Using an Airport Extreme Base Station at home, Setup FTP to browse files at work using a Windows machine.

Follow the instructions here:  http://theappleblog.com/2009/05/05/how-to-port-forwarding-on-a-airport-extreme-time-capsule/ and forward TCP port 21 from your router to your Mac. You will then be able to FTP to the Mac from the PC by using the WAN IP address of the AEBS.

The setup for your Hercules router is explained here:

ftp://ftp.hercules.com/wifi/manuals/HWGADSL2P-54V2/01-eng_Hercules_HWGADSL2P-54V2.pdf

Page 94.

Check services and then FTP servers then you need to pont to the IP address of your port-extreme-time-capsule

Cheers,
K

Thank you for your responses. I'm going through all the information right now and will get back to you all on how it works out.

Regards,
Tino

strung: I followed the instructions from the URL you provided. Transmission is showing that the needed ports are now open. I'll see if I can connect to the FTP tomorrow from my work computer. I'll let you know what happens.

Tino

It's 6:50 AM here in Germany. I was excited to see if everything would be working from my office, but I'm still getting the "Internet Explorer cannot display the webpage" message in IE7. I was able to connect to the FTP site from within my home network last night. I was even able to browse my external hard drive conneted to my AEBS for the first time. Transmission also showed the necessary ports as open. It seems like everything should be working. Any ideas why I can connect from my Windows Vista computer at work?

Regards,
Tino

I downloaded FileZilla 3.2.6.1 in an attempt to troubleshoot. FileZilla is reporting an error: "Could not connect to server."

Regards,
Tino

What are you using as the URL to connect? It should be the WAN address of your router, not the LAN address of your target computer.

I'm using the WAN address of the router to connect. I tried connecting on a computer outside of my network and one not at my work and I get the same results. I was thinking it was my work computer, but I get the same error at any computer I try.

Are you sure you forwarded the port to the correct IP address for the target computer? If the target computer is set for DHCP, its IP address may change.

Also, if the energy saver on your Mac is set to put the Mac to sleep after a period of time, you won't be able to connect to it unless you wake it first. See:

http://www.macosxhints.com/article.php?story=20050118192723153

I'm able to connect here at home to my FTP, but not somewhere outside my local network. Any ideas?

Maybe by the time you get to work, your Mac has gone to sleep. You will not be able to connect if it is asleep.

Strung: Great idea. I checked my System preferences and my iMac was set to sleep after 15 minutes. I set it to never. Do you think this was restricting my access?

Without a doubt. You cannot connect to a sleeping computer without waking it first. But see the link in my earlier post of 12:21 on how to wake a sleeping computer remotely.

Strung: Inside my routers setup I've reserved the IP address of my AEBS. The ports that I have forwarded from the routers setup are 548, 21 and 80. In Airport Utility I have a DHCP reservation for the IP address of my iMac. Also, in port mapping I have ports 80 and 21 mapped. IPv6 firewall has port 548 open. Does this sound right? On all the screens from the Airport Utilty when it calls for an IP address I'm using the iMac's. Is this right?

Tino

I think you need to forward only port 21 or FTP. 548 is AppleTalk and 80 is HTML. Also IPV6 should be turned off.

I came into this with 548 forwarded because of this article: http://guides.macrumors.com/Using_Remote_File_Access_to_Save_Disk_Space_on_Your_MacBook_Air
Also, the link from above showed some steps inside of IPv6 that I followed: http://theappleblog.com/2009/05/05/how-to-port-forwarding-on-a-airport-extreme-time-capsule/

Should I remove port forwarding of 548 and 80 from my routers setup screen? Also, remove port 80 from the Airport Utility port mapping? How about the IPv6? It's set to tunnel. That opened the IPv6 firewall option which I entered 548 into. Should I remove 548 from IPv6 firewall?

Thanks,
Tino

Hi,

did you do as I suggested? AS you could remember I had told you accutaly how the protocol works. But you don't seem like you did as I suggested.

Cheers,
K.

Hi KaremE,

Honestly your post was hard for me to follow. I appreciate you taking you time to enlighten me, but it was just a little difficult to understand and apply. I appreciate the link to the manual. I read page 94 and 95. It told me what I understood from the beginning. That I need to open the ports from my router and how to do that. From the research I've done prior to posting here I read that different ports should be open. Now I understand that only port 21 should be open. Is that right strung?

Regards,
Tino

Yes.

