D-Link Forums

Topic started by: ttmcmurry on November 05, 2008, 07:12:10 AM

Title: FTP on 323 - unroutable address
Post by: ttmcmurry on November 05, 2008, 07:12:10 AM
I've been reading up on other posts about this subject:

http://forums.dlink.com/index.php?topic=2263.0
http://forums.dlink.com/index.php?topic=2319.0

Here's what I see:

Status:    Resolving address of my.dns323.box
Status:    Connecting to x.x.x.x:21...
Status:    Connection established, waiting for welcome message...
Response:    220---------- Welcome to Pure-FTPd [TLS] ----------
Response:    220-You are user number 2 of 10 allowed.
Response:    220-Local time is now 01:08. Server port: 21.
Response:    220 You will be disconnected after 2 minutes of inactivity
Command:    USER User
Response:    331 User User OK. Password required
Command:    PASS ********
Response:    230 OK. Current restricted directory is /
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (192,168,0,196,131,93)
Status:    Server sent passive reply with unroutable address. Using server address instead.
Command:    LIST


What I understand is the FTP server is going to use a passive port range.  But what is the port range Pure-FTPd will use?  There's no chance I'm going to forward all ports to the 323.  I could always use ffp and download another ftp daemon, but would much rather have this built-in feature working on its own.

Oh, and I do have port 21 forwarded properly on my dir-655.

When inside the private network, things work great.  Across the internet, there is only one FTP client that works, Microsoft's FTP.  For some broken reason it works while filezilla doesn't.

Travis
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 05, 2008, 07:29:58 PM
Hi 'ttmcmurry',

Few things to check:

1) Port 20 & 21 must be forwarded to the internal DNS-323 for Active FTP to work
2) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for Passive FTP; you need to disable Passive as Active is only supported
3) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for FTP Folder View; you may need to disable this feature

HTH,

Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 06, 2008, 05:53:27 AM
> Hi 'ttmcmurry',
>
> Few things to check:
>
> 1) Port 20 & 21 must be forwarded to the internal DNS-323 for Active FTP to work
> 2) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for Passive FTP; you need to disable Passive as Active is only supported
> 3) Some Web Browsers (ex: IE 7) have an 'Advanced' feature enabled for FTP Folder View; you may need to disable this feature
>
> HTH,



You only need to forward port 21 for active ftp.

ftp differs from most other protocols in that it uses two communication channels - a control channel on port 21 and a data channel on port 20 (these are the well known ports for active ftp, passive ftp is different).

Consumer routers use a process known as NAT (Network Address Translation) to share a single public ip address between several hosts using private ip addresses - communication requests originating on the inside of the router are allowed out and when the responses are received they are directed to the originating host.  Communication requests originating from the outside of the router are discarded because the NAT mechanism would not know which host the request was meant for - the way around this is port forwarding, a mechanism through which any request arriving on a particular port is forwarded to a specified host.

With active ftp - the request is made on the control channel (port 21) which, because it originates on the outside of the firewall has to have the port forwarded, but, after the initial communication, the data channel is established by the server from the inside of the firewall so port forwarding is not required at the server side.
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 06, 2008, 10:41:39 AM
You need to forward Port 20 traffic to the DNS if you intend to write to the DNS from outside your NAT'ed LAN.
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 06, 2008, 01:39:49 PM
> You need to forward Port 20 traffic to the DNS if you intend to write to the DNS from outside your NAT'ed LAN.

I installed my first ftp server as part of a Y2K project - it's behind a Cisco SOHO91 NAT firewall/router and it's been running all this time without port 20 forwarded - I've also used the ftp server on my DNS-323 from time to time for both upload and download (ie writing and reading) and port 20 is not forwarded through my firewall.

In short - I've been doing this for the better part of a decade and I have NEVER, EVER forwarded port 20 - it's not required.

Here's why ....

Port forwarding is ONLY required to permit a connection request originating outside the NAT router to be made, if the port is not forwarded, the router does not know which of the private hosts the request is destined for and will discard it - all connection requests originating inside the NAT router are allowed by default.

With ACTIVE ftp - port 21 MUST be forwarded to allow the inbound control channel to the DNS-323 to be established - once the control channel has been established, when the time comes to establish the data channel - if active ftp is being used, the connection request originates with the DNS-323 which is on the inside of the NAT router and which will be allowed through by default.

Port forwarding for port 20 is NOT required when ACTIVE ftp is used.

With PASSIVE ftp - port 21 MUST be forwarded to allow the inbound control channel to the DNS-323 to be established - once the control channel has been established, when the time comes to establish the data channel - if passive ftp is being used, the connection request originates with the ftp client which is on the outside of the NAT router and a second port has to be forwarded to the ftp server - this second port is usually above 1024 - port 20 is not normally used as the data channel with passive ftp.

Port forwarding for port 20 is NOT normally required when PASSIVE ftp is used.
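
The rule described in the post above (outbound connections pass a NAT router, inbound ones need a port-forward rule) can be written as a small model. This is an added example, not part of the original thread; `NatRouter`, `ftp_transfer` and the client data port 50000 are hypothetical names and values, the passive port 33629 is the one decoded from the 227 reply in the first post, and the client-side router case goes one step beyond what the post covers.

```python
CONTROL_PORT = 21  # FTP control channel, as stated in the thread


class NatRouter:
    """Simplified NAT router (assumption: no FTP helper/ALG is modelled).

    Connections started from the inside always pass. Connections started
    from the outside pass only if the destination port is forwarded.
    """

    def __init__(self, forwarded_ports=()):
        self.forwarded_ports = set(forwarded_ports)

    def admits_inbound(self, dst_port):
        return dst_port in self.forwarded_ports


def ftp_transfer(mode, server_nat, client_nat=None,
                 passive_port=None, client_data_port=None):
    """Return (control_ok, data_ok) for one transfer through the NAT(s)."""
    # The control connection always runs client -> server, so it is
    # inbound at the router in front of the server.
    if not server_nat.admits_inbound(CONTROL_PORT):
        return False, False

    if mode == "active":
        # The server opens the data connection towards the client. That is
        # outbound at the server's router, so no rule is needed there.
        # If the client sits behind its own router, the same connection is
        # inbound on that side and needs a rule (or a helper) there.
        if client_nat is None:
            data_ok = True
        else:
            data_ok = client_nat.admits_inbound(client_data_port)
    elif mode == "passive":
        # The client opens the data connection to the port announced in
        # the 227 reply; that is inbound at the server's router.
        data_ok = server_nat.admits_inbound(passive_port)
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return True, data_ok


def scenarios():
    """Constructed scenarios; keys describe the router configuration."""
    only_21 = NatRouter({21})
    return {
        "active, 21 forwarded": ftp_transfer("active", only_21),
        "active, 20+21 forwarded": ftp_transfer("active", NatRouter({20, 21})),
        "passive, 21 forwarded": ftp_transfer(
            "passive", only_21, passive_port=33629),
        "passive, 21+33629 forwarded": ftp_transfer(
            "passive", NatRouter({21, 33629}), passive_port=33629),
        "active, client behind plain NAT": ftp_transfer(
            "active", only_21, client_nat=NatRouter(),
            client_data_port=50000),
    }


if __name__ == "__main__":
    for name, (control_ok, data_ok) in scenarios().items():
        print("%-34s control=%s data=%s" % (name, control_ok, data_ok))
```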
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 06, 2008, 05:53:34 PM
Hi fordem,

Correct ... however, the DNS does not support Passive FTP unless you 'fun_plug' the device. 

Connections originating from 'outside' will be able to connect over FTP to the DNS with Port 21 forwarded from the router to the DNS.  Write errors and timeouts will occur unless Port 20 is also forwarded ... and that's from first-hand experience troubleshooting DNS FTP connectivity issues.

Cheers,
Title: Re: FTP on 323 - unroutable address
Post by: jrbilodeau on November 07, 2008, 06:39:52 AM
I'm using the integrated ftp server on the DNS-323 and I only forwarded port 21, and I use filezilla without any configuration for active or passive and everything works fine for upload and download. btw I have fw 1.5
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 07, 2008, 11:08:28 AM
> I'm using the integrated ftp server on the DNS-323 and I only forwarded port 21, and I use filezilla without any configuration for active or passive and everything works fine for upload and download. btw I have fw 1.5

Thanks for chipping in with your experience - my experience is similar to yours, except that I use the Microsoft ftp client from the CLI, which as far as I know does not support passive ftp.

Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 07, 2008, 11:29:07 AM
FTP sessions initiated from the Internet (from behind a NAT'ed router) to the DNS (that is behind another NAT'ed router) required Port 20 be forwarded so as to permit FTP in Windows Folder View (Explorer) mode.

FlashFXP & CuteFTP have also generated 'write errors' with file uploads to the DNS where Port 20 had not been forwarded as well.

Configuring FTP on the DNS to respond over another TCP port has also necessitated that Port 20 be forwarded.

In short, if you have Port 21 forwarded and it's still not working ... forward Port 20 and inform the other party that you can only provide Active FTP.

Cheers,

Title: Re: FTP on 323 - unroutable address
Post by: ttmcmurry on November 08, 2008, 09:33:04 PM
That's great information, and it's all true. 

I don't have a problem using either active or passive FTP transfers and do intend on accessing FTP over the internet.  However...

No one has answered the part of the question "what is the passive FTP port range" the 323 uses... it has to use a specific range (even if it's a broad range).   It would be great if it were possible to specify a range of my own.. big wish. 

The second question I have is why is the 323 sending a private IP address back to the computer I was using to connect to it?  It should have looked more like:

Response:    227 Entering Passive Mode (63,128,49,119,131,93)

But it used 192.168.0.196 instead across the router.  Shouldn't the 323 be using the public IP from the DIR-655 router?  This way it would route internally and externally.   Has anyone else noticed this or can verify this is a problem?

Travis
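
The 227 reply quoted in this thread can be decoded to show what the client is being told and why FileZilla reports an unroutable address. This is an added example, not part of the original posts; the function names, the control-connection address 203.0.113.10 and the forwarded range 33000-34000 are constructed for illustration, and the fallback mirrors the "Using server address instead" status line in the first post.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 inside the parentheses of a 227 reply
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Ranges that cannot be reached from the Internet (RFC 1918, loopback, link-local)
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# The reply from the session log in the first post
REPLY = "227 Entering Passive Mode (192,168,0,196,131,93)"


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = _PASV_RE.search(reply)
    if match is None:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte first, then low byte
    return host, port


def is_unroutable(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _UNROUTABLE)


def data_endpoint(reply, control_host):
    """Pick the address to use for the data connection.

    If the server announces an unroutable address while the control
    connection goes to a routable one, the server is behind NAT and is
    reporting its LAN address; fall back to the control address.
    Returns (host, port, used_fallback).
    """
    host, port = parse_pasv(reply)
    if is_unroutable(host) and not is_unroutable(control_host):
        return control_host, port, True
    return host, port, False


def port_is_forwarded(port, forwarded_ranges):
    """True if port falls in one of the (low, high) ranges forwarded on the router."""
    return any(low <= port <= high for low, high in forwarded_ranges)


if __name__ == "__main__":
    host, port, fallback = data_endpoint(REPLY, "203.0.113.10")
    print("data connection to %s:%d (fallback=%s)" % (host, port, fallback))
    print("reachable with only port 21 forwarded:",
          port_is_forwarded(port, [(21, 21)]))
```

Even after the client substitutes the public address, the data connection still targets the announced port, so it only succeeds if that port is forwarded to the server.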
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 09, 2008, 09:40:53 AM
Hi 'ttmcmurry ',

The DNS only supports Active mode if you're coming in from the Internet through a firewall.  The DNS supports Passive from inside the NAT'ed LAN.

Have a look at the DNS-323 modding site wiki; there's a section in their HOWTO browser tree pertaining to FTP (open ports ftpd) and the folks there provide an excellent explanation as to what is happening - they also provide a 'workaround' method if you decide to implement the modding aspects - I have not tried the mod.

Google: wiki dns323 info

Cheers,

Title: Re: FTP on 323 - unroutable address
Post by: ttmcmurry on November 11, 2008, 02:32:21 PM
I understand the philosophy concerning the DNS-323 as a consumer device. 

Having said that, there are some features that should "work out of the box" and not require someone to mod their DNS-323.  So I don't appear to be a hypocrite, yes I do have ffp 0.5 installed on my 323 and it serves its purpose to the extent that I don't modify the original programming provided via 1.05 firmware.

IMHO, the 323 was advertised as having FTP capability and didn't state it is not able to route across the internet even if port forwarding is used on the corresponding router.  I would expect to be able to specify passive port range & choose between host ip address and/or auto ip on local/wan. 

I would *love* to be proven totally wrong and that things actually work and it's really me that doesn't understand it.  Reality is I manage 3 Microsoft FTP servers at my workplace behind a Cisco router + NAT Traversal or direct IP mapping and don't have this kind of difficulty.
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 11, 2008, 03:20:01 PM
I spent a considerable amount of time researching and session logging before I discovered that Active FTP was the only way to reach the DNS over the Internet between two NAT'ed LANs.  How I discovered it was purely by chance reading.

I was in the process of putting the product back in the box for return - since I couldn't get FTP to work as expected - when I noticed the little asterisk and footnote stating that it was recommended that a VPN session be established when connecting to the DNS using FTP from the Internet - that's when it occurred to me that *maybe* both TCP Port 20/21 needed forwarding.

In short, I don't believe your understanding (and that of 'fordem') is incorrect; what you expected to occur should ... it just doesn't when it comes to the DNS - at least with the current f/w releases.

Cheers,
Title: Re: FTP on 323 - unroutable address
Post by: ttmcmurry on November 11, 2008, 03:29:00 PM
Yeah, that validates my point.  I don't know anyone who hooks up directly to the internet anymore, and for that reason most FTPs are NATted. 

That takes me back to my point about passive ftp: 

1) Give us control over the passive port range so it can be port forwarded a la router
2) Give the 323 the ability to determine its external IP address* for WAN transfers
3) Give the 323 the ability to use the LAN IP for local transfers

* http://www.whatismyip.org/ is a good start.
Title: Re: FTP on 323 - unroutable address
Post by: ECF on November 11, 2008, 03:49:10 PM
Port 21 is the only port that needs to be open for the FTP server in your firewall for proper use. Opening port 20 does not affect the use of the FTP server.
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 11, 2008, 07:11:05 PM
> I spent a considerable amount of time researching and session logging before I discovered that Active FTP was the only way to reach the DNS over the Internet between two NAT'ed LANs.  How I discovered it was purely by chance reading.
>
> I was in the process of putting the product back in the box for return - since I couldn't get FTP to work as expected - when I noticed the little asterisk and footnote stating that it was recommended that a VPN session be established when connecting to the DNS using FTP from the Internet - that's when it occurred to me that *maybe* both TCP Port 20/21 needed forwarding.
>
> In short, I don't believe your understanding (and that of 'fordem') is incorrect; what you expected to occur should ... it just doesn't when it comes to the DNS - at least with the current f/w releases.
>
> Cheers,


What I "expect to occur" has already been stated - and my DNS-323 DOES work this way with both 1.04 & 1.05 versions of the firmware, as in fact does every other ftp server I have setup.
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 11, 2008, 08:11:06 PM
Well ... your DNS-323 must be magical; cause unless I forward Ports 20/21 to the DNS-323 there's no way a file write happens from an external NAT'ed LAN to the DNS-323 via FTP when in Active mode.  And it doesn't happen at all if the external client FTP is set to Passive.

All my other FTP servers & clients work as I would expect.

Cheers,
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 12, 2008, 05:50:33 PM
> Well ... your DNS-323 must be magical; cause unless I forward Ports 20/21 to the DNS-323 there's no way a file write happens from an external NAT'ed LAN to the DNS-323 via FTP when in Active mode.  And it doesn't happen at all if the external client FTP is set to Passive.
>
> All my other FTP servers & clients work as I would expect.
>
> Cheers,

I don't know if you have read the responses in this thread - but - just in case you haven't, please allow me to point out that there appear to be two persons, other than myself, that have indicated that the DNS-323's ftp server works with just port 21 forwarded.

Statistically that's three for, one against - the people have spoken - you're outvoted.
Title: Re: FTP on 323 - unroutable address
Post by: Sumdumphuc on November 12, 2008, 06:41:43 PM
at least you guys have it working,

I have tried everything here in the thread and still nothing.
I have changed so many setting now I think I have to reset everything and start over.
I have set user access in DNS-323
started the ftp server
port forward my router both 20 and 21 for both TCP and UDP
I'm using fire ftp
I have unticked the box "Passive mode"
I have dyndns set up

and I still can not get in from another location
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 12, 2008, 06:59:29 PM
Troubleshoot in a systematic fashion ...

 the first step is to verify that you can access the ftp server locally
 the second step is to verify that your dyndns resolves correctly (if you're going to use dyndns)
 the third step is to verify that port forwarding has been correctly configured

It should be noted that some routers require more than just the actual port forwarding - I've seen Netgear routers that need a schedule set before they would allow access, and if you're using Cisco, you'll also need to verify that your ACL allows ftp access.

It is also possible that your ISP may block port 21 inbound - especially if the TOS forbids the hosting of servers.
Title: Re: FTP on 323 - unroutable address
Post by: Sumdumphuc on November 12, 2008, 08:37:36 PM
thanks for the fast reply.
Ok, the first thing that I'm unsure of is;
I have a modem (billion bi-pac 7300) and a wireless router (Linksys WRT-350N)

                      Internet
                          |
            __________________
           |billion 192.168.1.XXX|
                          |
                          |
             ________________
           |Linksys 192.168.2.1|
             /                        \
           /                            \
 ________________       ________________
|PC1 192.168.2.XX1|    |PC2 192.168.2.xx2|

Do I port forward(PF) on the Billion or the Linksys, because I'm unsure I have PF both, but I have a feeling this is wrong (I have tested all configurations of this and none work eg: PF billion only, no go.... PF Linksys only, no go....... so at this moment both are PFed).


I hope you understand my bad diagram.
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 13, 2008, 04:21:45 AM
I understand your excellent diagram, and it shows why you're having a problem at first glance - you have two routers, an almost guaranteed way to cause problems in your situation.

The first thing I would suggest is that you get rid of one - I can understand your reluctance to do that, since it is probably not an option, as the Billion is also your modem and I suspect does not have wireless capability. Were I in that situation I would have added wireless capability using an access point and not a router, but we'll come back to that later.

There should be a way to put the billion in to "bridge mode" so it acts only as a modem and not as a router - in which case the Linksys will get a public ip address and you can then port forward on that.

Another option would be to configure the Linksys at a static address (WAN) side and then configure the Billion so that it places the Linksys in the DMZ - port forwarding would then be done on the Linksys - and the final option would be to configure the Linksys to act as a wireless access point only (configure both routers to use the same private subnet, Billion at 192.168.1.1, Linksys at 192.168.1.2, disable DHCP on the Linksys, configure DHCP on the Billion to start its DHCP range at 192.168.1.3 (or later) and then link the two routers LAN port to LAN port).
Title: Re: FTP on 323 - unroutable address
Post by: Sumdumphuc on November 13, 2008, 04:56:36 AM
Yes you are correct, I bought the billion before I needed wireless then when I needed wireless I bought the Linksys thinking I could do away with the billion but I could not, the Linksys does not have an ADSL line in. I chose the Linksys WRT350N because of the attached storage USB slot (which is in use to do backups of one of the DNS-323)
I tried to configure them on the same private subnet but had no luck getting on the internet (Linksys also over the phone tried to help configure with the same results), so that is why it is configured the way it is.

Ideally I would like to go with your first second option and put the billion in bridge mode.

I will look into this now and see if there is a way to do this.
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 13, 2008, 09:28:52 AM
> I don't know if you have read the responses in this thread - but - just in case you haven't, please allow me to point out that there appear to be two persons, other than myself, that have indicated that the DNS-323's ftp server works with just port 21 forwarded.
>
> Statistically that's three for, one against - the people have spoken - you're outvoted.

I have read the posts and have gone back and attempted to get the DNS-323 FTP to function in R/W with only Port 21 forwarded ... no luck.

WinXP (initiator)      <-> NAT LAN #1 Router (everyone else) <-> Internet <-> NAT LAN #2 Router <-> DNS323
(IE Passive Enabled)

RESULT: No R/W


WinXP (initiator)      <-> NAT LAN #1 (everyone else) <-> Internet <-> NAT LAN #2 (my fw) <-> DNS323
(IE Passive Disabled)

RESULT: R only, Fail on W


A subsequent follow-up call to D-Link Support yielded no success in getting FTP 'Writes' without forwarding Port 20.  Same exercise with any *other* FTP server gives the desired result when only forwarding Port 21.  Out-voted or not, I cannot get an initiator to write via FTP to DNS323 unless I forward Port 20 to the DNS323.

 ???
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 13, 2008, 06:43:21 PM
I just happen to be in Florida, and I uploaded some pictures to my DNS-323 - I have screen shots of the router configuration and the ftp session that I could show you, but this site does not allow images to be uploaded.
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 14, 2008, 04:48:05 AM
To confirm:

1) The workstation is behind a NAT'ed router in Florida and the DNS323 is behind a different NAT'ed router
2) FTP R/W are occurring from NAT'ed router A over the Internet to NAT'ed router B.
3) Only Port 21 is forwarded on the NAT'ed router in front of the DNS323.
4) The only changes to router rules are in the NAT'ed router in front of the DNS323.
5) The NAT'ed router in front of the workstation doesn't have FTP specific rules (pin-holes).
6) You can successfully R/W to the DNS323 using IE (or Explorer Folder View); i.e. not CMD line.


If so, I'm stumped; I'm able to successfully connect and perform R/W with only Port 21 forwarded to a non-DNS323 FTP.  But unless I forward Port 20, I can't get W to occur on the DNS323 via FTP using the method.

Since it was DNS323 specific, I assumed it wasn't a router misconfiguration  - now you've got me wondering ...
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 14, 2008, 07:29:12 AM
To confirm ...

1) The workstation (a Dell Latitude 420) is behind a NAT'ed router in Florida (a cheap $39 Dynex from BestBuy) and the DNS-323 is behind a different NAT'ed router in Guyana (a Netgear WNR2000).

2) ftp r/w is occurring between the workstation via the Dynex to Comcast, through 3000 odd miles of the Americas II submarine fibre to Guyane (French Guiana), through a few hundred miles of terrestrial fibre across Suriname (Dutch Guiana), into Guyana (British Guiana) and then through Lightening Fast DSL to the Netgear and the DNS-323.

3) Only port 21 is forwarded to the DNS-323, port 800 is forwarded to a D-Link ip camera, and port 1723 is forwarded to a Windows 2003 server.

4) The only changes to router rules are in the NAT'ed router in front of the DNS-323.

5) The NAT'ed router in front of the workstation has only the port forwarding rules.

6) I can successfully R/W to the DNS-323 using either Explorer Folder View or the command line - I haven't tried with IE, I'm not certain that I can write using IE.

Just so that you are aware of it, the Netgear WNR2000, by default, will forward both ports 20 & 21 for the ftp service - this one has had that rule changed so that it forwards 21 only - not that it makes a difference, I have also used a D-Link DI-504 and a Linksys BEFSX41 in this location, with the DNS-323 - it really does not need port 20.
Title: Re: FTP on 323 - unroutable address
Post by: hilaireg on November 14, 2008, 08:17:59 AM
Appreciate the response,

1) other than the router; match.
2) other than the route & router; match.
3) Port 21 to DNS323; Port 25 to an Exchange Server.  Only difference here is that I'm having to forward Port 20 as well.
4) match.

5) in the test I've done, the router in front of the workstation has not been *touched*.  Can I assume this is what you meant as well?  With the caveat, that Passive FTP in IE Advanced had to be disabled on the workstation.

6) successful "Folder View" writes to the DNS323 without forwarding Port 20 at the router in front of the DNS323; the results on my end differ.  Until I forward Port 20, I cannot successfully write a file to the DNS323.


I get the exact behaviors you and others have posted on any other FTP server behind the router (DGL-4100) - i.e. Port 21 only R/W.  Always find it amazing how something that's quite simple to do becomes complicated.

 ???
Title: Re: FTP on 323 - unroutable address
Post by: fordem on November 15, 2008, 10:30:13 AM
5.  The only changes on the NAT'ed router in front of the workstation are to set a WPA encryption key, change the default password and spoof the MAC address - NO port forwarding rules are set - no settings have been changed on IE