link Forums

The Graveyard - Products No Longer Supported => D-Link Storage => DNS-323 => Topic started by: pc-addict on March 21, 2011, 07:01:21 AM

Title: DNS-323 behind 3 routers how to FTP ?
Post by: pc-addict on March 21, 2011, 07:01:21 AM
Hi, I'm having trouble trying to connect to my DNS-323 via ftp since adding a 3rd router to my domestic network. I've totally reconfigured all routers and I can't remember how I had set it up for 2 routers; this is how I've currently set it up:

Router 1
  WAN     = xx.x.xx.77 (from ISP)
  Gateway = xx.x.xx.1
  LAN     = 192.168.1.1
  DMZ     = 192.168.1.50
  Port forward 21 -> 192.168.1.50

Router 2
  WAN     = 192.168.1.50
  Gateway = 192.168.1.1
  LAN     = 192.168.2.1
  DMZ     = 192.168.2.100
  Port forward 21 -> 192.168.2.100

Router 3
  WAN     = 192.168.2.100
  Gateway = 192.168.2.1
  LAN     = 192.168.3.1
  Port forward 21 -> 192.168.3.2

D-Link address = 192.168.3.2

DHCP start = 192.168.3.100

I'm using the FireFTP plugin for Firefox and entering ftp.(isp address). I've tried anonymous and secure without any success; I would really appreciate any help......
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on March 21, 2011, 08:49:52 AM
Getting rid of the routers 2 & 3 would be a good place to start.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: pc-addict on March 21, 2011, 09:18:24 AM
Thank you for your input, but removing two routers is not the solution to the problem. I have had it working for a long time with two routers now my house needs 3 routers.

I'm able to connect within the 3rd LAN but not from the internet side, and it must be to do with the IP and port forwarding addressing.


Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on March 21, 2011, 11:18:29 AM
The chances of any residential network needing more than one router is slim to non-existent - you may have more than one router, but that's more likely to be a matter of poor network design and/or inexperience than one of need.

Routers are used to keep networks separate from one another - do you really need three separate networks? From my point of view, all you're doing is creating an unnecessary headache for yourself.

The only circumstances under which separate multiple networks would be desirable in a residential environment is when one line is being used to supply multiple residences or apartments in a complex - that is a design exercise I will not get into here, and especially not using the NAT routers that you are using.

If you don't want to get rid of the additional routers, consider connecting the NAS to the first router.

For what it's worth - I design & implement networks for small & medium businesses, and I've done a few "country-wide WANs" for financial institutions, and never had more than two routers on any one location.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: MJBURNS on March 21, 2011, 12:09:40 PM
Has something changed with NAT routers? It used to be that you could not nest NAT routers and have them work, particularly for things like active FTP.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on March 21, 2011, 01:10:12 PM
You can nest NAT routers and have ftp work (using the DMZ is the key), but it's just a royal pain in the butt to get working - I've done it with telnet and active ftp, I've never tried it with passive ftp, but I see no reason why it shouldn't work.

ftp itself is a pain in the butt to get working if you lack the understanding or experience, and trying to do it through multiple nested NAT routers just makes it worse - I've seen the licks of lisbon helping novices get ftp on a DNS-323 up & running with just one router, I'm not going to even try with three.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: chriso on March 21, 2011, 02:33:59 PM
Most likely a couple of routers were used when a couple of switches should have been used.

In the past there was a time when I had an old router and didn't want to buy a new switch, and I was lucky enough that the router could be configured so that it actually acted like a switch.  This is the only reason I could think of for using a router when a switch is what is really needed.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: dosborne on March 21, 2011, 02:59:09 PM
Even if there isn't a specific option to configure a router as a switch, in most cases you can simply just use the LAN ports and leave the WAN port unused to simplify your setup. Of course if you need the extended range of the wireless or for a number of other features, it may be necessary to configure multiple subnets, but technically, if properly configured, there are no reasons why you can't nest them.

Personally, I have 3 switches and 3 wireless routers in my home network, but to keep it relatively simple, all devices are connected to a central router so at most they are 2 deep, no third tier.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on March 21, 2011, 06:11:34 PM
You can connect routers as switches and access points without splitting the network into different subnets, it's not difficult - but - unless you have a good grasp of what you're up to, it's easy to find yourself in trouble - and given the cost of a switch nowadays, well, what's your time worth??
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: pearljam45 on March 21, 2011, 06:25:21 PM
Try disabling DHCP on the two routers that are not connected to your modem.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on March 22, 2011, 04:26:33 AM
Try disabling DHCP on the two routers that are not connected to your modem.


That IS a key factor - but if that is done without a "rewiring" of the network, all that will happen is there will be no connectivity on any computer configured for DHCP, beyond the first of the LANs, and if he does that and assigns static addresses, he's still back at square one.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: billb on March 22, 2011, 04:45:11 AM
Hi, I'm having trouble trying to connect to my DNS-323 via ftp since adding a 3rd router to my domestic network. I've totally reconfigured all routers I cant remember how I had set it up for 2 routers, this is how I've currently set it up:
......


I'm quite interested in your network if you "need" to nest 3 routers? What are you doing that requires this? (purely out of interest)
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: pearljam45 on March 23, 2011, 02:11:09 PM
fordem, you are absolutely right.

The WAN port on the two routers not connected to the modem should no longer be used after disabling DHCP.
Just the regular LAN ports 1-4 should be used.

It was late, my apologies.

PJ
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: pc-addict on March 30, 2011, 12:40:59 PM
Thank you all for your ideas and response.....

The reason for me to have 3 routers is because I live in a large 3 floor house and loft conversion, with multiple tenants and connected users.

Router No: 1 is the main router that I've added to the network solely for Mr Landlord, as previously he was wirelessly sharing with everyone in the house (except me) and a lucky authorised neighbour across the street. The previous position of the router and the amount of wireless users choked his download speed, which meant Mr Landlord sometimes was only getting a paltry 3mb download speed but is paying for 50mb; plus Mr Landlord's laptop always used to disconnect, causing inconvenience for everyone after having to reboot the modem and router to get reconnected. All Mr Landlord's issues have now been resolved by adding this new router and positioning it in Mr Landlord's lounge with a password known only by and for his laptop. Mr Landlord is now getting the full 50mb download speed wirelessly and is extremely happy with me <wide grin>

Router No: 2 is located upstairs for everyone else in the house and the lucky authorised neighbour.

Router No: 3 is for me, as I am a PC and network technician who currently works from home and understandably needs a separate network.

As you can now see, no matter how odd it may seem to other professionals who have designed networks with only 1 or 2 routers utilising hubs and switches, having 3 routers in a residential establishment is entirely practical to design and implement. What isn't practical is having my ftp RAID backup drive on Mr Landlord's router No:1 downstairs, physically insecure.

I've still not figured it out yet, as I've been too busy fixing other people's computers and websites, but I know it can be done as I had it already set up for two routers, so it can't be impossible.

I will post upon success......

Thanx
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: D-Link Multimedia on March 30, 2011, 03:01:01 PM
If it works for two routers then just put a switch in between Router #1 and Router #3 instead of going through another router. Put a cheap 5 port gig switch from Router #1 LAN to the switch. Then run one wire from the switch to Router #2 WAN and a second wire down to the WAN on Router #3. That should cut out one NAT and put you back at 2 routers: yours and your landlord's.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: chriso on March 30, 2011, 03:12:24 PM
Well, now that we have all been reminded that people sometimes have very good reasons for doing things which might look funny without context...

I was curious why you went with DMZ instead of just setting up a "Virtual Server" for ftp?

Given that everyone can already talk to the Internet from each of these routers, I think the problem breaks down to one of two things: firewall or routing.

You can also break down the testing into sections.  For instance, can you ftp from a machine on Router #2 to a machine on Router #3?  If that works you can set up an ftp server on a machine on Router #2 and see if you can get to it from Router #1, ... and the same from the Internet to Router #1.

You can test the firewall part by disabling the firewall on Routers #2 and #3.  The only security hole there is that someone on Router #1, if they know Router #2 and #3 are there and they know the subnet, can access downward, but of course this only needs to be opened up for the test, and actually it isn't very likely that people would know to do it.

If the firewalls are not the problem then it is the routing, and your port forwarding is probably the problem.
One of the reasons for asking about the "Virtual Server" setup is that it should know both how to punch through the firewall and how to do the proper routing.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on March 30, 2011, 06:22:28 PM
Thank you all for your ideas and response.....

<SNIP>

As you can now see no matter how odd it may seem to other professionals who have designed networks with only 1 or 2 routers utilising hubs and switches, having 3 routers in a residential establishment is entirely practical to design and implement. What isn't practical is having my ftp raid backup drive on Mr Landlord's router No:1 downstairs physically insecure.

If it were practical to design & implement - we wouldn't be having this discussion now would we?

The first point I want to make deals with ISP Acceptable Usage Policies - which I'm almost certain Mr Landlord is in violation of, and the second is to point out that Mr Landlord still does not have the full 50mb download speed - not if you're still sharing a single ISP circuit - share means he gets part of it, and the tenants get the rest - so if that's the sole purpose for adding the third router, well ... the mere fact that you can post says he doesn't have it all.

There are different approaches to providing internet connectivity to multi-tenant housing, wireless is the easiest approach, and a single router with multiple wireless access points would have been a more manageable implementation than the one you have chosen - this by the way, is how it's done, in different forms, in the hospitality industry across the entire United States - if you want to see a really large scale version of this concept, just visit your nearest University and take a look at the residence halls - trust me, they don't put routers in every apartment & dorm room.

Anyway - since I doubt Mr Landlord really wants to invest in a proper system, let's see how we can get you where you need to be.

Start by connecting to router #2 and see if you can reach the ftp server behind router #3 - if it doesn't connect, take a look at the ip addressing on the DNS-323, paying specific attention to the default gateway setting.

Chriso - using the DMZ is a fast & nasty way of exposing the "inner router" to the internet - strictly speaking the port forwarding on routers #1 & #2 isn't necessary because setting the DMZ effectively forwards all incoming traffic on all ports to the DMZ address.

This is something you would NOT want to do under normal circumstances as it has security implications, but in this case, since the DMZ host is another firewall, which would normally be exposed, the risk is mitigated.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: chriso on March 30, 2011, 06:39:51 PM
I know what DMZ is, what I meant is, why use DMZ which opens up the firewall to everything, instead of just the one port. If you are going to open it that way then you just opened up the DNS-323 (or whatever machine you are using for ftp) to any one of the computers on router #2, not very good security.

BTW On the original speed problem, it most likely would have been better served by having a router with the proper settings for bandwidth allocation.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on March 31, 2011, 04:32:55 AM
chriso - you missed the point.

Since the device he is putting as the DMZ IS a firewall/router ...

1) Placing it in/as the DMZ avoids the need to have to forward the ports individually.
2) The risk is minimal, as the device would normally be completely exposed anyway.

Go back to his original post ...

a) - on router #3 he has forwarded only port 21 to the DNS-323 - the 323 has not been configured as the DMZ, only incoming traffic on port 21 will be forwarded to it.

b) - Router #3 is the DMZ for router #2, so any incoming traffic on the #2 WAN port will reach router #3 (the forwarding of port 21 on router #2 is completely unnecessary)

c) - Router #2 is the DMZ for router #1, so any incoming traffic on the #1 WAN port will reach router #2 (again, the forwarding of port 21 on router #1 is unnecessary).

An incoming connection request on port 21 of router #1 will be sent to router #2's WAN port because of the DMZ, router #2 will then send it to router #3's WAN port, which in turn will forward it to the DNS-323, all other incoming requests on router #1's WAN port will make it to router #2's WAN port, and then router #3's WAN port, where they will be discarded.

My suspicion is that the DNS-323 does not respond because it does not know how to - one possible cause is the default gateway entry that I have suggested he look at.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: Sneak on April 01, 2011, 10:23:33 AM
This makes no sense to me.  Are you saying router 1 is connected to router 2 via ethernet cable, and router 2 is likewise connected to router 3 via ethernet cable?  If not, and you're trying to wirelessly daisy-chain, then give up and run some cable.

If so, why?  It makes no sense.  If you really think you MUST have 3 routers (which it sounds like you don't), run a separate longer cable from router 1 to router 3, then manage routers 2 and 3 independently.  Or you could put a wired switch between router 1 and router 2 to accomplish the same thing (as suggested by "D-Link Multimedia"), but that's additional cost and another moving part.  Either way, get router 2 out of router 3's way and your life is much easier. 

In my opinion, your best bet is to turn router 2 into a wireless access point (turn off DHCP, keep it on router 1's subnet), unplug it from router 3, then leave it alone.  Wire router 3 directly to router 1 and do your best at your "pc and network technician" work stuff.

This is of course assuming that you are ok helping your landlord violate his ISP's usage policies by sharing his connection with his tenants (I agree with fordem 100%) , and that you are ok using that (stolen) connection for your work.

Of course, the right thing to do is to pick up the phone, call the ISP, and ask them to turn on new service for you in your loft, pay for your own connection, and use it however you want.

Look forward to seeing your post upon success either way.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: chriso on April 01, 2011, 11:46:53 AM
BTW my point with DMZ and such is this.  There is only one reason to use so many routers, and that is that you want to isolate the different networks.  You don't want machines on router 1 to see the machines on the router 2 network.  You don't want to let the machines on router 2 to see the machines on router 3.  Please note the opposite is not true (machines on router 3 can see the machines on all the other routers).  If that is not the reason for using multiple routers, then the purpose could have been achieved without the complications of so many routers.  And if isolation is the purpose then using DMZ when you should be forwarding just the ports that are needed is defeating the purpose.

If the purpose is to just to get more bandwidth back for the landlord, this is certainly not the best way to do it.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on April 01, 2011, 02:31:27 PM
Chriso

See if you follow me here - one step at a time...

Router#3 has only port 21 forwarded to the DNS-323 - a host connected to its WAN port can access only the DNS-323 - it cannot access any other hosts connected to the LAN side of router#3, or any other port on the DNS-323.  This is how things would be in a typical "one router" environment.

Is that clear?

Router#3 has its WAN port wired to a LAN port on router#2 and configured so that it is in the DMZ of router#2.  A host on router#2's WAN port cannot access anything on router#2's LAN side EXCEPT router #3, which will only accept a connection on port 21, and which it will pass to the DNS-323.  Router#2 will pass all incoming connection requests on its WAN port to router#3 and router#3 only - there is no security risk for any other host connected to the LAN side of router#2.

Are you still with me?

Router#2 has its WAN port wired to a LAN port on router#1 and configured so that it is in the DMZ of router#1.  A host on router#1's WAN port cannot access anything on router#1's LAN side EXCEPT router #2, which will pass the connection request to router#3, which will only accept a connection on port 21, and which it will pass to the DNS-323.   Router#1 will pass all incoming connection requests on its WAN port to router#2 and router#2 only - there is no security risk for any other host connected to the LAN side of router#1.  Router#2 will pass these requests on to router#3, and router#3 only - there is no security risk to any other host on the LAN sides of either routers #1 or #2.

Still following?

The reason to use the DMZ is ease of use - if necessary, the user can then make port forwarding changes at router#3 only, completely ignoring routers #1 & #2 - as an example, he could decide to use a non standard ftp port, perhaps 2121 - and all he would need to do is change the port forwarding at router #3 - router#1 will pass an incoming connection request on port 2121 onto router #2 because it's in the DMZ, and in the same fashion, router#2 will pass it on to router #3, which will then either forward or block based on its configuration.

Get the idea now?

Yes - a host on the LAN side of router#3 will have access to any hosts on the LAN side of router#2, and also router#1, and hosts on the LAN side of router#2 will have access to hosts on the LAN side of router #1 - so whilst Mr Landlord is protected from the outside world, he really has no protection from any of his tenants, and if - by chance - Mr pc & network technician, working from home, were to connect a virus infected computer to the LAN side of router#3, it's entirely possible for every computer on LANs #1, #2 & #3 to become infected, depending of course on the anti-virus package in use at the time, and its "state of currency".

Not a nice concept at all - and it can be avoided using the appropriate network design.

As far as bandwidth goes - this provides no bandwidth control whatsoever - and if the three routers are all capable of the 50mb/sec WAN/LAN throughput mentioned, then it would be possible to start an ftp download from the DNS-323 and completely saturate the uplink channel to the ISP thereby choking the downlink.
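fordem's two walkthroughs of the DMZ chain (the port-21 trace in his earlier reply and the "port 2121" example in this one) can be checked mechanically. The Python model below is an added example, not code from the thread or from D-Link: it encodes the three routers as pc-addict listed them (a DMZ host and a port-forward table per router, with the addresses from the original post) and traces an unsolicited inbound connection from router #1's WAN port to whichever host finally receives it, so you can see which ports reach the DNS-323, where everything else is discarded, and that the port-21 forwards on routers #1 and #2 are redundant once the DMZ is set. The traversal rule (explicit forward first, then DMZ, otherwise drop) and the function names are assumptions of the example, not documented router behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NatRouter:
    """A consumer NAT router seen from its WAN port.

    forwards maps an inbound TCP port to (LAN host, port); dmz is the LAN host
    that receives every inbound port with no explicit forward.  Assumed rule
    order: explicit forward first, then DMZ, otherwise the packet is dropped.
    """
    name: str
    wan: str
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    dmz: Optional[str] = None

    def route_inbound(self, port: int) -> Optional[Tuple[str, int]]:
        if port in self.forwards:
            return self.forwards[port]
        if self.dmz is not None:
            return (self.dmz, port)
        return None


def trace(routers: List[NatRouter], port: int) -> Tuple[Optional[str], int, List[str]]:
    """Follow an inbound connection that arrives on routers[0]'s WAN port.

    Returns (final host or None if discarded, port at the final hop, names of
    the routers traversed).  A forward that lands on another router's WAN
    address continues through that router, which is what nesting means here.
    """
    by_wan = {r.wan: r for r in routers}
    router, path = routers[0], []
    while True:
        path.append(router.name)
        hop = router.route_inbound(port)
        if hop is None:
            return None, port, path
        host, port = hop
        nxt = by_wan.get(host)
        if nxt is None:
            return host, port, path
        router = nxt


def exposed_ports(routers: List[NatRouter], candidates=range(1, 65536)) -> Dict[str, set]:
    """Map each LAN host reachable from the internet to the WAN-side ports that reach it."""
    result: Dict[str, set] = {}
    for p in candidates:
        host, _, _ = trace(routers, p)
        if host is not None:
            result.setdefault(host, set()).add(p)
    return result


def topology_from_thread(keep_redundant_forwards: bool = True) -> List[NatRouter]:
    """The three routers as pc-addict configured them (addresses from the original post)."""
    r1 = NatRouter("router1", wan="xx.x.xx.77", dmz="192.168.1.50")
    r2 = NatRouter("router2", wan="192.168.1.50", dmz="192.168.2.100")
    r3 = NatRouter("router3", wan="192.168.2.100", forwards={21: ("192.168.3.2", 21)})
    if keep_redundant_forwards:  # the port-21 forwards on #1 and #2 that the DMZ makes unnecessary
        r1.forwards[21] = ("192.168.1.50", 21)
        r2.forwards[21] = ("192.168.2.100", 21)
    return [r1, r2, r3]


if __name__ == "__main__":
    chain = topology_from_thread()
    print(trace(chain, 21))     # ends at the DNS-323, 192.168.3.2
    print(trace(chain, 2121))   # dropped at router3, which forwards only 21
    print(exposed_ports(chain)) # the whole internet-facing surface of the three LANs
```

Running it with `keep_redundant_forwards=False` gives the same trace for port 21, which is fordem's point about the DMZ carrying the connection; changing `chain[2].forwards` to `{2121: ("192.168.3.2", 21)}` reproduces his 2121 example without touching routers #1 and #2. `exposed_ports` is the check worth keeping: for this configuration it reports a single host and a single port, which is what the DMZ chain is supposed to guarantee, and any extra entry would mean a forward or DMZ setting that was not intended.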
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: chriso on April 01, 2011, 03:50:07 PM
Yeah I get it.

I wonder if Landlord knows, that he is not isolated from tenants, and that tenants can still take up to half of the overall bandwidth (they will actually get 100% if he isn't using any).  There is no bandwidth control of course, but if you have two computers (in this case computer and other router) on a switch/router competing for the bandwidth the router should give half of it to each of them.  I guess you could force "bandwidth control" by just making sure router #2 wan port is set 10 Mbps.

Of course the tenants will be happy to know that Landlord is blocked from accessing their computers.  ;)
Then again, I wonder how I would feel about the ISP connection provided if I knew that other tenants can access my machine.  I would think if you went to the tenants' apartments you would find that they have firewalls (at least software) in place.

Anyway, certainly not how I would have set up the network.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: dosborne on April 01, 2011, 03:53:00 PM
Face it guys, this is obviously not an ideal setup, nor is the OP very well versed in networking topology. It works for him and he thinks it meets his needs. Let it go. :)
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on April 01, 2011, 09:08:11 PM
Yeah I get it.

I wonder if Landlord knows, that he is not isolated from tenants, and that tenants can still take up to half of the overall bandwidth (they will actually get 100% if he isn't using any).  There is no bandwidth control of course, but if you have two computers (in this case computer and other router) on a switch/router competing for the bandwidth the router should give half of it to each of them.  I guess you could force "bandwidth control" by just making sure router #2 wan port is set 10 Mbps.


Not exactly - and you can try this for yourself - assuming you have a router and multiple computers - start a download from one site on one computer, wait about 30 seconds or so and then start a second download from a different site on the second computer, wait another 30 seconds and then start a third download on a third computer - watch and see how long the download speeds take to equalize - if they ever do.

You can also run a bt download on one system and try to simply browse the net from a second - the computer running the download will invariably hog the bandwidth, making the browsing experience pure frustration.

As far as forcing bandwidth control goes - how many routers do you know which allow you to set the port speed on any of the ports, WAN or LAN?

As far as the other tenants go - consider this - if you travel on business, you probably carry a laptop, and have probably used the free wifi that most hotels offer (if a hotel doesn't offer free high speed internet, it doesn't get my business), this setup offers no more (and no less) protection.  The same goes for free wifi at coffee shops, colleges etc.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: HSishi on April 04, 2011, 12:26:56 PM
I won't discuss the nesting of routers or whether it's a good idea. Some weeks ago I found out that just forwarding Port 21 for passive FTP is not enough.

Let me explain ...

Modern routers support not only forwarding single ports or a port range; they can also forward services. That means there is a difference between forwarding to "Port 21" and forwarding to an "FTP Server".
I experimented a bit with this and found out I have to either set a port forwarding to an "FTP server" or forward at least two ports, beginning at Port 21. I still don't know why this works and just port 21 won't.

So you can try 3 things (in "cleanest way" order):
1. Forward "FTP Server" (it may be called differently in your routers) from router to router to router to NAS.
2. Forward more than one port (I suggest 5), beginning from Port 21, from WAN router 1 to router 2 to router 3 to NAS.
3. Forward in the following way, using different ports, to keep the route clean if more than one FTP server is involved:
Router 1: Forward Ports 21..25 (WAN) to (e.g.) 121..125 (LAN -> Router 2)
Router 2: Forward Ports 121..125 (WAN) to 121..125 (LAN -> Router 3)
Router 3: Forward Ports 121..125 (WAN) to 21..25 (LAN -> NAS)

Important: If one or more of your routers has its own FTP server(s) (some AVM Fritz! Boxes, for example, do), disable these servers or choose and forward different ports for access from the internet.

//HSishi
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on April 04, 2011, 03:03:37 PM
I won't discuss the nesting of routers or whether it's a good idea. Some weeks ago I found out that just forwarding Port 21 for passive FTP is not enough.

If you're going to host a passive ftp server behind a NAT router, you will need to forward a range of passive ports in addition to the control port (default 21) - the default range of passive ports used by the DNS-323 ftp server is 55536~55663.

It is not just an issue of the number (quantity) of ports forwarded, so simply forwarding a range of five ports (21~25) is not enough, you also need to tell the ftp server which ports you have opened - personally, I forward the default range, it makes life easier, one less custom setting to remember.

I have had people tell me that ports 21 & 22 need to be forwarded for an ftp server - which is basically what you are saying now - BUT - I have NEVER had to do that; ALL of my active ftp servers have worked with port 21 alone, and I've been doing this for over a decade - Belkin, Cisco, D-Link, Linksys, Netgear - all have worked for me with just 21.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: OlegMZ on April 06, 2011, 06:44:21 AM
Guys, do not forget that normally an FTP server which is behind a firewall MUST BE ABLE to work in passive mode. The reason for this is that FTP clients are very likely (90%) to be hidden behind their own firewalls and can only INITIATE connections themselves, so an incoming FTP DATA connection from an ACTIVE FTP server will be dropped by a firewall rule. And you do not want to open incoming connections from a random remote IP address with source port TCP/20 (FTP-DATA) and destination port RANDOM (1024-65534) to the inside of your network.

In order for an ACTIVE PASSIVE FTP server to work behind a firewall it is NOT enough to just open TCP/21 (FTP-CONTROL) to this server. You have to open the wide range of ports 1024-65534 (in the general case) to your FTP server for the incoming FTP-DATA connection from the client, which is a very bad idea.
Luckily virtually all modern routers (even home ones) support APPLICATION INSPECTION for many services, including FTP. When they see an incoming FTP connection (to the FTP server on port 21) they inspect the TCP packet payload and derive from it the information about source and destination ports for the DATA connection.
After that they DYNAMICALLY create a temporary rule for this connection and remove it as soon as the FTP session has ended.

So in the case of any FTP connection troubleshooting there are 2 steps which should be inspected.
1) The initial connection to the TCP/21 port itself. This is very easy. Just go to the command prompt of your PC and issue the following command: telnet x.y.w.z 21, where x.y.w.z is the IP address of your FTP server.
If you see the reply from the FTP server (220 - Welcome to ftpd blah blah blah.), go to step 2 - port forwarding works fine.

2) Make sure inspection works at all the routers. This is not very easy on SOHO routers, so the primary way, I guess, is to treat each router as a "black box", put an FTP client in front of each in the chain and try to access the FTP server. Probably it is a misconfiguration on one of the routers. But it also may be something else - for example, the destination port which the FTP client has dynamically chosen for DATA is in use at one of the routers for PAT for a dynamic connection from behind one of the routers.
A packet capture with Wireshark would also help; however, it is unlikely that any consumer grade router/switch provides the capability for port mirroring. Any chance to grab some Cisco switch for testing? :-)
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on April 06, 2011, 10:52:29 AM
Oleg you seem to be confused as to how ftp works.

First - it IS possible to run an active (ie not passive) ftp server forwarding just a single port (21) through a NAT firewall - I am doing exactly this in my office with a DNS-323 behind a Netgear firewall and also at a couple of customer locations with other ftp servers and other NAT firewalls.

In over ten years of implementing ftp servers for clients, I have yet to come across an installation where I could not get an active ftp server up and running on the default port 21, with just that single port forwarded.

Second - with active (ie not passive) ftp - the initial (or control) connection is made from the client inbound to the server, traditionally on port 21, which is why it needs to be forwarded - the second connection, the data connection, is made in the opposite direction, from the server to the client - this is why no additional port forwarding is needed at the server end.

It is with passive ftp that the data connection is made from the client to the server and if passive ftp is being used, that is when an additional range of ports needs to be forwarded to the server.  There is also no need to open the entire range from 1024~65534, most ftp servers will allow you to specify the range of ports that they will use, and with the DNS-323 that range defaults to 55536~55663.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: OlegMZ on April 06, 2011, 07:07:35 PM
Oleg you seem to be confused as to how ftp works.
Not exactly. I just made a typo at the beginning of my second paragraph and instead of PASSIVE wrote ACTIVE.
Quote
In order for an ACTIVE PASSIVE FTP server to work behind a firewall it is NOT enough to just open TCP/21  blah blah blah...
My bad. I was talking about passive mode as preferable for FTP server behind firewalls from the very beginning and my whole description was regarding it. Well, busy morning is not the best time for such essays - too many disruptions :-).

First - it IS possible to run an active (ie not passive) ftp server forwarding just a single port (21) through a NAT firewall - I am doing exactly this in my office with a DNS-323 behind a Netgear firewall and also at a couple of customer locations with other ftp servers and other NAT firewalls.

You did not get my point. I never stated that FTP server in ACTIVE mode would not work behind firewall. This is the easiest setup. Yet it has one huge drawback. In case the SERVER is in active mode, the client MUST NOT be behind firewall or it must be behind firewall which does support application inspection and is able to create temporary rules for data traffic initiated from FTP server to the client.
In other words - if both FTP server and client are behind their own firewalls, at least one of the firewalls must be able to inspect FTP control traffic and dynamically open appropriate ports for it. If it is done on the client side, then active FTP will work. If it is on the server side, passive FTP will work. So it makes good sense to configure application inspection on the server firewall and allow passive FTP mode to guarantee that any client, behind any type of firewall (dumb or intelligent), will be able to access the server.

Quote
There is also no need to open the entire range from 1024~65534, most ftp servers will allow you to specify the range of ports that they will use, and with the DNS-323 that range defaults to 55536~55663.

I agree. It helps to overcome the limitations of very basic firewalls, which are unable to inspect traffic, however this is still not a very secure solution. These ports are open all the time and are exposed to everybody on the internet. And these are TCP. So it is very easy for an attacker to scan, detect the open port and mount an attack. If the server is busy and the number of ports is limited, there is a good chance it will succeed.


Here are a couple of links in case someone wants to learn more about FTP modes:
http://slacksite.com/other/ftp.html
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html
Much more is very easy to google.

P.S. Using SFTP is much better as it
1) provides a secure connection
2) works through a single TCP/22 port (SSH). So neither application inspection nor dynamic port opening is necessary.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: fordem on April 07, 2011, 04:21:07 AM

Quote
You did not get my point. I never stated that FTP server in ACTIVE mode would not work behind firewall.

Here's what you stated ...

Quote
Guys, do not forget, that normally FTP server, which is behind firewall MUST BE ABLE to work in passive mode

Does that not say in so many words - that an ftp server, behind a firewall MUST BE ABLE to work in passive mode?  Does it not imply that an ftp server, that does not support passive mode, will not work if it's behind a firewall?

Quote
This is the easiest setup. Yet it has one huge drawback. In case the SERVER is in active mode, the client MUST NOT be behind firewall or it must be behind firewall which does support application inspection and is able to create temporary rules for data traffic initiated from FTP server to the client.

In other words - if both FTP server and client are behind their own firewalls at least one of firewalls must be able to inspect FTP control traffic and dynamically open appropriate ports for it. If it is done on client side, then active FTP will work. If it is on the server side, passive FTP will work. So it makes good sense to configure application inspection on the server firewall and allow passive FTP mode to guarantee that any client, behind any type of firewall (dumb or intelligent) will be able to access the server.

The majority of consumer grade NAT firewall routers support, not a full application inspection, but what is termed "ftp fixup" (this is Cisco's name for it): they watch for an outgoing connection on port 21 and keep track of the destination IP, and will then allow an incoming connection on any of the high ports from that IP, forwarding it to the host from which the outgoing connection came.

This works very well - provided the standard ftp port is used - and it works with pretty much ALL of the router/firewalls out there.
Title: Re: DNS-323 behind 3 routers how to FTP ?
Post by: OlegMZ on April 07, 2011, 06:53:21 AM
Quote
Does that not say in so many words - that an ftp server, behind a firewall MUST BE ABLE to work in passive mode?  Does it not imply that an ftp server, that does not support passive mode, will not work if it's behind a firewall?
No it doesn't. I said must BE ABLE, not MUST WORK or CAN ONLY WORK. And I explained why, and what might happen if an FTP server were ABLE to work in ACTIVE mode ONLY - inability for some clients to transfer data.
OK, let's put it in other words. An FTP server behind a firewall must be able to work in BOTH passive and active mode to ensure that all the clients, no matter where they are located, can communicate with it, and the firewall must be able to support such connectivity.

Quote
The majority of consumer grade NAT firewall routers support, not a full application inspection, but what is termed "ftp fixup" (this is Cisco's name for it),

ftp fixup is just an old name for the same function - application inspection. It was used in old versions of PIX OS (prior to 7.x) and some other devices. For all IOS and PIX/ASA OS 7.x and above Cisco uses the term application inspection, which is a part of MPF. You will not find the term ftp fixup in any more or less recent Cisco book or online document. Maybe just as a reference to the old alias.

Quote
they watch for an outgoing connection on port 21 and keep track of the destination ip, and will then allow an incoming connection on any of the high ports from that ip, forwarding it to the host from which the outgoing connection came.
This works very well - provided the standard ftp port is used - and it works with pretty much ALL of the router/firewalls out there.

Maybe; I did not check. I know that any cisco/checkpoint/juniper device "drills" a very specific "hole", using source and destination IP addresses and ports for every FTP-DATA connection. It also tracks connection state, sequence numbers and the FTP command used. And much more.
Of course one can hardly expect the same functionality from a $100 device, so I can easily believe that it just opens high ports for everybody to the same destination (where NAT is configured to) without actually inspecting anything. But I still hope it does not :-). Anyway I prefer a cisco router at my home network edge with all the firewall and IPS policies manually configured and tuned. Much easier to control what is going on. BTW Cisco has a very interesting line of express 500 series products which is positioned between Linksys and the 800 series. For example the SR520 router. It runs real 12.3 IOS stripped of some enterprise features like OSPF, BGP, GET VPN, DMVPN. But all the rest, including firewall, VPN, IPS, QoS is in place. And the street price, if I am not mistaken, is around $250-300.
Certainly it is not for average home setup, but for some small offices or branches it is actually quite good.
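The two client-side firewall behaviours the last posts contrast, a coarse "ftp fixup" that admits any high-port connection from the tracked server address versus an inspecting firewall that opens one exact pinhole per PORT command, as an added example written for this thread; it is not code from the thread or from any Cisco, D-Link or other vendor product. It models a client-side NAT watching an outbound control session to port 21, parses the client's PORT commands, shows the address rewrite an inspecting NAT performs on them, and then decides inbound data connections under each policy. The strict policy's requirement that the server's data connection originate from port 20 follows the RFC 959 default and is an assumption of this example; the addresses 192.168.1.10, 203.0.113.5, 198.51.100.9 and 203.0.113.77 are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# RFC 959 active-mode command sent by the client over the control channel:
# "PORT h1,h2,h3,h4,p1,p2" announces where the server should connect for data.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
FTP_DATA_PORT = 20  # RFC 959 default source port of the server's active-mode data connection


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (address, port) announced by a PORT command, or None for any other line."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_port_command(line: str, public_ip: str) -> str:
    """What an inspecting NAT does to an outbound PORT: swap the private address for its own."""
    parsed = parse_port_command(line)
    if parsed is None:
        return line
    _, port = parsed
    return f"PORT {public_ip.replace('.', ',')},{port // 256},{port % 256}"


@dataclass
class ClientSideNat:
    """Client-side NAT deciding whether an inbound active-mode data connection may pass."""
    strict: bool  # True: exact one-shot pinhole per announced port; False: coarse 'any high port' fixup
    # (client_ip, server_ip) -> data ports announced via PORT on that control session
    sessions: Dict[Tuple[str, str], Set[int]] = field(default_factory=dict)

    def outbound_syn(self, client_ip: str, server_ip: str, dst_port: int) -> None:
        """Track an outgoing control connection (destination port 21) like the fixup does."""
        if dst_port == 21:
            self.sessions.setdefault((client_ip, server_ip), set())

    def outbound_control_line(self, client_ip: str, server_ip: str, line: str) -> None:
        """Inspect control-channel payload and remember each data port the client announced."""
        parsed = parse_port_command(line)
        key = (client_ip, server_ip)
        if parsed and key in self.sessions:
            self.sessions[key].add(parsed[1])

    def inbound_syn(self, src_ip: str, src_port: int, dst_port: int) -> Optional[str]:
        """Return the LAN client to forward an inbound SYN to, or None to drop it."""
        for (client_ip, server_ip), ports in self.sessions.items():
            if server_ip != src_ip:
                continue  # not a server we have a control session with
            if self.strict:
                # Inspecting firewall: exact match on announced port and expected source port,
                # and the pinhole is consumed once used.
                if src_port == FTP_DATA_PORT and dst_port in ports:
                    ports.discard(dst_port)
                    return client_ip
            elif dst_port >= 1024:
                # Coarse fixup: any high port from the tracked server address is let through.
                return client_ip
        return None


if __name__ == "__main__":
    # Constructed sample session: LAN client 192.168.1.10 talks to FTP server 203.0.113.5
    # through a NAT whose public address is 203.0.113.77.
    cmd = "PORT 192,168,1,10,200,10"
    print(parse_port_command(cmd), rewrite_port_command(cmd, "203.0.113.77"))
    for strict in (False, True):
        nat = ClientSideNat(strict=strict)
        nat.outbound_syn("192.168.1.10", "203.0.113.5", 21)
        nat.outbound_control_line("192.168.1.10", "203.0.113.5", cmd)
        announced = nat.inbound_syn("203.0.113.5", 20, 51210)
        unannounced = nat.inbound_syn("203.0.113.5", 4444, 60000)
        print(f"strict={strict}: announced port -> {announced}, unannounced high port -> {unannounced}")
```

Running it shows the difference the posts argue about: under the coarse policy the unannounced connection to port 60000 is forwarded to the client as long as it comes from the server's address, while the strict policy forwards only the single port the client actually announced, once, and drops everything else.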