Solved

ftp server behind a router (DHCP-Linksys wireless router)

Posted on 2004-04-30
18
15,856 Views
Last Modified: 2012-06-27
I've been tinkering with my DSL router for days and have not gotten it to work. I need some help.

I have an ftp server on a linux box which works great if connecting to it from behind the linksys router. I have Verizon as my ISP--residential account, so the router gets a dynamic IP address.

I have enabled port forwarding on the router. I've never done this before, I think I did it right. Basically you link a port from the <external dynamic IP address given by the ISP> to one of the <router's internal static IP addresses>?

When I try to connect to it using
<external dynamic IP address given by the ISP>:port
it doesn't work.

However, when I try to connect to it using
<router's internal static IP address>:port
it works!

I'd like to access my ftp server from outside my router. Can anybody help me do this?

Thanks,
Carlos
Question by:cvillegas
18 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 250 total points
ID: 10961529
Hello Carlos, did you only forward port 21? If so it sounds like an active/passive problem

Passive and Active FTP

There are two types of FTP (File Transfer Protocol) these are Active and Passive

Active FTP

Pros (good for network administrators)
Cons (not so good for the client)

The FTP server will try and make a connection on a lot of high port numbers (these could well be blocked on the clients side Firewall)


Passive FTP

Pros (good for the client)
Cons (Not good for the network administrators)

The client makes the connection to the FTP server, and one will be a high port number that will almost certainly be blocked by the network firewall (server side)


Solution

To strike a happy medium, administrators can make their FTP servers available to many clients by supporting passive FTP; reserving a range of port numbers does this, in this way all other ports can be firewalled, thus decreasing the security risk

Luckily, there is somewhat of a compromise. Since administrators running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. Specifying a limited port range for the FTP server to use can minimize the exposure of high-level ports on the server. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.

*****Links*****
http://slacksite.com/other/ftp.html
http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10961678
Active/Passive only comes into play when you try to transfer data, be that with a put/get or even just "ls."

When you say it doesn't work, do you mean you can't even log in, or after you log in you can't do anything? The first is port 21 only and is a normal tcp connection from client to server, nothing to do with the kind of client you have.
0
 

Author Comment

by:cvillegas
ID: 10961966
Pete & Mike:

First of all thank you for your quick response.

Pete, I've been forwarding an arbitrary port, not port 21! Perhaps this is my problem. So, I should forward port 21 on the router to <the static IP address of the computer hosting the ftp server>?

Mike,
>When you say it doesn't work, do you mean you can't even log in
I meant I can't even log in.

0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 250 total points
ID: 10962014
Yes, then forward port 21. This is the ftp control connection (login, etc.) then see how it goes- it will likely work fine, because the data connection (port 20) is outbound to your PC and your router should allow it.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10962052
To clarify about port 20, I mean that active FTP should work as well as passive. Active/passive really only matters to the client side, not the server side- passive just means that the client tells the server what port to make the data connection on instead of using port 20. Either way the server makes an outbound connection to the client.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10962231
Agree, outbound communication is implicitly allowed back through the firewall, hence Mike's port 20 comment above :)
0
 
LVL 7

Expert Comment

by:pedrow
ID: 10966098
This is a really good webpage that illustrates the order of the port connections made with both passive and active FTP:

http://slacksite.com/other/ftp.html

you'll see that passive ftp is good for clients, but bad for firewalled servers, because it is the client that after making the initial connection to the ftp server on port 21, initiates a data channel to a random high-order port on the server that the server has agreed to. Problem is that the firewalls protecting the ftp server aren't often notified of that expected connection, thus it fails.

Regular FTP, you'll notice, the ports on the server will be pre-ordained, so if the client is behind an application-aware firewall, active ftp shouldn't be a problem. It's those clients that sit behind access-lists that get horked because tcp-established isn't expecting a new, server-initiated connection sourced from tcp20.

So, when you're an ftp client, are you using passive or active mode?

What you'll need to make sure is that ports 20 and 21 get translated to ports 20 and 21 on the outside and use active ftp transfers as a client outside your network.

Hope that helps.

0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10966624
pedrow I already posted that m8 :)
0
 
LVL 7

Expert Comment

by:pedrow
ID: 10989001
doh! so you did!

I guess I was trying to illustrate that using passive ftp from outside his firewall to his ftp server might be very difficult with the 'dsl router' that is being used. Active FTP might be a better choice and just map ports 20 and 21 from inside to outside.

Most of the DSL routers I've seen don't seem to support fancy port-range features.

0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10989027
Yes, sadly you are correct, happily my linksys does :)
0
 

Author Comment

by:cvillegas
ID: 10995582
It worked!!! By forwarding port 20 to 21, and for passive cases 50000 to 60000 to the internal IP address of the computer, my FTP server worked!

Mike and Pete you both deserve credit. How should we proceed with the earned points?

Thank you both.

Carlos :)
0
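The thread's fix was to forward ports 20-21 plus the passive range 50000-60000 to the server. A quick way to verify that setup from the outside is to decode the server's `227 Entering Passive Mode` reply and check two things: that the announced data port falls inside the forwarded range, and that the server is not announcing its private LAN address (which an outside client cannot reach through the router). The following is an added example, not code from the thread; the sample replies are constructed, and the 50000-60000 range and the 192.168.x.x address are assumptions taken from the discussion.

```python
import re

# Passive data-port range Carlos forwarded on the router (from the thread).
PASV_RANGE = (50000, 60000)

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 PASV reply into (host, port); None if it is not one."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(host):
    """True for 10/8, 172.16/12 and 192.168/16 (typical router LAN ranges)."""
    a, b = (int(x) for x in host.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_pasv(reply, pasv_range=PASV_RANGE):
    """List the reasons an outside client would fail to open the data
    connection announced in `reply`; an empty list means it looks reachable."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 PASV reply"]
    host, port = parsed
    lo, hi = pasv_range
    problems = []
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside forwarded range {lo}-{hi}")
    if is_rfc1918(host):
        problems.append(f"server announced private address {host}; "
                        "outside clients need the router's public address")
    return problems


# Constructed sample replies (not captured from the asker's server).
SAMPLES = {
    "good": "227 Entering Passive Mode (203,0,113,5,195,80)",      # 195*256+80 = 50000
    "private_ip": "227 Entering Passive Mode (192,168,1,10,195,80)",
    "bad_port": "227 Entering Passive Mode (203,0,113,5,126,145)", # 126*256+145 = 32401
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, parse_pasv(reply), check_pasv(reply) or "OK")
```

Run it against the reply a real client shows after sending `PASV` (most clients print it with a verbose or debug flag) to confirm the server's passive range matches what the router forwards.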
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10997235
Glad we could help. According to the FAQ:
Scroll down to the bottom of the question, just above the text box, and click the "Split Points" link. Select the radio button of the comment you want to accept as the Accepted Answer. Only one button can be selected. Set the point value (a text box above the comment) of how much you want this person to receive of the points. Then set the point values for each of the experts' comments to whom you want to allocate points, and these will be considered Assisted Answers in helping you resolve the issue. Double check your information and then click the Submit button at the bottom of the page. One note: the total points of the splits must equal the amount you asked the question for itself, and no person can receive fewer than 20 points.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10997253
The split points link is just above the upper left corner of the field where you add comments. Don't click on the Accept Answer button next to a comment in the main window or only one of us will get points.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10997464
More than one Expert helped solve my problem. What do I do?
http://www.experts-exchange.com/help.jsp#hi69
0
 

Author Comment

by:cvillegas
ID: 10997742
Hopefully I did this right? Did I?
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10997778
Yup!
0
 

Author Comment

by:cvillegas
ID: 10997788
Thanks guys. :)
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10999042
ThanQ
0