D-Link Forums
Topic started by: coderforlife on November 14, 2012, 10:32:25 PM
-
I have been struggling with this all day, and finally found some "answers" that explain the problem but give no acceptable solutions... so let me explain and see if anything new will come up.
Problem
Basically I am trying to set up an FTP / FTPS server. I have it working pure locally (LAN -> LAN) OR outside in (WAN -> LAN) but cannot get it to work LAN -> WAN -> LAN. I have a dynamic DNS address (which a subdomain of mine points to, say files.example.com). I want to be able to use this as the FTP server's address regardless if I am inside or outside the local network. Right now using "files.example.com" only works from outside the local network. "files.example.com" always resolves to the WAN IP address of the router and then port forwarding will only work then if the request is coming from the WAN but not from the LAN.
"Solutions"
The solutions that have been posted elsewhere are all unacceptable. I am listing them below, starting with the worst one and working up.
- Modify the FTP client's settings or the system's hosts file every time you enter or leave the local network (this is incredibly OBNOXIOUS)
- Convert the FTP port forwarding rules to virtual server rules (works well for the main ports, but in passive mode the FTP server needs 50+ random ports to be usable which cannot be done with virtual server)
What May Work
Well, if the router just applied the port forwarding rules like it applied virtual server rules or the virtual server rules allowed ranges that would be a solution, but that isn't going to happen anytime soon.
Can I tell the router to map "files.example.com" to a specific IP (like I would with the hosts file on computer)? This way when the computers are trying to resolve my domain name they could be given the local address and all would be fine. It should not map the rest of the subdomains (*.example.com) since these could all be hosted elsewhere.
Specs
Router: DIR-655
Hardware Version: B1
Firmware Version: 2.10NA (also true with 2.07NA, and reported on 2.04NA)
References
http://forums.dlink.com/index.php?topic=50408.0
http://forums.dlink.com/index.php?topic=50150.0
http://forums.dlink.com/index.php?topic=38542.0
Thanks for any input anyone may have!
-
Wouldn't it just be easier to use an http server which only needs one port and use port forwarding via virtual servers page?
-
What region are you located?
What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?
If this modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems.
Double NAT (http://www.practicallynetworked.com/networking/fixing_double_nat.htm)
To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.
If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modem's DMZ.
Some things to try:
- Log into the router's web page at 192.168.0.1.
- Turn off ALL QoS (http://vonage.nmhoy.net/qos.html) or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options. Advanced/QoS or Gamefuel.
- Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
- Turn on DNS Relay under Setup/Networking.
- Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking. This ensures each device gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting.
- Ensure devices are set to auto obtain an IP address.
- Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
- Enable uPnP and Multi-cast Streaming under Advanced/Networking. Disable uPnP for testing Port Forwarding rules.
- WAN Port Speed set to Auto or specific speed? Some newer ISP modems support 1000Mb so manually setting to Gb speeds can be supported by the router. Advanced/Advanced Networking/WAN Port Speed
-
@nicknml - Only if it were that easy. First this isn't an HTTP server, it's FTP. And you can do FTP via 2 ports, however it just defers the router setup issue to the client instead of the server, resulting in the same issue for the client. See http://wiki.filezilla-project.org/Network_Configuration#Setting_up_and_testing_FileZilla_Server.
@FurryNutz - This really had nothing to do with ISP and highly unlikely the modem. This is a common problem, as reported in at least 3 other posts in this forum. There are probably many more posts, those are the ones I found quickly.
I have AT&T U-verse. The modem has a built-in router which is barely being used at all. It is a HomePortal 3801HGV. It is set up to DMZ to the DIR-655 router, however it is a bit more than just a DMZ since the router gets the external IP address of the modem (so more like a bridge, they call it DMZplus). The WAN IP of the DIR-655 router is 99.10.x.x which is the IP reported to all Internet traffic (for example, when asking Google what my IP is).
This problem exists either when QoS is on or off. DNS relay is checked and grayed out (unable to uncheck). Most computers have reserved IP addresses and there are no conflicts or problems with computers / devices getting their IPs. UPnP is enabled. Modem does not support 1000Mb. Router and modem are set to auto-detect speeds between each other.
Will try:
- Turning off Advanced DNS Services
- Changing firewall settings to endpoint independent
- Disabling uPnP (since this is a port forwarding issue)
-
Anything is possible with ATT Uverse or any Mfr modems with built in routers. I don't see this issue since I don't have this particular modem. Usually when using ISP modems with built in routers, it does and will cause certain connection issues if not configured correctly. There have been some people saying that the DMZ on the Uverse modems doesn't fully allow ALL traffic to pass.
If you think you can reproduce this problem on a constant basis and can provide details on how to reproduce it, then we might be able to get this up to D-Link for review. This will need to be reproduced by others here if possible.
Have you tried disabling uPnP? I thought someone once said that this needs to be disabled if any PF is being configured.
-
It has been reproduced on these forums, I gave 3 links in my original post to people having the same exact problem. There are probably many more, I found these with a couple minute search. They all have "poor" solutions (the ones I listed).
The problem is that port-forwarding from inside the network does not work when using the router's WAN IP. However virtual server does work, using the WAN IP from outside the network works, and using the local computer address works from inside the network. Using a URL that resolves to the WAN IP causes problems inside the network.
I don't think this is an AT&T issue or a modem issue since the virtual server settings always work, just not port-forwarding. It may still be an AT&T/modem issue if the router is doing something funny like monitoring for the WAN IP while outgoing vs incoming depending on if it is a virtual server or port forwarding.
I will test the modem issues by placing a computer on the modem's router and trying to FTP. The modem itself has port-forwarding abilities (calls them pinholes). I may try these too. First to try the other settings you listed before.
-
Seems like all those links resolved their PF problem using VS. I wonder if this is a preferred method of getting external ports to connect with LAN ports and applications on the LAN side for platforms needing this.
-
And I would be happy to use VS instead of PF except I need a 50+ IP range! Besides being tedious in VS, there aren't enough spaces.
-
I'll check this out this evening. I had FTP server and Filezilla configured last year for a time on my DIR-825. I still have those settings, I'll check them out on a DIR-857 then the 655. It was working well on the 825 when I had it running. Been wanting to get the FTP going again. I didn't have a need for 50+ IPs though.
-
Tried turning off Advanced DNS Services, changing firewall settings to endpoint independent, and disabling uPnP to no avail. Resetting them to defaults (on, address/address and port restricted, enabled).
Note: I had this working somehow before. It was only working for FTP without any security. I tried to get it working with SSL/TLS and everything went haywire (first time I ran into the bug in my other post). After restoring the same exact settings, it no longer worked even without SSL/TLS.
-
Was this with the same ISP and modem?
One thing you could try maybe, downgrade to v2.03 maybe and test.
-
I just reviewed the DIR-825s config file I have saved. At the time I was using the following configuration:
port_forward_both_01=0/FZ/#.#.#.2/50117/50117/Always/Allow_All
port_forward_both_02=0/FZ2/#.#.#.2/20,21/20,21/Always/Allow_All
.2 was the IP address of my Pc server at the time and it was working with FZ.
NAT I believe is EndPoint Independent. I always use this.
uPnP is disabled however I'm looking at a config file after I turned the 825 into an AP so I disabled uPnP. I think I had it ON before.
-
I just set up or had already set up these same PF values that are currently on the DIR-857 and FZ is running and I was able to connect to the WAN IP address of the router from work here and I received the log in window and saw the following on FZ Server:
(http://i1195.photobucket.com/albums/aa396/furrynutz740il/DIR857PFrulesforFZ.png)
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> Connected, sending welcome message...
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> 220-FileZilla Server version 0.9.41 beta
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> USER anonymous
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> 331 Password required for anonymous
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> PASS *******
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> 530 Login or password incorrect!
(000001)11/15/2012 14:15:30 PM - (not logged in) (.254)> disconnected.
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> Connected, sending welcome message...
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> 220-FileZilla Server version 0.9.41 beta
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> USER anonymous
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> 331 Password required for anonymous
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> PASS *******
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> 530 Login or password incorrect!
(000002)11/15/2012 14:15:31 PM - (not logged in) (.254)> disconnected.
I'll need to reconfigure the log in as I don't remember at the moment. Seems to be working as far as establishing the connection.
This is using a Cable modem: Motorola SB 6180>DIR-857>24pt Gb switch>Server PC(HP)
-
@nicknml - Only if it were that easy. First this isn't an HTTP server, it's FTP. And you can do FTP via 2 ports, however it just defers the router setup issue to the client instead of the server, resulting in the same issue for the client. See http://wiki.filezilla-project.org/Network_Configuration#Setting_up_and_testing_FileZilla_Server.
My point was that you can use an http server in a similar way. If you want to simply make files available for download for anybody it's pretty trivial to set that up using an http server. How are you planning to use your ftp server, is it for personal use, sharing files with other people, etc.?
-
I'm using it as a backup server. So lots of writing by a couple of people. I also have an HTTP server on that computer, setup in the router a VS and works just fine.
-
I'm using it as a backup server. So lots of writing by a couple of people. I also have an HTTP server on that computer, setup in the router a VS and works just fine.
If it's just being used by a couple of people how about something such as SSH?
A VPS is another solution as you don't have to worry about any NAT issues, such as this one that I have:
http://www.host1free.com/free-vps/
Note that with their free tier you only get 1Mbps up/down.
-
Had one idea, why not set the PC that you want directly connected to the ISP modem for ease of set up and then connect everything else to the DIR-655? Kind of a last resort plan of action if you can seem to get the configuration set up with the DIR-655:
ATT Uverse - >< FTP/BACKUP PC
| - ><DIR-655<>All other devices connected to 655.
-
I really wish I could just do this:
Can I tell the router to map "files.example.com" to a specific IP (like I would with the hosts file on computer)? This way when the computers are trying to resolve my domain name they could be given the local address and all would be fine. It should not map the rest of the subdomains (*.example.com) since these could all be hosted elsewhere.
-
I really wish I could just do this:
Can I tell the router to map "files.example.com" to a specific IP (like I would with the hosts file on computer)? This way when the computers are trying to resolve my domain name they could be given the local address and all would be fine. It should not map the rest of the subdomains (*.example.com) since these could all be hosted elsewhere.
Perhaps you could via DHCP reservation on the network settings page.
-
If that doesn't work you can set up a separate DNS server (you could do it on the same host as your ftp server).
-
Update: tried plugging the client side into the AT&T modem with the server inside the router. This worked, presumably since I was using the WAN IP of the router outside of its network.
VPS: I have a VPS, but that won't really work since they are "limited" in size (the one you have is 2GB, the one I already have is 50GB). Many backups being "local" make it not so bad to be backing up 200GB of data per machine. This is why a local solution fits better, with only a few remote backups being performed.
Running a custom DNS server is an interesting idea. The reserved name in the router did not work. I still have a few other ideas. Then I will try the custom DNS server.
Placing the FTP server on the modem and everything else on the router is also not probably going to work due to the wiring in my house (I could add another Ethernet wire to the wall, but that's a bit more effort than I want right now). Other computers share the current wire through a switch.
It seems silly for all these workarounds when the router seems to be able to work properly (when using VS). Just wish VS would accept ranges.
Thanks for all your inputs! I will update with any more information as I try other things.
-
Been able to configure FZ, DIR-655 RevB1, PF and getting connections using the following:
(http://i1195.photobucket.com/albums/aa396/furrynutz740il/Screenshot2012-11-16at52324PM.png)
(http://i1195.photobucket.com/albums/aa396/furrynutz740il/Screenshot2012-11-16at52406PM.png)
-
Throwing out another idea, does the host that you are running the ftp server on have multiple NIC's? if so, you could use that as the router and the DIR-655 as simply an access point.
-
@nicknml - No multiple NICs. Also I tried setting up a DNS on that machine but things did not work out. The DNS works: if on another machine on the network I set the DNS servers to 192.168.34.150 (the custom DNS) and 192.168.1.254 (the AT&T modem) it works great (the Internet is accessible and the FTP server is accessible via the domain name). However setting those same exact values on the DIR-655 router itself (for primary and secondary DNS) causes no domain name resolution. It seems as though the DIR-655 does not use the secondary DNS at all (or at least becomes confused when the first one is on its own network). If the computer hosting the custom DNS was disconnected there was still no domain name resolution. I am quite confused by where the problem is actually happening with this custom DNS. I know it works at the computer level, but apparently not at the router level.
@FurryNutz - This is essentially my setup. I have it all as one rule, include 989/990 (for implicit SSL), and without the UDP ports.
The problem I see is if the WAN IP of the router is the same as the external IP and you use the external IP (or a domain name that resolves to it) port forwarding won't work. However, if your WAN IP is not the external IP or you don't use the external IP (or a domain name that resolves to it), then it does work.
So, is your router's WAN IP the same as your external IP? And are you using the external IP / domain name to access the FTP server?
On this note, I am going to see if the AT&T modem will assign a private IP to the router while still doing DMZ, or just forward the necessary ports to the router. These setups should resolve the issues. Quick question though, when the router reports to the dyndns server, does it use its WAN IP or the external IP?
Thanks again for your inputs!
-
My router receives a public external WAN IP address and I use this address to access the FTP server from external based clients.
List of NAT Loopback Supporting Routers (http://forums.dlink.com/index.php?topic=51256.0)
-
Yes, accessing through external clients is fine and always has been for my setup. It is internal clients that don't work. And the reason just switching from the external name to the internal IP isn't acceptable is the backup software sees that as switching backup destination, resulting in a re-scan which takes a whole heap of time (checking every files' file times in the backup).
So the problem (if you have any power to "escalate" issues to D-link) is that port-forwarding rules do not work when using the external IP address internally, however VS rules do work along with external/external and internal/internal IP address setups.
Will see if I can get the modem to not set the router WAN IP to the external IP. Also, how does this affect dyndns?
-
Well, using selective port forwarding on the modem worked - mostly. It won't allow me to forward any ports over 50000 (but everything from 1 to 50000 inclusive). So the passive data ports I am using are 49152-50000. However upon activating the rule with that range I can no longer access the modem service pages at all... Even with that problem it is still the best solution so far... the BEST solution would be for D-Link to fix the problem with port forwarding.
Funny how the cheapo, free, modem from AT&T can port-forward internal requests using the external IP but the D-Link router cannot. They already have the "technology" to do it (in Virtual Server setups), so it would be GREAT if they could get it working for port-forwarding.
Thanks for your time, and if you have any more ideas that would be great.
-
Sounds like you're running into a loopback situation with the internal clients.
-
Speaking of loopback, has anyone tried turning OFF SPI? Lycan mentioned that SPI filters loopback traffic. ???
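
Added example, not part of the thread and not D-Link's code: a toy Python model of generic NAT loopback (hairpin NAT) showing the two usual reasons a LAN client fails to reach a forwarded port through the router's WAN IP while a WAN client succeeds. Only 192.168.34.150 and the port numbers come from the thread; the router LAN address, the WAN address (a placeholder for 99.10.x.x) and the client addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing. Only 192.168.34.150 comes from the thread;
# the WAN and remote addresses are documentation-range placeholders.
LAN = ip_network("192.168.34.0/24")
ROUTER_LAN_IP = ip_address("192.168.34.1")      # assumed router LAN address
WAN_IP = ip_address("203.0.113.10")             # placeholder for 99.10.x.x
SERVER = ip_address("192.168.34.150")
# Control ports plus the passive range mentioned in the thread.
FORWARDED = {21, 989, 990} | set(range(49152, 50001))


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    dport: int


def router_forward(pkt, in_iface, dnat_on_lan, hairpin_snat):
    """Apply the forwarding rule; return the rewritten packet or None."""
    if pkt.dst != WAN_IP or pkt.dport not in FORWARDED:
        return None
    if in_iface == "lan" and not dnat_on_lan:
        return None  # rule only matches traffic arriving on the WAN port
    src = pkt.src
    if in_iface == "lan" and hairpin_snat:
        src = ROUTER_LAN_IP  # force the server's reply back through the router
    return Packet(src, SERVER, pkt.dport)


def connect(client, dnat_on_lan, hairpin_snat, port=21):
    """Classify a TCP connect to WAN_IP:port as ok / no-forward / reply-mismatch."""
    client = ip_address(client)
    in_iface = "lan" if client in LAN else "wan"
    fwd = router_forward(Packet(client, WAN_IP, port), in_iface,
                         dnat_on_lan, hairpin_snat)
    if fwd is None:
        return "no-forward"
    if fwd.src in LAN and fwd.src != ROUTER_LAN_IP:
        # Server answers the LAN client directly from 192.168.34.150; the
        # client is waiting for a reply from WAN_IP and discards it.
        return "reply-mismatch"
    return "ok"  # reply passes through the router, which reverses the NAT


if __name__ == "__main__":
    for label, args in [
        ("WAN client", ("198.51.100.7", False, False)),
        ("LAN client, WAN-only rule", ("192.168.34.20", False, False)),
        ("LAN client, DNAT without SNAT", ("192.168.34.20", True, False)),
        ("LAN client, DNAT + SNAT", ("192.168.34.20", True, True)),
    ]:
        print(f"{label:32} -> {connect(*args)}")
```

Resolving the hostname to the server's LAN address for internal clients (the separate DNS server idea in the thread) avoids this path altogether, because the connection never touches the router's NAT rules.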