Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[tranmansd]

Up until December 2013, my home network was setup as follow:
Router: DLink-655
NAS: DNS-323
In the configuration for port forwarding I was able to forward port 21 to support FTP.
Everything works great until I upgrade my router.
My new configuration:
Router: Netgear R7000
NAS: DNS-323
The Netgear router default port 21 to support USB FTP so I configured the port forwarding for the NAS
at 1025.
When I'm at home, I tested the ftp using filezilla and FireFTP and were able to see the two drives in my NAS.
However, when I'm at work using the same tools (filezilla and FireFTP) I am not able to connect to the NAS.
I can see it connect to my router, continue to my NAS but can't seems to find the NAS directories and time out.
This is the log from filezilla when tested within my home network

Status:    Resolving address of xxx.xxx.xxx.xxx
Status:    Connecting to xxx.xxx.xxx.xxx:1025...
Status:    Connection established, waiting for welcome message...
Response:    220---------- Welcome to Pure-FTPd [TLS] ----------
Response:    220-You are user number 1 of 10 allowed.
Response:    220-Local time is now 18:23. Server port: 1025.
Response:    220-This server supports FXP transfers
Response:    220 You will be disconnected after 2 minutes of inactivity.
Command:    USER xxxx
Response:    331 User xxxx OK. Password required
Command:    PASS ****************
Response:    230 OK. Current restricted directory is /
Command:    SYST
Response:    215 UNIX Type: L8
Command:    FEAT
Response:    211-Extensions supported:
Response:     EPRT
Response:     IDLE
Response:     MDTM
Response:     SIZE
Response:     REST STREAM
Response:     MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:     MLSD
Response:     ESTP
Response:     PASV
Response:     EPSV
Response:     SPSV
Response:     ESTA
Response:     AUTH TLS
Response:     PBSZ
Response:     PROT
Response:    211 End.
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PORT 192,168,1,2,197,85
Response:    200-FXP transfer: from xxx.xxx.xxx.xxx to 192.168.1.2
Response:    200 PORT command successful
Command:    MLSD
Response:    150 Connecting to port 50517
Response:    226-ASCII
Response:    226-Options: -l
Response:    226 2 matches total
Status:    Directory listing successful

Now this is the log when I'm at work

Status:    Resolving address of xxx.xxx.xxx.xxx
Status:    Connecting to xxx.xxx.xxx.xxx:1025...
Status:    Connection established, waiting for welcome message...
Response:    220---------- Welcome to Pure-FTPd [TLS] ----------
Response:    220-You are user number 1 of 10 allowed.
Response:    220-Local time is now 13:49. Server port: 1025.
Response:    220-This server supports FXP transfers
Response:    220 You will be disconnected after 2 minutes of inactivity.
Command:    USER xxxx
Response:    331 User xxxx OK. Password required
Command:    PASS ****************
Response:    230 OK. Current restricted directory is /
Command:    SYST
Response:    215 UNIX Type: L8
Command:    FEAT
Response:    211-Extensions supported:
Response:     EPRT
Response:     IDLE
Response:     MDTM
Response:     SIZE
Response:     REST STREAM
Response:     MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:     MLSD
Response:     ESTP
Response:     PASV
Response:     EPSV
Response:     SPSV
Response:     ESTA
Response:     AUTH TLS
Response:     PBSZ
Response:     PROT
Response:    211 End.
Status:    Server does not support non-ASCII characters.
Status:    Connected
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is your current location
Command:    TYPE I
Response:    200 TYPE is now 8-bit binary
Command:    PASV
Response:    227 Entering Passive Mode (192,168,1,3,217,31)
Status:    Server sent passive reply with unroutable address. Using server address instead.
Command:    MLSD
Error:    Connection timed out
Error:    Failed to retrieve directory listing

When I log into my router I can see the router acknowledge the NAS is physically connected to the router and assigned
192.168.1.3

My intention is just setup the NAS so that I could connected to it from anywhere to able to retrieve files.
Thank you
LT

[fordem]

Command:    PASV
Response:    227 Entering Passive Mode (192,168,1,3,217,31)
Status:    Server sent passive reply with unroutable address. Using server address instead.
Command:    MLSD
Error:    Connection timed out
Error:    Failed to retrieve directory listing

The above quote was taken from the last few lines of your log - what it shows is that the NAS is not correctly configured for passive ftp, because it is sending it's own LAN address - you may also need (if you haven't already done it) to forward a range of ports for the passive connection.

One of the quirks of ftp is that it uses two separate connections, the first is a control connection that is made from client to server on port 21, the second is a data connection from the server to the client - consumer router/firewalls typically allow all outgoing requests, and block all incoming - this is why you need to forward port 21 to the NAS.

It is now common practice for most consumer router/firewalls, on detecting an outgoing ftp connection on port 21 to expect an incoming connection request from the same ip address and to allow that connection through, redirecting it to the host that sent the outgoing ftp request - if this was not done, the user would have to forward ports on the client side of the connection.

The problem is that when you use a non standard port - your router/firewall does not recognize this as an ftp request, and discards the incoming data connections.

The solution to this is passive ftp, in which both connections are made from the client to the server, first the control connection is made and then the ftp server will tell the client what address and port to use for the data connection, so port forwarding is only required at the server end.