It is wrong. First of all 21 should be open this is correct. But depending on passive or active FTP you have an application proxy and must check inside the response packet and then allocate the correct port to your FTP session. It was what I'd tried to tell you in the beginning. The problem is no the FTP because it is already running inside. The problem is how your router NATs the FTP. This is where your comms stall at the outside.

As I've explained you open a conection to port 21 of your FTP server and then it opens another connection from his port 20 to one of your ports and sens the port it will try to connect over Port 21. Then you should open that port from your FTP servers port 20 if it is an active session and from any port to your any port.

Since it requires so many different ports both you Firewall at your work and your router must allow all these ports and since it is dynamically allocated they should both check inside the specified port. This is why it is very hard to implement FTP via Firewalls and NAT.

KeremE I don't know how to do the things your telling me to do. You have to know who your audience is. I'm a technical expert in explosive safety and when I give briefings to soldiers I condense my knowledge and emphasize the important aspects. I can use theory when my audience understands, like when I brief fellow experts in my field. Please, enlighten me with your knowledge but tone it down a bit with some practical steps.

I understand that port 21 needs to be open. How do I check if I'm using passive or active FTP? How do I check inside the response packet to allocate the correct port? How can I get my router to correctly NAT the FTP? Do you see where I'm going here? You leave a lot of open questions.

Tino

You can set your FTP client to Passive Mode (PASV).

It should work with only port 21 open. At most you have to open port 21 as well. Despite what Kerem says, it is not rocket science. If you  have port 21 open and set your computer not to go to sleep, it should work.

First of all you need to clarify this:

- What modem connects you to the internet ? Hercules or AEBS?
- Where is your FTP server located? Since AEBS does not have a FTP facility it must be over your Apple iMac, MacBook or Windows XP. What are theri IP addresses.
If you have your Hercules router connecting you to hte internet for you are using the AEBS only as a WiFi Access Point. In this case unless you need to configure AEBS it is transparent to you becasue in this mode it is just acting a Switch with both Wireless and Wired connections.
 
If this is the case you need to setup your network such as this::

Home > Your Internet firewall parameters > Port Forwarding > Select Your Computer (Pick your FTP server IP address) > Select the type of service provided: > Servers > Select the rule to apply > FTP Server.

I'll be able to send you the info about the rest when you've answered all my questions above.

Cheers,
K.

> It should work with only port 21 open. At most you have to open port 21 as well. Despite what Kerem
> says, it is not rocket science. If you  have port 21 open and set your computer not to go to sleep, it
> should work.

This is completely incorrect. No FTP server could work when only Port 21 is active. Whether in active or passive mode. It is the moral responsibility of an expert to be sure before directing an asker. Please learn about the protocol before commenting first.

Some useful info for through understanding of the protocol:
http://en.wikipedia.org/wiki/File_Transfer_Protocol

The problem here has nothing to do with AEBS itself becasue it seems that the asker use it rely as a WiFi Access Point. But the link you've previously sent to the asker is about configuring an AEBS when used as an ADSL router which is quite irrelevant with the askers question. Noramlly I don't argue with other experts but here you're sending misleading and incorrect information and it is obvious that you don't even understand the topology.  

It is also quite wrong  that it is no rocket science. FTP is an ancient protocols, trying to use large port ranges and it creates an security risk itself for lots of reasons. Another problem is it requires an Application Proxy to correctly NAT it. Even after that there can be lots of problems such as the proxy expecting the FTP server to be in active FTP while the server behind uses passive FTP or vice versa.

Last month I've been commissioned for a consultancy job which involved some 2 millon $ IBM p-Series hardware behind a firewall that could not communicate with another application application that client had and it required lots of configuration and different FTP daemons to fix and it is really a rocket science once an FTP server is behind a firewall.

Karem: to answer your questions - I connect to the internet via my Hercules modem/router. My FTP server is located on my Apple iMac (192.168.1.3). I've correctly forwarded port 21 and 80 on my Hercules modem/router by adding "ftp server" and "web server" to the IP address of my iMac (192.168.1.3).

strung: out of desperation I signed up for an account with DynDns.com, and opened both port 21 and 80 to my iMac's IP address. I'm able to get the Apache web server page via my externat IP address, so port 80 is forwarding correctly. I still can't connect via port 21 though. I can at home though on my local network using Cyberduck or Firefox.

Thanks,
Tino

> Karem: to answer your questions - I connect to the internet via my Hercules modem/router. My FTP
> server is located on my Apple iMac (192.168.1.3). I've correctly forwarded port 21 and 80 on my
> Hercules modem/router by adding "ftp server" and "web server" to the IP address of my iMac
> (192.168.1.3).

