Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[chriso]

Well now that we have all been reminded that people some times have very good reasons for doing things, which might look funny without context...

I was curious why you went with DMZ instead of just setting up a "Virtual Server" for ftp?

Given that everyone can already talk to the Internet from each of these routers I think the problem with breaks down to one of two problems, firewall or routing.  

You can also break down the testing into sections.  For instance can you ftp from a machine on Router #2 to a machine on Router #3.  If that works you can setup a ftp server in a machine on Router #2 and see if you can get to it from Router #1, ... and same from the Internet to the Router #1

You can test the firewall part by disabling the firewall on Routers #2 and #3.  The only security whole there is that someone on Router #1 if they know Router #2 and #3 are there and they know the sub net, they can access downward, but of course this only needs to be opened up for the test, and actually isn't very likely that people would know to do it.

If the firewalls are not the problem then it is the routing, and your port forwarding is probably the problem.
One of the reasons for asking about the "Virtual Server" setup is that it should understand both to punch through the firewall and to do the proper routing.

[fordem]

Thank you all for your ideas and response.....

<SNIP>

As you can now see no matter how odd it may seem to other professionals who have designed networks with only 1 or 2 routers utilising hubs and switches, having 3 routers in a residential establishment is entirely practical to design and implement. What isn’t practical is having my ftp raid backup drive on Mr Landlords router No:1 downstairs physically unsecure.

If it were practical to design & implement - we wouldn't be having this discussion now would we?

The first point I want to make deals with ISP Acceptable Usage Policies - which I'm almost certain Mr Landlord is in violation of, and the second is to point out that Mr Landlord still does not have the full 50mb download speed - not if you're still sharing a single ISP circuit - share means he gets part of it, and the tenants get the rest - so if that's the sole purpose for adding the third router, well ... the mere fact that you can post says he doesn't have it all.

There are different approaches to providing internet connectivity to multi-tenant housing, wireless is the easiest approach, and a single router with multiple wireless access points would have been a more manageable implementation than the one you have chosen - this by the way, is how it's done, in different forms, in the hospitality industry across the entire United States - if you want to see a really large scale version of this concept, just visit your nearest University and take a look at the residence halls - trust me, they don't put routers in every apartment & dorm room.

Anyway - since I doubt Mr Landlord really wants to invest in a proper system, let's see how we can get you where you need to be.

Start by connecting to router #2 and see if you can reach the ftp server behind router #3 - if it doesn't connect, take a look at the ip addressing on the DNS-323, paying specific attention to the default gateway setting.

Chriso - using the DMZ is a fast & nasty way of exposing the "inner router" to the internet - strictly speaking the port forwarding on routers #1 & #2 aren't necessary because setting the DMZ effectively fowards all incoming traffic on all ports to the DMZ address.

This is something you would NOT want to do under normal circumstances as it has security implications, but in this case, since the DMZ host is another firewall, which would normally be exposed, the risk is mitigated.

[chriso]

I know what DMZ is, what I meant is, why use DMZ which opens up the firewall to everything, instead of just the one port. If you are going to open it that way then you just opened up the DNS-323 (or whatever machine you are using for ftp) to any one of the computers on router #2, not very good security.

BTW On the original speed problem, it most likely would have been better served by having a router with the proper settings for bandwidth allocation.

[fordem]

chriso - you missed the point.

Since the device he is putting as the DMZ IS a firewall/router ...

1) Placing it in/as the DMZ avoids the need to have to forward the ports individually.
2) The risk is minimal, as the device would normally be completely exposed anyway.

Go back to his original post ...

a) - on router #3 he has forwarded only port 21 to the DNS-323 - the 323 has not been configured as the DMZ, only incoming traffic on port 21 will be forwarded to it.

b) - Router #3 is the DMZ for router #2, so any incoming traffic on the #2 WAN port will reach router #3 (the forwarding of port 21 on router #2 is completely unnecessary)

c) - Router #2 is the DMZ for router #1, so any incoming traffic on the #1 WAN port will reach router #2 (again, the forwarding of port 21 on router #1 is unnecessary).

An incoming connection request on port 21 of router #1 will be sent to router #2's WAN port because of the DMZ, router #2 will then send it to router #3's WAN port, which in turn will forward it to the DNS-323, all other incoming requests on router #1's WAN port will make it to router #2's WAN port, and then router #3's WAN port, where they will be discarded.

My suspicion is that the DNS-323 does not respond, because it does not know how to - one possible cause if the default gateway entry that I have suggested he look at.

[Sneak]

This makes no sense to me.  Are you saying router 1 is connected to router 2 via ethernet cable, and router 2 is likewise connected to router 3 via ethernet cable?  If not, and you're trying to wirelessly daisy-chain, then give up and run some cable.