[tranmansd]

Thank you for the response. 
Let me see if I understand ..... In order to configure the forwarding correctly I would need to set a set of ports?
Currently I'm setting the DNS-323  as follow:
Max user: 10
Idle Time: 2
Port: 1025
Passive Mode: Select "Use the default port range (55536-55663)
Client Language: WEstern European
Flow Control: Unlimited

That's it.
Do I need to take the port 1025 out and it would default to the range 55536-55663?

On the weird side, when i configured my work machine to be able to VPN into my router, I was able to ftp to the NAX
using FireFTP but not Filezilla.  Once I disconnect the VPN, I'm no longer able to download even though i can still log in.

[fordem]

First - passive ftp - you need to set the router to forward BOTH the control port on 1025 AND the passive port range (55536-55663) to the NAS.  You may also need to get the NAS to send it's public (WAN) address, but I believe filezilla will work around that.


Second - VPN - there's nothing weird about what you're experiencing, although it does suggest that you are not familiar with the how/what/why of VPNs.

That VPN creates an encrypted connection from your work computer to your router - it's as if your work computer is connected directly to your LAN, by a very long, slow Ethernet cable - so whatever works on the LAN should also work over the VPN - because the tunnel "bypasses" the firewalls, connections that the firewalls would block are permitted.

[tranmansd]

I rarely ever use VPN.
So on my netger router, I did the following:
Service Type: TCP
External Starting Port: 1025
External Ending Port: 1026
Check "Use the same port range for internal port
Internal Starting Port: 1025
Internal Ending Port: 1026
Internal IP address: 192.168.1.3

That's the only thing I could do for the router port forwarding.
On the NAS, I select Static IP 192.168.1.3 to make sure this IP is dedicated to the NAS
At the NAS FTP setting, I set Port 1025
Check the box "Use the default port range (55536-55663)"
Report external IP in Passive mode External IP To my dns ip (is this correct?)

Not sure if I'm doing it correct?

[tranmansd]

Hi,
  After configured my NAS to support 1025-1026 I was able to use filezilla to log into my NAS.
However, I'm still having issue with accessing the file.  I can see there are two volumes in my
NAS (Volume_1 & Volume_2)...I tried to open a file in Volume_2 and received the log error below
This is the log from filezilla (I'm not on VPN)

Status:   Resolving address of xxx.xxx.xxx.xxx
Status:   Connecting to xxx.xxx.xxx.xxx:1025...
Status:   Connection established, waiting for welcome message...
Response:   220---------- Welcome to Pure-FTPd [TLS] ----------
Response:   220-You are user number 1 of 1 allowed.
Response:   220-Local time is now 12:25. Server port: 1025.
Response:   220-This server supports FXP transfers
Response:   220 You will be disconnected after 2 minutes of inactivity.
Command:   USER tran
Response:   331 User xxxx OK. Password required
Command:   PASS ****************
Response:   230 OK. Current restricted directory is /
Command:   SYST
Response:   215 UNIX Type: L8
Command:   FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Status:   Server does not support non-ASCII characters.
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is your current location
Command:   TYPE I
Response:   200 TYPE is now 8-bit binary
Command:   PASV
Response:   227 Entering Passive Mode (192,168,1,3,4,2)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 2 matches total
Status:   Directory listing successful
Status:   Retrieving directory listing...
Command:   CWD Volume_2
Response:   250 OK. Current directory is /Volume_2
Command:   PWD
Response:   257 "/Volume_2" is your current location
Command:   PASV
Response:   227 Entering Passive Mode (192,168,1,3,4,2)
Status:   Server sent passive reply with unroutable address. Using server address instead.
Command:   MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l
Response:   226 19 matches total
Status:   Directory listing successful
Status:   Resolving address of xxx.xxx.xxx.xxx
Status:   Connecting to xxx.xxx.xxx.xxx:1025...
Status:   Connection established, waiting for welcome message...
Response:   421 1 users (the maximum) are already logged in, sorry
Error:   Could not connect to server
Status:   Delaying connection for 5 seconds due to previously failed connection attempt...
Status:   Resolving address of xxx.xxx.xxx.xxx
Status:   Connecting to xxx.xxx.xxx.xxx:1025...
Status:   Connection established, waiting for welcome message...
Response:   421 1 users (the maximum) are already logged in, sorry
Error:   Could not connect to server
Status:   Delaying connection for 5 seconds due to previously failed connection attempt...
Status:   Resolving address of xxx.xxx.xxx.xxx
Status:   Connecting to xxx.xxx.xxx.xxx:1025...
Status:   Connection established, waiting for welcome message...
Response:   421 1 users (the maximum) are already logged in, sorry
Error:   Could not connect to server

[fordem]

You need to set the router to forward BOTH the control port on 1025 AND the passive port range (55536-55663) to the NAS.

[tranmansd]

Wish i could attach the image to show you the netgear configuration for port forwarding.
I could only configure as follow:
Service Name: DNS-323
Service Type: TCP
External Starting Port: 1025
External Ending Port: 1026
Check box on "use the same port range for internal port"
Internal Starting Port: 1025
Internal Ending Port: 1026
Internal IP address: 192.168.1.3
Those are the only choices I have.
Where can I set both control port to 1025? AND passive port range?

[fordem]

You create two SEPARATE port forwards to the same ip address.

#1 - ftp control - 1025 to 192.168.1.3
#2 - ftp data - 55536-55663 to 192.168.1.3

[tranmansd]

Awesome...It works
Thank you for being patient and helpful.