This is what I was thinking. Will you please connect to FTP from you XP and when connected post here the output of the command from the command line:

netstat -anp tcp

I'm trying to determine wheter your FTP server is in active mode or passive mode from the ports it's working. You might as well use FileZilla client and post the communication Dialog Window here. You can right Click to the communication Dialog window and copy the contents to the clipboard. It is located at the top part just under the menu and Fast Connection.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\JuNico>netstat -anp tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         192.168.1.4:3646       ESTABLISHED
  TCP    127.0.0.1:1027         127.0.0.1:5354         ESTABLISHED
  TCP    127.0.0.1:1028         127.0.0.1:5354         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:27015        ESTABLISHED
  TCP    127.0.0.1:1045         127.0.0.1:5354         ESTABLISHED
  TCP    127.0.0.1:1071         127.0.0.1:1072         ESTABLISHED
  TCP    127.0.0.1:1072         127.0.0.1:1071         ESTABLISHED
  TCP    127.0.0.1:1073         127.0.0.1:1074         ESTABLISHED
  TCP    127.0.0.1:1074         127.0.0.1:1073         ESTABLISHED
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         127.0.0.1:1027         ESTABLISHED
  TCP    127.0.0.1:5354         127.0.0.1:1028         ESTABLISHED
  TCP    127.0.0.1:5354         127.0.0.1:1045         ESTABLISHED
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:27015        127.0.0.1:1032         ESTABLISHED
  TCP    192.168.1.4:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.4:139        192.168.1.3:61180      ESTABLISHED
  TCP    192.168.1.4:3605       209.85.129.99:80       TIME_WAIT
  TCP    192.168.1.4:3606       74.125.43.106:80       TIME_WAIT
  TCP    192.168.1.4:3607       209.85.129.102:80      TIME_WAIT
  TCP    192.168.1.4:3608       74.125.43.138:80       TIME_WAIT
  TCP    192.168.1.4:3609       209.85.129.102:80      TIME_WAIT
  TCP    192.168.1.4:3610       209.85.129.99:80       TIME_WAIT
  TCP    192.168.1.4:3627       74.125.43.83:80        ESTABLISHED
  TCP    192.168.1.4:3634       207.115.86.98:443      TIME_WAIT
  TCP    192.168.1.4:3636       207.115.86.98:443      TIME_WAIT
  TCP    192.168.1.4:3637       72.21.211.161:443      TIME_WAIT
  TCP    192.168.1.4:3638       74.125.39.97:443       TIME_WAIT
  TCP    192.168.1.4:3641       216.137.61.206:80      TIME_WAIT
  TCP    192.168.1.4:3642       74.125.43.83:80        TIME_WAIT
  TCP    192.168.1.4:3644       74.125.43.101:80       TIME_WAIT
  TCP    192.168.1.4:3646       192.168.1.3:21         ESTABLISHED
  TCP    192.168.1.4:3648       192.168.1.3:21         ESTABLISHED

C:\Documents and Settings\JuNico>

Status:      Connecting to 192.168.1.3:21...
Status:      Connection established, waiting for welcome message...
Response:      220---------- Welcome to Pure-FTPd [TLS] ----------
Response:      220-Local time is now 22:22. Server port: 21.
Response:      220-IPv6 connections are also welcome on this server.
Response:      220 You will be disconnected after 15 minutes of inactivity.
Command:      USER Celestino S Salinas Jr
Response:      331 User Celestino S Salinas Jr OK. Password required
Command:      PASS ********
Response:      230-User Celestino S Salinas Jr has group access to:  admin    _appserv com.appl
Response:      230- _appserv com.appl _lpadmin staff  
Response:      230 OK. Current directory is /Users/tinosalinas
Command:      SYST
Response:      215 UNIX Type: L8
Command:      FEAT
Response:      211-Extensions supported:
Response:       EPRT
Response:       IDLE
Response:       MDTM
Response:       SIZE
Response:       REST STREAM
Response:       MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:       MLSD
Response:       ESTP
Response:       PASV
Response:       EPSV
Response:       SPSV
Response:       ESTA
Response:       AUTH TLS
Response:       PBSZ
Response:       PROT
Response:       UTF8
Response:      211 End.
Command:      OPTS UTF8 ON
Response:      200 OK, UTF-8 enabled
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/Users/tinosalinas" is your current location
Command:      TYPE I
Response:      200 TYPE is now 8-bit binary
Command:      PASV
Response:      227 Entering Passive Mode (192,168,1,3,82,37)
Command:      MLSD
Response:      150 Accepted data connection
Response:      226-ASCII
Response:      226-Options: -l
Response:      226 11 matches total
Status:      Directory listing successful

The IP used for the above connection was the IP address for my iMac. There is also an external IP provided by my ISP, A router IP and an IP for the AEBS. I hope I am using the right IP address to connect with. I tried using the external IP, but when prompted for a username and password, nothing worked. I don't know the username and password for the external IP address. Thanks again for your help.