If so, why?  It makes no sense.  If you really think you MUST have 3 routers (which it sounds like you don't), run a separate longer cable from router 1 to router 3, then manage routers 2 and 3 independently.  Or you could put a wired switch between router 1 and router 2 to accomplish the same thing (as suggested by "D-Link Multimedia"), but that's additional cost and another moving part.  Either way, get router 2 out of router 3's way and your life is much easier. 

In my opinion, your best bet is to turn router 2 into a wireless access point (turn off DCHP, keep it on router 1's subnet), unplug it from router 3, then leave it alone.  Wire router 3 directly to router 1 and do your best at your "pc and network technician" work stuff.

This is of course assuming that you are ok helping your landlord violate his ISP's usage policies by sharing his connection with his tenants (I agree with fordem 100%) , and that you are ok using that (stolen) connection for your work.

Of course, the right thing to do is to pick up the phone, call the ISP, and ask them to turn on new service for you in your loft, pay for your own connection, and use it however you want.

Look forward to seeing your post upon success either way.

[chriso]

BTW my point with DMZ and such is this.  There is only one reason to use so many routers, and that is that you want to isolate the different networks.  You don't want machines on router 1 to see the machines on the router 2 network.  You don't want to let the machines on router 2 to see the machines on router 3.  Please note the opposite is not true (machines on router 3 can see the machines on all the other routers).  If that is not the reason for using multiple routers, then the purpose could have been achieved without the complications of so many routers.  And if isolation is the purpose then using DMZ when you should be forwarding just the ports that are needed is defeating the purpose.

If the purpose is to just to get more bandwidth back for the landlord, this is certainly not the best way to do it.

[fordem]

Chriso

See if you follow me here - one step at a time...

Router#3 has only port 21 forwarded to the DNS-323 - a host connected to it's WAN port can access only the DNS-323 - it cannot access any other hosts connected to the LAN side of router#3, or any other port on the DNS-323.  This is how things would be in a typical "one router" environment

Is that clear?

Router#3 has it's WAN port wired to a LAN port on router#2 and configured so that it is in the DMZ of router#2.  A host on router#2's WAN port cannot access anything on router#2's LAN side EXCEPT router #3, which will only accept a connection on port 21, and which it will pass to the DNS-323.  Router#2 will pass all incoming connection requests on it's WAN port to router#3 and router#3 only - there is no security risk for any other host connected to the LAN side of router#2.

Are you still with me?

Router#2 has it's WAN port wired to a LAN port on router#1 and configured so that it is in the DMZ of router#1.  A host on router#1's WAN port cannot access anything on router#1's LAN side EXCEPT router #2, which will pass the connection request to router#3, which will only accept a connection on port 21, and which it will pass to the DNS-323.   Router#1 will pass all incoming connection requests on it's WAN port to router#2 and router#2 only - there is no security risk for any other host connected to the LAN side of router#1.  Router#2 will pass these requests on to router#3, and router#3 only - there is no security risk to any other host on the LAN sides of either routers #1 or #2.

Still following?

The reason to use the DMZ is ease of use - if necessary, the user can then make port forwarding changes at router#3 only, completely ignoring routers #1 & #2 - as an example, he could decide to use a non standard ftp port, perhaps 2121 - and all he would need to do is change the port forwarding at router #3 - router#1 will pass an incoming connection request on port 2121 onto router #2 because it's in the DMZ, and in the same fashion, router#2, will pass it on to router #3, which will then either forward or block based on it's configuration.

Get the idea now?

Yes - a host on the LAN side of router#3 will have access to any hosts on the LAN side of router#2, and also router#1, and hosts on the LAN side of router#2 will have access to hosts on the LAN side of router #1 - so whilst Mr Landlord is protected from the outside world, he really has no protection from any of his tenants, and if - by chance - Mr pc & network technician, working from home, were to connect a virus infected computer to the LAN side of router#3, it's entirely possible for every computer on LANs #1, #2 & #3 to become infected, depending of course on the anti-virus package in use at the time, and it's "state of currency".

Not a nice concept at all - and it can be avoided using the appropriate network design.

As far bandwidth goes - this provides no bandwidth control whatsoever - and if the three routers are all capable of the 50mb/sec WAN/LAN throughput mentioned, then it would be possible to start an ftp download from the DNS-323 and completely saturate the uplink channel to the ISP thereby choking the downlink.

[chriso]

Yeah I get it.

I wonder if Landlord knows, that he is not isolated from tenants, and that tenants can still take up to half of the overall bandwidth (they will actually get 100% if he isn't using any).  There is no bandwidth control of course, but if you have two computers (in this case computer and other router) on a switch/router competing for the bandwidth the router should give half of it to each of them.  I guess you could force "bandwidth control" by just making sure router #2 wan port is set 10 Mbps.

