• Status: Solved

Need Help Setting Up FTP Server - Can't Ping Own Modem from Outside

I've installed FileZilla FTP Server on my local PC (runs Win XP SP3).  The PC is ethernet wired directly to a D-Link DIR-655 router.

I have no problems connecting out to various FTP sites but am trying to set up an FTP server.

Outside remote computers are unable right now to ping my PC using the router's IP address (for example the IP address returned if I go to www.whatismyip.com).

I can ping my router from inside the LAN.

If this was a Windows Firewall problem, presumably Windows Firewall would prevent access (if this was a firewall problem) only to my PC but the router should still ping back?  In any case, outside PCs still can't ping my router after I've disabled Windows Firewall as well as the anti-virus running (not that I expected that to make a difference to the router).

I'm guessing this could be a number of issues likely related to some incorrect or incomplete config settings or possibly AV (I used AVAST home).

Not sure what my next move is here to get this working.
10 Solutions
You need to map a firewall policy on your D-Link DIR-655 that forwards traffic from the internet on port 21 to the internal IP address of your PC hosting the FTP server.  Additionally, unless you want to open additional ports up on your firewall (and forward them as well), you should force your FTP software to only allow FTP connections on Port 21 (and make sure you disable passive FTP).
I'm not sure which is more important to you, having computers outside your network be able to connect to your FTP server, or having computers outside your network be able to ping you.  These are two completely different issues.

I'll assume that getting your FTP server working is more important.  In your scenario you'll want to make sure that you have a static IP setup on the Client Computer that is running FileZilla FTP Server. Setup static IP (example: Login to your router; forward port 21 to  If you or the people connecting to your FTP server are using FTP Passive mode, then you'll also want to setup FileZilla FTP Server to use only a specific range of ports for passive mode.  For this example we'll use ports 20000-21000.  Then you would need to login to your router and forward the range of ports 20000-21000 to  FileZilla FTP Server may allow you to disable passive mode.  However, you can't force everyone to disable passive mode in their FTP clients so it's a good idea to setup passive mode properly.  To understand why all this is necessary it's really a good idea to fully understand how FTP clients/servers work.  For example, most people do not know that FTP servers do not transfer data on port 21.  They talk to each other on port 21, exchanging commands, and then actually exchange data on other ports (port 20, or a range of ports if passive mode is used).

It's a good idea to read this article before proceeding

You'll also want to check with your ISP and make sure that they're not blocking the default FTP port (21).  Many ISPs do block this.  If that's the case you'll need to change the port that FileZilla FTP Server uses.  
qengAuthor Commented:
Thx for reply.
I'm generally following but not certain how to implement.  Should I be using the Virtual Server option or Port Forwarding option.  The former seems to be indicated in the DIR-655 messaging for FTP server setup.  I've attached a couple of screen grabs of the options this router provides me with.
I only have a need (that I'm aware of) to open up port 21 for the moment. However, do any of the IM, Skype, or common screensharing apps (which are presently running) need anything done to keep them running securely once I've mapped port 21 inwards?
I'm not sure which of the parameters to set and to what values.
Can you offer some guidance on that?

You want to set it up in Port Forwarding.  As for Skype,etc - they use Universal Plug'n'Play so they will open their necessary firewall ports automatically when you launch them.  You won't need to do anything there.

So, for your Port Forwarding Rules:

Name: FTP
IP Address: Address of your statically assigned address of your PC (assign a static address if you haven't already)
Application Name: (can't see what is in the drop down, so I don't know what to tell you for the list, probably DON'T need to pick anything here)
Ports to Open: TCP: 21, UDP: leave blank
Schedule: Always

Then from the internet, someone can connect to your FTP server by visiting your internet IP address on port 21.  Make sure Passive FTP is disabled, or if you want to use it, repeat the above settings and open the ports you want to use for the Passive FTP ports - set the same ports you assign in here to be used in your FTP server for its serving ports.  IE: if you picked ports 20000-21000 to be forwarded for Passive FTP, then you would assign those same ports to be used by the FTP server.

Hope that makes sense!
Oh, 1 more thing!  Secure your FTP server!  Make sure that only an authenticated user with a strong password can connect and write data!  If you allow anonymous users to connect and write data, you might find yourself in virus H3LL!
qengAuthor Commented:
Thx for that reminder.  I had already set the FTP server to allow only a specific username/password access as well as setting it to be active only when I enable it (my application doesn't require it to run the rest of the time).
If you can have a look at my last post here and offer any help in that direction, it would be much appreciated.  I'm slowly making my way through the Dlink KB but not sure if that will address all of my questions.
Which last post?  If you mean the one with the screen shots, I already did answer it?  Or did I misunderstand something you asked?
qengAuthor Commented:
Yes you had answered and well (just checking this out now) but your post somehow wasn't showing before mine (odd).  My screen refreshed with my post in it but yours only showed up a few minutes later and inserted itself above mine.
No worries, I'm trying a few things out.
I think my router is set up to dynamically assign the IP addresses but I set a DHCP reservation to keep the IP address the same for the computer I'm using as the FTP server.  Hope that makes sense.
Will report back shortly..
Yep, a reservation will work for you :).
qengAuthor Commented:
I'm still not having any luck being able to ping my modem/router unfortunately.
Shouldn't I be able to ping the modem/router (subject to its settings being correct e.g. it being configured to pingback) regardless of whether I have forwarded the port internally to my pc.  I realize this then announces the presence of the modem/router to the net but am just trying to troubleshoot this one step at a time.
Right now, configured as per your suggestions (as far as I can tell) a ping request originating from some remote IP should presumably be forwarded through the router to my PC which should then ping back but there is no reply.
Before trying to ping it from the remote computer (with which I am screensharing) I double check my IP address via 'www.whatismyip.com', so it should be correct.
Any ideas?
qengAuthor Commented:
OK, making some progress though still not sure about the ping back.  I'm guessing the router is configured not to ping back perhaps as a security measure.  Technically I don't need to enable that, I was just trying to use that to see if I could at first even 'see' the router externally.  I can confirm that the router is findable from the internet side.
I can get a remote client to log into my ftp server but keep getting a Response:  '425 Can't Open Data Connection' which generates error: 'Failed to Retrieve Directory Listing' which leads to a time out error.  See attached screengrab from remote client.
I've tried to set the Active and Passive config parameters as suggested in FileZilla documentation but can't seem to connect properly to the ftp server.  See attached FTP Connect Test Log from http://www.g6ftpserver.com/en/ftptest
I have my AV and Windows Firewall disabled during this test just to check.  Also note that my external IP address is not static (that will be another topic for another day) but I do check it immediately prior to testing (obviously that part is fine since I can get into the router and through to the server host apparently).
Any ideas how to get past this last hurdle?

Yep, remember when I said make sure to disable Passive mode on your FTP server?  You forgot to :).  Your FTP server is attempting to initiate data connections on ports 70,24,17,152,19 and 142 (on the attempt you took the screenshot on).  Your router isn't allowing traffic through on those ports (as it SHOULDN'T).  You need to configure your FTP server to only serve traffic in active mode on port 21.  If it tries to send data on any other port, the traffic won't get through.

As I said before, you have 2 options - turn off passive mode and use port 21 only (should be the easiest way to do it, almost all FTP server software have this as an option)


Allow passive mode to work, specifying which ports you want the FTP server to use for passive mode - again an option in the FTP server software which you will need to define - and duplicating those entries in an additional firewall rule for those ports in the port forwarding section of your firewall.
PING echo requests and FTP Server connectivity are different issues.

PING uses ICMP (Internet Control Message Protocol)
FTP uses TCP ports 20 & 21 (and others)

It is possible that your router is blocking, or not responding to ICMP traffic.  Many routers block ICMP by default.  This is usually referred as "stealth mode".  

Even if your router is blocking ICMP you could allow TCP traffic thru by forwarding the appropriate ports to the machine that is running your FTP server.  This is how you solve your FTP problem.  You would need to forward ports 20, 21, and a passive mode port range.

You may be able to enable ICMP traffic and get PING to work.  However, this won't solve your FTP issue since they communicate on completely different protocols and are therefore completely different issues.
To enable ICMP echo, there should be an option on the router directly to enable it - look through its config screens.  If not, you can create a port forwarding rule that forwards TCP port 7 to your PC which is the port that ICMP echo requests function on.
I would recommend that you ENABLE passive mode and configure your router properly.  Here's why.

In active mode FTP connections, the client connects to the FTP server on port 21.  The server then replies to the client and says I'll send you data on this port (random port).  The FTP Client then opens that port and waits for the data connection to be initiated by the server.

In passive mode FTP connections, the client connects to the FTP server on port 21.  The server then replies to the client and says please connect TO ME on this port (a random port).

If both client and ftp server are behind firewalls, then active mode is nearly impossible to get working.  Here's why: when the server responds and says "I'll connect back to you on this port (random port)", it would require that every client connecting to you have a properly configured router with port forwarding setup correctly.  This would require you to teach everyone connecting to you how to setup their router.  Not fun.

You have obviously correctly configured port 21 (otherwise you would not be able to login)  Passive mode is much easier to get working.  Client initiates on 21, server says great you're logged in NOW CONNECT TO ME ON THIS PORT.  All you have to do is forward that PORT RANGE from your router to the computer that is running the FTP Server.  How do you know the port range?  You set it up yourself in the FTP Server.  For example, if you specify passive ports 5000-5100 (100 total ports) then you would login to your router and forward ports 5000-5100 to the computer running the FTP Server.

Unfortunately ecsrd gave you incorrect information.  Neither the client nor the server is opening any of the following ports (70,24,17,152,19, 142).  This series of numbers are not ports.  It is formatted as a series of six numbers separated by commas. The first four octets are the IP address while the last two octets comprise the port that will be used for the data connection. To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus in the example below the port number is ( (14*256) + 178), or 3762.  (This is random and will change on every connection.)

A highly detailed example of how FTP clients and SERVERS talk to each other is available here.

You're almost done with your setup.  You just need to specify a passive port range, and then forward that range in your router.  Done.
Correction, the example calculation ( (14*256) + 178), or 3762, was derived from the logs at http://slacksite.com/other/ftp.html  ( PORT 192,168,150,80,14,178)

This is not an example of a port calculation from the logs in your screen shot.
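Added example (not part of the original thread): a small Python checker that decodes the `h1,h2,h3,h4,p1,p2` tuple from a `227` reply or `PORT` command as described above, and goes one step further by flagging the usual NAT misconfigurations. The function names and the control address `203.0.113.10` are assumptions made for this sketch; the tuples come from the logs quoted in this thread.

```python
import ipaddress
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2
_TUPLE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def parse_host_port(line):
    """Return (ip, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply
    or a 'PORT h1,h2,h3,h4,p1,p2' command."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    # The last two fields are the high and low byte of the data port.
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_pasv_reply(line, control_ip, forwarded_ports):
    """Diagnose a 227 reply as seen by a client whose control connection
    goes to control_ip. forwarded_ports is the inclusive (low, high) range
    forwarded on the router to the FTP server."""
    ip, port = parse_host_port(line)
    problems = []
    if ip.is_private:
        # Server announced its LAN address: a remote client cannot reach it.
        problems.append("advertises private address %s" % ip)
    elif ip != ipaddress.IPv4Address(control_ip):
        # Server announced a public address other than the one the client
        # is talking to, e.g. an outdated external IP.
        problems.append(
            "advertises %s but control connection is to %s (stale external IP?)"
            % (ip, control_ip)
        )
    low, high = forwarded_ports
    if not low <= port <= high:
        problems.append(
            "data port %d is outside forwarded range %d-%d" % (port, low, high)
        )
    return ip, port, problems


if __name__ == "__main__":
    # Reply text taken from the test log in this thread; the control
    # address is a constructed placeholder.
    reply = "227 Entering Passive Mode (70,24,23,217,195,86)"
    ip, port, problems = check_pasv_reply(reply, "203.0.113.10", (50000, 51000))
    print(ip, port)
    for p in problems:
        print("WARNING:", p)
```

An empty problem list means the advertised address matches the one the client connected to and the data port falls inside the range forwarded on the router.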
qengAuthor Commented:
ecsrd, TheChemic,
Thx for the clarification on the ICMP.  I suspected as much without knowing the details.  I also agree that I don't need this function to get my FTP server working.  In fact I would prefer frankly that it keep operating in stealth mode as it presently is.
(ecsrd ... see at the bottom of this post, I reply to something in your second to last post which doesn't quite seem right)
I think the log I sent earlier shows that this is not the problem anyways since the remote client and the ftp connection test both connect through to the host.  Before this I was getting no connection at all.
I tried to configure the FileZilla Server to operate both on active or passive mode as per the wiki at http://wiki.filezilla-project.org/Network_Configuration ... of course I may have missed something in the process or gotten it wrong.
On the router, I had specifically forwarded ports 20, 21 and 50000-51000 to the PC which host the FTP server (see attached screengrab).  But I must have forgotten to save the port 20 forwarding because when I went back in to check, it wasn't set.  It is now reset and saved (see attached screengrab).  I double check after logging back out of the router and logging back in to make sure they have stuck.
What's odd is that when I run the FTP test at http://www.g6ftpserver.com/en/ftptest it seems to try first on active mode with the current IP address that I give it and succeeds in logging in (that's fine).  Here's the relevant section from the attached test log:
* About to connect() to port 21
* Trying connected
* Connected to ( port 21
< 220 Welcome, you're connected to my ftp server.

> USER bcvsegal
< 331 Password required for bcvsegal

> PASS *****
< 230 Logged on
Then it doesn't seem to be able to complete the connection (presumably something wrong with the path, directory or file setting in the server config) and defaults to the passive transfer mode (that's fine I think, I believe it's what it is supposed to do).
What's odd per the log is that when it does that, instead of trying to execute the passive transfer on the current IP address of , it uses the router's IP address from the last test I ran over 20 minutes ago (almost as though the last IP address in the http://ip.filezilla-project.org/ip.php database is stuck there or really slow to update).
If you check the attached log from http://www.g6ftpserver.com/en/ftptest you'll see on the first attempt, it takes the IP I explicitly type in, IP (which is the current one just obtained from www.whatismyip.com) and successfully logs on to the ftp server as mentioned above.  But then something doesn't seem to work beyond that trying to connect to the directory or something.  The client then seems to try the passive transfer mode, and according to the FileZilla Server Settings (see attached screengrab) the server should return the current IP address obtained from http://ip.filezilla-project.org/ip.php (as per the FZ server settings) but instead of returning the current IP address of , http://ip.filezilla-project.org/ip.php seems to return the IP address I was using on the previous test attempt which in this case is  Here's the pertinent section from the test log:
* Connect data stream passively
< 227 Entering Passive Mode (70,24,23,217,195,86)
* Trying Timed out
The FileZilla Server, states on their settings page (attached screengrab) that it can take up to 5 minutes after a failed attempt for their DB to get updated but even 20 minutes later, I still have a failed test from http://www.g6ftpserver.com/en/ftptest.
Note for ecsrd:
You wrote:
Your FTP server is attempting to initiate data connections on ports 70,24,17,152,19 and 142 (on the attempt you took the screenshot on).  Your router isn't allowing traffic through on those ports (as it SHOULDN'T).  You need to configure your FTP server to only serve traffic in active mode on port 21.
I don't think that's how to read the log.  I think the log is saying that the client (in this case the http://www.g6ftpserver.com/en/ftptest site) is trying to connect to the ftp on IP address on port 19*256+142 or in other words on port 5006 at that IP address.
My router was configured to allow traffic on port 21 (and as I mentioned, I thought I'd set it to also allow traffic on port 20 for answer back in passive mode but I must have forgotten to save the port 20 forwarding on my first try ... it's ok now).
I found this article helpful: http://wiki.filezilla-project.org/Network_Configuration
I'll retest momentarily ... maybe it's just a very very slow database update on the  http://ip.filezilla-project.org/ip.php site.

qengAuthor Commented:
Sorry I was writing my last post while your two posts were coming in.
It looks like my problem was caused by a slow DB update on the  http://ip.filezilla-project.org/ip.php site.
I re-ran the test from the http://www.g6ftpserver.com/en/ftptest site just now (having changed nothing since the last attempt) and got a successful log on.  See attached test log.
I'll read over your last two posts and see if I can improve my setup.
Thx for the input.  I'll be back shortly to award points.

Yes, you're correct in your note to me :).

Try restarting the FTP Server service.  See if that causes the system to update to the correct IP.

In your second screen shot, what does "Default" refer to?  I've never used Filezilla to FTP serve, so I'm not sure what the options equate to.  Using the "Retrieve external IP address from" field seems to be an unnecessary step - I'm guessing Default is probably to use UPnP which would probably work much better.  What are the options though?
We're almost there...  there is one more thing you need to do

Look at your screen shot here: http://www.experts-exchange.com/images/t126772/FZ-Server-Settings-Passive-Mode.png

The port range looks great.  Active mode will almost always fail, and yes, it's supposed to fall back to passive mode when it does.  What's happening is that you're asking the FTP Server to let another service resolve your external IP for you.  It even says on that screen shot that there could be delays.  If it were me, I would check the radio checkbox that says "Use the following IP" and manually type in your EXTERNAL ip address (not your internal IP).

If you have a dynamic IP you'll need to update this yourself occasionally.  However, that may be more reliable than your server not working at all from time to time.  If you have a static IP then you'll never need to update this.

What this setting does...    
Client connects to Server on port 21.  Enters passive mode,  Server says okay connect to ME on this PORT (5000) using this IP xxx.xxx.xxx.xxx (It sends the IP it gets from filezilla-project.org.  This may not be the correct IP)   If you manually type in your IP then the server will send the correct IP back to the client.
qengAuthor Commented:
The Chemic,
Thank you very much for your clear answer.  It cements what I had learned and deduced earlier today trying to troubleshoot this (wish I could have come to your answer earlier ... it took me the better part of a day to get this finally working right).
I had also spotted the errors in ecsrd's suggestions but in fairness to him, he did initially start me off on the right track of forwarding ports in the router.  So I'll give him some of the points.
I was able to piece the rest together after ferreting through a handful of forums and the FZ site (per the reference I gave in my previous post).
I will consult and save the link you gave me for future reference.
Before I close this off, I'll try to re-enable my Windows Firewall and AV which I'd disabled to troubleshoot this and come back here if I run into a problem.
One thing which is confusing me though from the http://wiki.filezilla-project.org/Network_Configuration > Setting Up FileZilla Server > Passive Mode example and in the earlier example on their page pertaining to setting up a Client to limit ports in Active Mode is that they show a port range of 50000 to 51000, yet we talk about (and I think they do) a range of 100 ports being sufficient.  Yet their examples show opening up 1,000 ports.
Is that a typo (it's an order of magnitude higher than the 5000 to 5100 range we're discussing)?  The setup I used with the 50000-51000 range worked but maybe I'm opening up 900 extra ports for nothing.
Can you clarify while I try this with Windows Firewall and AV enabled?
Thx again, great help.
You can specify whatever range of ports you like.  You do not want to specify a range of ports that other services may be using.  For example, remote desktop uses port 3389.  You would not want to use a range of 3000-4000.  In the random chance that the FTP server says, "ok this time connect to me on port 3389" you would likely have a connection failure because the FTP traffic would really be talking to the remote desktop server.

In setting up my own FTP servers, I use a range of ports very high 50000+.  I make sure the port range does not conflict with other applications.   I try to enable as many ports as I might have simultaneous connections.  For example,  if you're expecting 500 simultaneous users or connections at one time, then you should open up 500 ports.  If it's just a few people now and then, 100 ports (or even less) would work just fine.  
qengAuthor Commented:
OK, I've enabled my AV (Avast) and Windows Firewall and I seem to have FileZilla Server working properly (as far as I can test from the ftp test site ... not sure if I can actually do an upload/download test from inside my lan which validates external use).
I had previously manually added ports 20 and 21 to the Windows Firewall as exceptions but removed them and added the FileZillaServer.exe as an exception instead (and removed the prior two port exceptions after confirming it worked).  Seems to work.
My IP is in fact dynamically assigned so every time there is a power failure, router reset or my ISP provider updates it (which happens periodically) any statically inputted IP address would fail.  Generally, I don't think it changes all that often and it seems the third party 'give me my external ip address' service at http://ip.filezilla-project.org/ip.php is working although it took a bit longer to update than I would have liked.  
My sense is to leave the passive mode set this way to retrieve the external IP address (unless one of you advises otherwise) since it should then work most of the time and in the rare instances it was fetching an outdated IP address and I needed to get an FTP transfer done in a hurry, I'd just go in and set it manually in the FileZilla Server > Edit > Settings > Passive Mode Settings > Use the following IP (sorry I'm being explicit here for my future reference in case I have to do this after I've long forgotten where to find it).  I think today was particularly bad because I was tweaking the router ports on and off all day.
The http://whatismyip.com/ site seemed to return a correct IP address instantly right after it was changed but this data is embedded in a bunch of html.  I'm not sure if they have some similar page (service) which returns just the ip address the way http://ip.filezilla-project.org/ip.php.  If either of you know another service I could check it out for update speed.  
The other thing which is a bit disturbing is the way the http://ip.filezilla-project.org/ip.php site updates.  They state (in their GUI ... as per my earlier screen grab)  "If your external IP address changes it might take up to 5 minutes after the next failed transfer until FileZilla Server recognizes the changed IP.  In most cases the IP address is updated within 30 seconds after a failed transfer".  In other words, if I understand this correctly, the FileZilla Server will only update itself after a failed transfer.  I hope that's not the case since it suggest a client has to first try to connect, be told it might fail, then have to wait anywhere from a few seconds to 20 minutes, as my experience showed today, before they can successfully connect (or I happen to be sitting at the computer and manually set FileZilla Server's IP passive mode IP address myself).
There must be a better way to implement a more stable/predictable FTP Server when someone has a dynamic IP address (which is quite common).
Happy to have gotten this far mind you.
Did you find out what the "Default" setting does yet?  It may work better for you if it does indeed use UPnP to check your router for your external IP address.  Like I said, I don't know FileZilla so I don't know if that's what default does, but I did confirm that your router DOES support UPnP so that might be an option.
There is a way to implement a more reliable solution with dynamic IPs. On my home network, I use http://www.dyndns.com/.   Dyndns is a free DNS solution specifically tailored to people with dynamic IPs.  You would choose a URL (example: qeng.my-dns.com)  DynDns has a list of domains to choose from.  (maybe you want to use geng.iscool.net instead ?)

After this is setup you would tell all the CLIENTS connecting to you to please connect using "qeng.my-dns.com" instead of your IP (since your ip changes)

After you establish an account with DynDns, then DynDns can solve your problem in one of two ways.

1) You run an application (provided by dyndns) on the same computer that the FTP Server is running on.  This application will phone home to dyndns and say "Hey, I have a new IP address today, can you point qeng.my-dns.com to xxx.xxx.xxx.xxx instead of the old ip zzz.zzz.zzz.zzz"

2) Many routers (like my Netgear FVS338) have dyndns support built right into them.  I do not need to install a program on my computers to update my IP and DNS records when they change.  The router logs into my dyndns account everyday (automatically) and updates the IP associated with my domain.

If I need people to connect to my network at home then I give them my dyndns provided URL instead of my IP.

There are many other free DNS solution providers besides dyndns.  You may want to shop around.  I have been using dyndns for years without issue.
qengAuthor Commented:
Thanks again.
In FZ Server, I can set the maximum number of users (it's presently set to 0, their default for unlimited).  For security reasons I was thinking of limiting the number of users.  Do you know whether the server is counted as a user (my guess would be no but just guessing).
My primary use for this FTP Server is to facilitate large file transfers to and from my PC.  Limiting the number of users may be overkill since there is already a username/password and I haven't set FZ to run as a service, just on an as needed basis for xfrs.  I have FTP servers running full time on my websites for general public stuff.
One last thing I'm anticipating to run into from time to time is an interrupted transfer especially in the case of very large file transfers (e.g. several Gb ... video editing).  Do you know of an app or something which allows a file to be split into segments and recombined which can be combined with an FTP xfr.  I'm guessing FZ Server doesn't resume interrupted transfers but read this on a post somewhere pertaining to their FZ Client app 'FileZilla 3.2.0 Final is possible to interrupt the download or upload a file and then resume, if the FTP server where the file is hosted rioja support' (sic). I don't mind if this is a separate app that has to be run on the file first before it's made available for upload or download (e.g. the file splitter could be placed in the FTP directory for initial download and use by a client)
Time for me to wrap this up.  I'll wait for your last replies if you have time but in any case will award points.  You've been great.  
Thanks also for sticking with this and getting me started on the right track.

The default setting will send the IP of the local machine back to the client computer.  If you are behind a router this setting will not work.  Here's why.

A router holds the external ip address (example:  However, the FTP Server is running on a machine on the LOCAL network and that computer probably has an internal IP that's different (something like

If you use the "default" setting the FTP server will send instead of

here's what will happen.

Client connects to server on port 21.  server attempts to connect BACK to the client on a random port.  connection fails,  client enters passive mode.  server says "ok, connect to ME on THIS PORT 50000 using THIS IP ADDRESS (because default was checked).   The client will then attempt to connect to (which is the client computers own internal network) connection will obviously fail because the client needs to connect to
to split large files the industry standard (for windows users) is winrar (http://www.win-rar.com)

You're very welcome.  Thank you for the kind comments.  I'm off to do other things but will be back around next week.  Glad you got the FTP Server working.  

qengAuthor Commented:
Thanks again Luke,
Pleasant and very informative.  Be well.  Hope we reconnect at some point ... I seldom go more than a few days before snagging on something :)
qengAuthor Commented:
Folks, thanks tons for this.  I probably should have put up some new questions for some of the follow-up stuff but didn't want to lose your valuable input.  I would like to award more points but the system limits me to 500 per question.  Luke, your last references were equally useful I just had nothing left to distribute to them.  Cheers.
Question has a verified solution.