Tino

Hi

The external address does not matter here. In fact it wont work for you because the NAT will not work here this way.

But from what you've sent me I see that your connection is is PASSIVE. Here:
Response:      257 "/Users/tinosalinas" is your current location
Command:      TYPE I
Response:      200 TYPE is now 8-bit binary
Command:      PASV
Response:      227 Entering Passive Mode (192,168,1,3,82,37)
Command:      MLSD
Response:      150 Accepted data connection
Response:      226-ASCII
Response:      226-Options: -l

The problem here is your FTP client wants to get into passive mode while your NAT over your Router do not support passive mode.


Will you please try tihs at your work place:

Launch Filezilla FTP Client
File > Site Manager > General (enter your Router IP credentilas etc) > Transfer Settings  > Transfer mode: Active > OK

File  > Site Manager > Connect

Let me know the result.

BTW are you sure that your workplace Firewall settings allow FTP ? HAve you tried to connect another FTP site from your workplace?

Cheers,
K.

Status:      Connecting to 192.168.1.3:21...
Error:      Connection timed out
Error:      Could not connect to server
Status:      Waiting to retry...
Status:      Connecting to 192.168.1.3:21...
Error:      Connection timed out
Error:      Could not connect to server

I'm not sure about the work place firewall settings. I don't have admin rights, but I have connected to an FTP site at work to verify and I was able to connect with no problems. I was really hoping your last suggestion to use active mode instead of passive would work.

Regards,
Tino

Are there any other things you'd like me to try?

Hi,

It seems that your company has blocked FTP but only allowed some sites. The Pasv thing would work only if you had access to port 21. Now I am not sure if it is a setup problem orr your company just blocks it since the output is:

 Status:      Connecting to 192.168.1.3:21...
Error:      Connection timed out
Error:      Could not connect to server

It can not reach the FTP server. Can you try it elsewhere such a s a friends house or an public Internet spot ?

ok, i'll look for a place to try it and get back with you.

I'm still getting a "Page Cannot be Displayed" error from every computer I've tried. Nothing has worked so far. I feel this issue cannot be fixed. Any other tips would be appreciated.

Regards,
Tino

yeah since it does not work from anywhere here's the checklist:

- You've previously enabled FTP Port redirection to your modem. As I've described in my note ID:{25083736}
-  Now it seems that you need to add a firewall rule to enable access to your port 21 to allow connection from outside.

As you see  we'll need to get Port Mapping up and allow connection to port 21. You can only get your prompt when you've accomplished that.

You see the solution has two parts:
Part 1
- Reverse NAT (port redirection of FTP Control Port 21)
- Allow external access to the port

Part2
-  FTP that your Router supports must agree with your internal FTP servers.

Tell me if you don2t know how to allow access to your router I'll check with your modem documentation and send you instructions about it.

Cheers,
K.

Thanks for getting back to me. I've already opend port 21 on my modems firewall. Also on the Airport Extreme Base Station. Is there a third place to open port 21?

Regards,
Tino

You need to open port 21 only on your intenet router. As far as I remember Airport Express is only used as an Acces point now and your router is hercules. Is it the case??

Can you send a drwaing of your internal net with IP adresess ??
 

Ok, I have port 21 open on the router for my iMac's ip address. I'm not sure what your asking me to send. Can you tell me again what you need? Thanks.

Tino

I haven't gotten a response back, so I'm guessing you're asking what IP addresses my components have?????

My Hercules router is assigned IP: 192.168.1.1 - That's connected to my AEBS which has an IP address of 192.168.1.2 - That provides a wireless connection to my two computers. My iMac has an IP address of 192.168.1.3 - Port 21 is open for that IP address on both the hercules router and the AEBS. My windows computer has an IP address of 192.168.1.4. Hope this helps....

Tino

Sounds like your problem is you are doing double NAT. You should have your AEBS set to bridge mode.

In Airport Utility on the Internet Tab, I have Connection sharing set to Off (Bridge Mode).

Are you forwarding port 21 on the Hercules to 192.168.1.2 or to 192.168.1.3? You should be forwarding it to 192.168.1.3. If the AEBS is in bridge mode, it doesn't need port forwarding set at all.

