D-Link Forums

The Graveyard - Products No Longer Supported => D-Link Storage => DNS-321 => Topic started by: _RT_ on February 13, 2009, 08:51:50 AM

Title: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 13, 2009, 08:51:50 AM
I've read through another post:
http://forums.dlink.com/index.php?topic=3652.0
and am quite disappointed.

Based on my phone conversation with customer support when I couldn't get things to work properly, some tests I have done since, and the above thread, it would seem the DNS-321 is incapable of providing FTP over anything except port 21.

Considering this is the first port people check when hack attempts are made to access an FTP, D-Link should really fix this in the next firmware update.

Please?
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 13, 2009, 03:59:04 PM
The post you link to has nothing whatsoever to support your theory that only Port 21 is supported or can be used - and if you login to the DNS-321, select Advanced, then FTP Server and look about half way down the page you'll find the place to set the port of your choice.

I want to make one thing very clear - you may experience difficulty in getting ftp working on a port other than port 21 - this is more likely than not to be caused by client side issues and has nothing to do with the DNS-321 being able to support it.

Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 14, 2009, 11:27:27 AM
Perhaps I interpret that thread differently than you.

Someone couldn't get the FTP to work on any port OTHER than 21 from what I read.

But I digress.

I'm well aware of where to change the port in the advanced settings.
I am also quite capable of forwarding ports correctly on my router.
I've also had other FTPs running on ports other than 21, so THAT isn't the problem.

Let's review.
I have an FTP on my laptop.  It works on any port I want it to - not just 21.
I couldn't get the FTP on my 321 to work on the ports I wanted. 
I spent over 1 hour on the phone with tech support trying to figure out why.
Finally, we decided to try port 21 and what do you know.  It worked.

Since then, I've tried making the port change various times hoping I could chalk it up to the Gods.  It never works.  It ONLY works (at least for me) on port 21.

Now, so that we can keep things VERY clear.  Are YOU running an FTP on the D-Link?  Are YOU using a port other than 21?
If not, then I would ask that you try it.  And if you don't feel so inclined, then I would ask that you consider that there just may be an issue.

All of the above has been said in a friendly nature.   ;D

Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 14, 2009, 01:57:29 PM
Did you notice where I said you may experience difficulty and that the problem is most likely client side?

Are you using the exact same client (same computer, same software, same internet connection) as the last time you used an ftp server on a port other than 21?

I'll take a bet - your client is now behind a NAT router/firewall - connect it directly to the internet, or put it in the DMZ of the router/firewall and try again.

The reason you're having problems is NOT the DNS-321.
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 15, 2009, 05:36:32 PM
Are you using the exact same client (same computer, same software, same internet connection) as the last time you used an ftp server on a port other than 21?

Same computer: Yes
Same software: Yes
Same internet connection: Yes

Out of curiosity... are you running an FTP on the 321?
If yes, on a port other than 21?


Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 16, 2009, 05:44:23 AM
Were you using active or passive ftp?
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 16, 2009, 12:17:25 PM
Were you using active or passive ftp?

To be honest, I don't recall choosing one or the other when I was setting it up.
If you have suggestions on something I should try, please fire away.  While I don't claim to be a networking guru, I can read and follow direction/suggestions.


Also.....again, I'll ask the question.
Are you running the FTP on the DNS-321?
If the answer is yes, are you running on a port OTHER than 21?



Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 16, 2009, 01:41:03 PM
You might want to check that - active ftp on a non-standard port (ie, anything other than 21) can be difficult because of client side issues, which passive ftp will resolve, however, as far as I'm aware, the ftp implementation on the DNS-321 does not fully support passive ftp.
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 16, 2009, 05:54:30 PM
You might want to check that - active ftp on a non-standard port (ie, anything other than 21) can be difficult because of client side issues, which passive ftp will resolve, however, as far as I'm aware, the ftp implementation on the DNS-321 does not fully support passive ftp.

"client" referring to my provider? 
"client" referring to my router?

Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 16, 2009, 07:13:10 PM
DNS-321 is the ftp server, the computer (or other device) you are uploading from or downloading to is the ftp client.

The term client side issue is used to indicate that the problem is caused by something at the client side of the connection.

ftp transfers are different (I'm inclined to say unique) from others (eg. http, telnet, etc.) in that they use two distinctly separate connections, a control connection and a data connection (in contrast, http etc. use a single connection, or series of connections, from the client to the server).  With active ftp, the control connection is established from the client to the server and the data connection is established from the server to the client - the problem with this is consumer type NAT firewall/routers, by default allow outgoing connections (established from the inside) and block all incoming connections (established from the outside).

Most consumer type NAT firewall/routers are smart enough to know that an outgoing connection on port 21 to ip address a.b.c.d is ftp, and so they will look for an incoming connection from ip address a.b.c.d and allow it through, forwarding it to the appropriate host - BUT - they don't recognise that your connection on port 2121 (or whatever you use) is ftp, so when the server tries to establish the data connection, they block it.

Because of this, passive ftp was developed - with passive ftp the client establishes a control connection on whatever port (default is 21) - and the server tells it to establish the data connection on a specific port, so, since the data connection is established from the client to the server, this removes the client side issue - BUT - if the server is also behind a consumer type NAT firewall/router, this results in a server side issue.

Passive ftp shifts the problem from the client side to the server side, but, since most ftp servers are commercial installations, with certified administrators, and one server might accommodate a few thousand (or hundred thousand) clients, the overall result is that things are generally made easier for the larger number of people.

With passive ftp, if the ftp server is behind a consumer type NAT firewall/router, you would need to forward, not just the port for the control connection, but also a range of ports for the data connection, and this is what the DNS-321 is lacking - there is no way for you to tell it that you are going to forward, for example, ports 21000~21100 for passive ftp.

You cannot properly configure passive ftp on the DNS-321 - but - if your ftp client is using active ftp and is not behind a NAT firewall/router, active ftp on a non-standard port (one other than 21) will work because there will be no problem with the data connection being blocked.
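
Added example (not part of fordem's post and not D-Link code): a simplified Python model of the behaviour described above. It parses the RFC 959 `h1,h2,h3,h4,p1,p2` tuple from a PORT command or a 227 reply and checks whether a NAT whose FTP helper only inspects control traffic on port 21 lets the data connection in. The `Nat` class, the function names and the sample lines are constructed for illustration; address rewriting by the NAT is left out.

```python
import re

def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply (h1,h2,h3,h4,p1,p2)."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in line")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

class Nat:
    """Simplified consumer NAT: inbound is blocked unless forwarded or opened by the FTP helper."""
    def __init__(self, forwards=(), helper_ports=(21,)):
        self.forwards = set(forwards)          # static inbound port forwards
        self.helper_ports = set(helper_ports)  # control ports the helper treats as FTP
        self.pinholes = set()                  # data ports opened on the fly

    def see_control(self, control_port, line):
        # The helper only parses control traffic on ports it recognises as FTP.
        if control_port in self.helper_ports and line.startswith(("PORT ", "227 ")):
            self.pinholes.add(parse_hostport(line)[1])

    def allows_inbound(self, port):
        return port in self.forwards or port in self.pinholes

def data_connection_ok(mode, control_port, line, client_nat=None, server_nat=None):
    """Active: server dials the client's PORT. Passive: client dials the server's 227 port."""
    for nat in (client_nat, server_nat):
        if nat is not None:
            nat.see_control(control_port, line)
    port = parse_hostport(line)[1]
    receiver = client_nat if mode == "active" else server_nat
    return receiver is None or receiver.allows_inbound(port)

# Constructed sample control-channel lines (not captured from a real device).
PORT_CMD = "PORT 192,168,1,10,195,80"                         # client listens on 50000
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,82,58)"  # server listens on 21050

if __name__ == "__main__":
    print(data_connection_ok("active", 21, PORT_CMD, client_nat=Nat()))    # helper opens 50000
    print(data_connection_ok("active", 2100, PORT_CMD, client_nat=Nat()))  # helper ignores 2100
    print(data_connection_ok("active", 2100, PORT_CMD))                    # no client NAT
    print(data_connection_ok("passive", 2100, PASV_REPLY, server_nat=Nat(forwards={2100})))
    print(data_connection_ok("passive", 2100, PASV_REPLY,
                             server_nat=Nat(forwards={2100, *range(21000, 21101)})))
```

The last two calls show why passive mode behind a server-side NAT needs the data port range forwarded as well as the control port.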
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 17, 2009, 05:25:50 AM
Thank you.  That all (although a bit complicated) makes sense.

But it still takes me back to my original statement.
In its current state, for all intents and purposes, the DNS-321 will only work on port 21.  Can it work on others?  Possibly - if the gods are smiling on you.

But given D-Link tech support (and yes.... I realize it's probably outsourced) couldn't access my ftp on a port other than 21, the odds of me having a client that can access it are slim to none.

That frustrates me.
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: ECF on February 17, 2009, 09:51:27 AM
Yes. In the FTP there is an option to change the FTP port. Change the port to your desired port for FTP and create a firewall rule forwarding the port chosen to the same port at the IP address of your DNS-321 in your router.

Note: This device supports Active FTP. Passive FTP is not supported on the DNS-321, 323, or 343.
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 17, 2009, 11:27:37 AM
Thank you.  That all (although a bit complicated) makes sense.

But it still takes me back to my original statement.
In its current state, for all intents and purposes, the DNS-321 will only work on port 21.  Can it work on others?  Possibly - if the gods are smiling on you.

But given D-Link tech support (and yes.... I realize it's probably outsourced) couldn't access my ftp on a port other than 21, the odds of me having a client that can access it are slim to none.

That frustrates me.

The DNS-321's ftp server CAN be accessed on a port other than 21 provided the client is configured to allow it - look at my first reply - you may experience difficulty in getting ftp working on a port other than port 21 - this is more likely than not to be caused by client side issues and has nothing to do with the DNS-321 being able to support it.

Set up your DNS-321 on a custom port (2100 is good), send me the ip address, port, user name & password in a PM, and let's see if I can access it
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 17, 2009, 03:47:12 PM
The DNS-321's ftp server CAN be accessed on a port other than 21 provided the client is configured to allow it - look at my first reply - you may experience difficulty in getting ftp working on a port other than port 21 - this is more likely than not to be caused by client side issues and has nothing to do with the DNS-321 being able to support it.

Set up your DNS-321 on a custom port (2100 is good), send me the ip address, port, user name & password in a PM, and let's see if I can access it

PM sent.

Yes. In the FTP there is an option to change the FTP port. Change the port to your desired port for FTP and create a firewall rule forwarding the port chosen to the same port at the IP address of your DNS-321 in your router.

Note: This device supports Active FTP. Passive FTP is not supported on the DNS-321, 323, or 343.

Thanks, however your reply has already been covered in the posts above.
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 17, 2009, 05:34:47 PM
Check your ftp server and your PMs.

My first attempt at access was successful, I could both read & write - this was made via a dialup connection (yes, I still have dial up), my second attempt, as I expected, failed - this one was done via DSL, and failed because of the client side NAT firewall/router.
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: _RT_ on February 17, 2009, 06:11:28 PM
Thank you.

So it all comes down to the active vs. passive problem?
Disappointing that I am not going to be able to use this NAS the way I had originally intended.
Title: Re: DNS-321 the FTP and port 21. Only option???
Post by: fordem on February 17, 2009, 07:28:01 PM
You're welcome.

And no - I would not describe it as coming down to the active vs passive problem.  Active vs passive is why you have been able to use other ftp servers on non-standard ports without difficulty - the lack of full support for passive ftp is one of the reasons you're having problems, the other is that your client side configuration does not support active ftp on a non-standard port - you need one or the other.

For what it's worth - I don't own and have never used a DNS-321, but if I had told you that earlier, you'd just have shot me down, on the basis that because I'd never used one, I didn't know what I was talking about.  I have the DNS-323 (which uses essentially the same code), and have run the ftp server in the DNS-323, both on port 21 as well as non standard ports (more to prove that it could be done, than because of a need to), and have also been running ftp servers on other platforms for the better part of a decade.

Last, but by no means least, ftp on port 21 is not as much of a risk as people would have you believe - the big problem is that the username & password are transferred in clear text, and anyone who can connect a sniffer in the appropriate place can capture these credentials - BUT - that sniffer would have to be located in very specific places - the LAN on which the ftp server resides and the ISP's network that feeds that LAN, and the same two locations for the ftp client.  As you move further away from those locations the volume of traffic that would have to be filtered to trap the credentials increases exponentially.

During 2008 I ran an unsecured (as in anonymous, and no password required) ftp server on port 21 for over six months before I logged a single "unauthorised" attempt at access.  Given the furore about ftp insecurity, I would not have thought it possible, I expected it to be discovered long before it was.