Of course the tenants will be happy to know that Landlord is blocked from accessing their computers.  
Then again, I wonder how I would feel about the ISP connection provided if I knew that other tenants can access my machine.  I would think if you went to the tenant's apartment's you would find that they have firewalls (at least software) in place.

Anyway certainly not how I would have setup the network.

[dosborne]

Face it guys, this is obviously not an ideal setup, nor is the OP very well versed in networking topology. It works for him and he thinks it meets his needs. Let it go.

[fordem]

Yeah I get it.

I wonder if Landlord knows, that he is not isolated from tenants, and that tenants can still take up to half of the overall bandwidth (they will actually get 100% if he isn't using any).  There is no bandwidth control of course, but if you have two computers (in this case computer and other router) on a switch/router competing for the bandwidth the router should give half of it to each of them.  I guess you could force "bandwidth control" by just making sure router #2 wan port is set 10 Mbps.

Not exactly - and you can try this for yourself - assuming you have a router and multiple computers - start a download from one site on one computer, wait about 30 seconds or so and then start a second download from a different site on the second computer, wait another 30 seconds and then start a third download on a third computer - watch and see how long the download speeds take to equalize - if they ever do.

You can also run a bt download on one system and try to simply browse the net from a second - the computer running the download will invariably hog the bandwidth, making the browsing experience pure frustration.

As far as forcing bandwidth control goes - how many routers do you know which allow you to set the port speed on any of the ports, WAN or LAN?

As far as the other tenants go - consider this - if you travel on business, you probably carry a laptop, and have probably used the free wifi that most hotels offer (if a hotel doesn't offer free high speed internet, it doesn't get my business), this setup offers no more (and no less) protection.  The same goes for free wifi at coffee shops, colleges etc.

[HSishi]

I won't discuss about the nesting of routers or if it's a good idea. Some weeks ago past I found out, just forwarding Port 21 for passive FTP, is not enough.

Let me explain ...

Modern routers support not only forwarding single ports or a port range, they can also forward services. What means, it's a difference between forwarding to "Port 21" or forwarding to a "FTP Server".
I experimented a bit with this and found out, I have either to set a port forwarding to a "FTP server" or forward at least two ports, beginning at Port 21. I still don't know why this works and just port 21 won't.

So you can try 3 things (in "cleanest way" order):
1. Forward "FTP Server" (may be called different in your routers) from router to router to router to NAS.
2. Forward more than one port (I suggest 5), beginning from Port 21, from WAN router 1 to router 2 to router 3 to NAS.
3. Forward in the following way, using different ports, to keep the route clean if more than one FTP server is involved:
Router 1: Forward Ports 21..25 (WAN) to (e.g.) 121..125 (LAN -> Router 2)
Router 2: Forward Ports 121..125 (WAN) to 121..125 (LAN -> Router 3)
Router 3: Forward Ports 121..125 (WAN) to 21..25 (LAN -> NAS)

Important: If one or more of your routers have own FTP server/s (some AVM Fritz! Boxes, for example, do that), disable these server/s or choose and forward different ports to access from the internet.

//HSishi

[fordem]

I won't discuss about the nesting of routers or if it's a good idea. Some weeks ago past I found out, just forwarding Port 21 for passive FTP, is not enough.

If you're going to host a passive ftp server behind a NAT router, you will need to forward a range of passive ports in addition to the control port (default 21) - the default range of passive ports used by the DNS-323 ftp server is 55536~55663.

It is not just an issue of the number (quantity) of ports forwarded, so simply forwarding a range of five ports (21~25) is not enough, you also need to tell the ftp server which ports you have opened - personally, I forward the default range, it makes life easier, one less custom setting to remember.

I have had people tell me that ports 21 & 22 need to be forwarded for an ftp server - which is basically what you are saying now - BUT - I have NEVER had to that, ALL of my active ftp servers have worked with port 21 alone, and I've been doing this for over a decade - Belkin, Cisco, D-Link, Linksys, Netgear - all have worked for me with just 21.

[OlegMZ]

Guys, do not forget, that normally FTP server, which is behind firewall MUST BE ABLE to work in passive mode. The reason to this is that FTP clients are very likely (90%) to be hidden behind their own firewalls and can only INITIATE connection themselves, so incoming FTP DATA connection from ACTIVE FTP server will be dropped by firewall rule. And you do not want to open incoming connection from random remote IP address with source port TCP/20 (FTP-DATA) and destination port RANDOM (1024-65534) to inside your network.