I have port 21 forwarded to IP 192.168.1.3, which is port 21 to my iMac.

I'll delete port 21 on the AEBS. Would that cause the FTP problems I'm having?

I wouldn't have thought so, but it is worth a try.

Sorry, but this thread is getting long and I am getting confused. Is your FTP server on your home Mac at 192.168.1.3 or is that the computer you are trying to use to connect to an FTP site at the office?

If the latter, you don't need port forwarding on your home LAN at all. You only need to forward the port to the FTP server (not to the FTP client). If you are trying to connect to an FTP site at your office, the the only port forwarding that need be done is from you office router to the office FTP server.

Your right about it getting long. I'll try to clear up the confusion. My FTP server is on my home Mac at 192.168.1.3

I'm trying to connect to my home Mac (192.168.1.3) from work. Ideally I'd like to access a library of references I've accumulated. That library is on my home Mac. I used to have it on a portable hard drive that I would bring to work, but USB devices are no longer authorized at my work place. I was trying to set up an FTP as a work around.

What FTP server are you using?

I wonder if for security reasons, your office has blocked all FTP traffic. Can you connect to any other FTP sites from your office? For instance, can you connect to ftp://ftp.apple.com/ from your office?

Also, can you connect to your FTP server at 192.168.1.3 from your PC at 192.168.1.4 on your local network?

What do you mean by what FTP server am I using? I've used firefox and cyberduck to access the 192.168.1.3 site. I've connected to it from my Windows computer (192.168.1.4) on my local network using firefox.

What URL are you using to connect to 192.168.1.3 from 192.168.1.4?

Also, what services do you have turned on in the Mac's Sharing Prefernces Panel?

on 192.168.1.4 I'm connecting to 192.168.1.3 via this link in Firefox: ftp://my username@192.168.1.3/

I'm then prompted for my password.

I have File Sharing and Web Sharing on.

Okay. Do you also have "Share files and folders using FTP" turned on after clicking on the options button in the sharing prefs panel?

Yes, FTP, AFP and SMB are checked.

It sounds like you have everything set up right locally assuming that you have port 21 properly forwarded on the Hercules.  

Please double check to make sure you are using the right WAN IP address. You can check this by going to http://www.whatismyip.com from your home computer. The address you get from this site is your WAN IP address. That is the address to use when connecting from outside your LAN.

If you are using the right IP address and still can't connect, it may be that your ISP is blocking port 21. Many ISP's prohibit the use of servers on home accounts and enforce this by blocking port 21.

Go to this page and check to see if port 21 is blocked:  

http://www.canyouseeme.org/

Ok, this may be what I'm doing wrong. I went to the site you posted and that is my WAN IP address. I need to use that IP address to connect to when I'm outside my local network? What format does it need to be in? I'm assuming ftp://username@ipaddress then hopefully I get the prompt for my password.

I went to http://www.canyouseeme.org/ on both machines (192.168.1.3 and 192.168.1.4) and I get this message which is good: Success: I can see your service on port (21) Your ISP is not blocking port 21

Great! I will try that! This may be the solution I've been waiting for. I'll see if I can get to a hot spot tomorrow to test it out. I'm out of my office this week.

One thing though. I'm trying to access the WAN IP address from my local network. I'm being prompted for my password and the one I've been using for 192.168.1.3 does not work. The password for my router also doesn't work.

You can't access the WAN IP from inside the LAN unless your router supports "loopback". Generally speaking only expensive commercial grade routers support loopback. Home routers usually do not.

So. unless you have an expensive commercial grade router, using your WAN ip address from inside your LAN won't work.

Ok, I'll try it from outside my local network and get back to you. Thanks.

> One thing though. I'm trying to access the WAN IP address from my local network. I'm being prompted for > my password and the one I've been using for 192.168.1.3 does not work. The password for my router
> also doesn't work.

I was on my vacation and still am :) I just could find the opportunity to connect :)

When you FTP to your WAN IP and your get your modems prompt instead it means that your modem is responding to the FTP directly. Try to change your Hercules Modems default FTP port to soemething else then 21.

I've been away a few days. I tried to connect this morning from my work computer and I still get the "Page cannot be displayed error message." Strung posted an FTP address for Apple. I will try that tomorrow to see if I can at least connect to it. If not, then I'm thinking that I'm behind a firewall at work. I'll see if a friend can connect to it from his house and post tomorrow.

Tino

Are you sure your home computer was not asleep at the time you tried to connect?