In order for ACTIVE PASSIVE FTP server to work behind firewall it is NOT enough to just open TCP/21 (FTP-CONTROL) to this server. You have to open the wide range of ports 1024-65534 (in general case) to your FTP server for incoming FTP-DATA connection from the client, which is very bad idea.
Luckily virtually all modern routers (even home ones) support APPLICATION INSPECTION for many services, including FTP. When they see incoming FTP connection they inspect the TCP packet payload  (to FTP server on port 21) and derive from it the information about source and destination ports for DATA connection.
After that they DYNAMICALLY create temporary rule for this connection and remove it as soon as FTP session is ended.

So in the case of any FTP connection troubleshooting there are 2 steps which should be inspected.
1) Initial connection to TCP/21 port itself. This is very easy. Just go to command prompt of you PC and issue following command telnet x.y.w.z:21 where x.y.w.z is the IP address of your FTP server.
If you see the reply from the FTP server ( 220 - Welcome to ftpd blah blah blah.), go to step 2 - port forwarding works fine.

2) Make sure inspection works at all the routers. This is no very easy on SOHO routers, so primary way I guess is to treat each router as a "black box", put FTP client in from of each in the chain and try to access the FTP server. Probably it is one of the routers misconfiguration. But it also may be something else - for example destination port which FTP client has dynamically chosen for DATA is in use at on of the routers for PAT for dynamic connection from behind one of the routers.
Packet capture with wireshark would also help, however it is unlikely that any consumer grade router/switch provide capability for port mirroring. Any chance to grab some cisco switch for testing? :-)

[fordem]

Oleg you seem to be confused as to how ftp works.

First - it IS possible to run an active (ie not passive) ftp server forwarding just a single port (21) through a NAT firewall - I am doing exactly this in my office with a DNS-323 behind a Netgear firewall and also at a couple of customer locations with other ftp servers and other NAT firewalls.

In over ten years of implementing ftp servers for clients, I have yet to come across an installation where I could not get an active ftp server up and running on the default port 21, with just that single port forwarded.

Second - with active (ie not passive) ftp - the intitial (or control) connection is made from the client inbound to the server, traditionally on port 21, which is why it needs to be forwarded - the second connection, the data connection is made in the opposite direction, from the server to the client - this is why no additional port forwarding is needed at the server end.

It is with passive ftp that the data connection is made from the client to the server and if passive ftp is being used, that is when an additional range of ports needs to be forwarded to the server.  There is also no need to open the entire range from 1024~65534, most ftp servers will allow you to specify the range of ports that they will use, and with the DNS-323 that range defaults to 55536~55663.

[OlegMZ]

Oleg you seem to be confused as to how ftp works.

Not exactly. I just made a typo at the beginning of my second paragraph and instead of PASSIVE wrote ACTIVE.

In order for ACTIVE PASSIVE FTP server to work behind firewall it is NOT enough to just open TCP/21  blah blah blah...

My bad. I was talking about passive mode as preferable for FTP server behind firewalls from the very beginning and my whole description was regarding it. Well, busy morning is not the best time for such essays - too many disruptions :-).

First - it IS possible to run an active (ie not passive) ftp server forwarding just a single port (21) through a NAT firewall - I am doing exactly this in my office with a DNS-323 behind a Netgear firewall and also at a couple of customer locations with other ftp servers and other NAT firewalls.

You did not get my point. I never stated that FTP server in ACTIVE mode would not work behind firewall. This is the easiest setup. Yet it has one huge drawback. In case the SERVER is in active mode, the client MUST NOT be behind firewall or it must be behind firewall which does support application inspection and is able to create temporary rules for data traffic initiated from FTP server to the client.
In other words - if both FTP server and client are behind their own firewalls at least one of firewalls must be able to inspect FTP control traffic and dynamically open appropriate ports for it. If it is done on client side, then active FTP will work. If it is on the sever side, passive FTP will work. So it makes a good sense to configure application inspection on the server firewall and allow passive FTP mode to guarantee that any client, behind any type of firewall (dumb or intelligent) will be able to access the server.

There is also no need to open the entire range from 1024~65534, most ftp servers will allow you to specify the range of ports that they will use, and with the DNS-323 that range defaults to 55536~55663.

I agree. It helps to overcome limitations of very basic firewalls, which are unable to inspect traffic,  however this is still not very secure solution. These ports are opened all the time and are exposed for everybody on the internet. And these are TCP. So it is very easy for attacker to scan, detect opened port and mount an attack. If server is busy and amount of ports is limited good chances it will succeed.


Неre are a couple of links in case someone wants to know about FTP modes better:
http://slacksite.com/other/ftp.html
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html
Much more is very easy to google.

P.S. Using SFTP is much better as it
1) provides secure connection
2) works through single TCP/22 port (SSH). So neither application inspection, nor dynamic port openings is necessary..