FTP Server setup... I'm so close!


Guest

Arg! I'm so close to getting it set up, I can taste it. But there is one
problem I can't get.

I have installed the Internet Information Services, etc, and have the FTP
working internally on my network. I have enabled forwarding of the FTP in my
DLink router.

I can get connected using my outside IP when I use an external FTP client,
but I get this in the log window of my FTP program:

connecting to 69.5.156.111:21
connected to 69.5.156.111 port 21
220-Microsoft FTP Service
USER anonymous
331 Annonymous access allowed, send identity (email name) as password.
PASS (hidden)
230 Anonymous user logged in.
PWD
257 "/" is current directory
SYST
215 Windows_NT
Host type (S): Microsoft NT
PASV
227 Entering Passive Mode (192,168,0,111,19,148).
connecting to 192.168.0.111:5012
---
connecting to 192.168.0.111:5012
Connected to 192.168.0.111 port 5012
LIST
426 Connection closed; transfer aborted.
! Retrieve of folder listing failed.


The weird thing is that I can still make folders and they show up on my
server, but they don't show up at all in my FTP program.

I feel like I'm so close, but I can't figure out what I'm doing wrong. Can
anyone help? Thanks for your time!!!

Carl Sundermann
 

Philip Ashley

You will usually find that the server needs to have some ephemeral ports
opened as well as ports 20 and 21. These can be defined specifically in the
server, maybe in a range of about 15 consecutive numbers, and these need to
be forwarded in the router as well.
I use FileZilla Server and define the ephemeral ports in the options there.
Initially it looks like your port range starts at 5012, but look at your
server configuration.

hth

philip ashley
 

Ron Lowe

Carl Sundermann said:
Arg! I'm so close to getting it set up, I can taste it. But there is one
problem I can't get.

I have installed the Internet Information Services, etc, and have the FTP
working internally on my network. I have enabled forwarding of the FTP in my
DLink router.

I can get connected using my outside IP when I use an external FTP client,
but I get this in the log window of my FTP program:

connecting to 69.5.156.111:21
connected to 69.5.156.111 port 21
220-Microsoft FTP Service
USER anonymous
331 Annonymous access allowed, send identity (email name) as password.
PASS (hidden)
230 Anonymous user logged in.
PWD
257 "/" is current directory
SYST
215 Windows_NT
Host type (S): Microsoft NT
PASV
227 Entering Passive Mode (192,168,0,111,19,148).
connecting to 192.168.0.111:5012
---
connecting to 192.168.0.111:5012
Connected to 192.168.0.111 port 5012
LIST
426 Connection closed; transfer aborted.
! Retrieve of folder listing failed.


The weird thing is that I can still make folders and they show up on my
server, but they don't show up at all in my FTP program.

I feel like I'm so close, but I can't figure out what I'm doing wrong. Can
anyone help? Thanks for your time!!!

Carl Sundermann


Your external client is trying to use Passive Mode.
Since your server is behind NAT, that is the problem.

So what to do?

Your simplest solution is to have external clients connect using Active Mode
FTP.
In other words, disable PASV mode.

( Note that this may prevent external clients from connecting if they too
are behind a NAT router. - This is one of the downsides of having an FTP
server behind a NAT. )

FTP is a difficult protocol for NAT routers to handle properly, and you
will have one set of issues with a NAT router at the client side, and an
opposite set of issues with a NAT router at the server side. In cases where
both the client and server are behind NAT, FTP may be impossible.

Summary:
Client behind NAT: Use PASV mode.
Server behind NAT: Use Active ( PORT ) mode.
Both client and server behind NAT: Possibly not going to work, without some
special handling on the NAT router. Try Active, and hope that the
client-side NAT is smart enough to make a special exception for the FTP
session. It may well do.

For a more detailed explanation about the technical background,
grab a strong coffee and read on:

First, let's get on to the same page about how Active and Passive FTP work:

http://slacksite.com/other/ftp.html
http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html

Quick summary:

FTP uses 2 connections:
Control and Data.
Control always comes from clientIP:ephemeral to serverIP:21.
This is why you forward port 21 on your router.

Data depends on Active/Passive mode.
Client requests either active (PORT) or passive (PASV).

Active:
After initial control connection to server port 21,
Client opens ephemeral port, and tells server to connect to it.
Server connects from serverIP:20 -> clientIP:ephemeral

Passive:
After initial control connection to server port 21,
Server opens ephemeral port, and tells client to connect to it.
Client connects from ClientIP:ephemeral -> ServerIP:ephemeral

Now, here's what's happening in your situation,
With server-side NAT ( which you have ).

Active mode:
Client connects to your external IP:21.
This is explicitly forwarded to the FTP server:21.
The control connection is established OK.
Client requests PORT mode.
Client opens ephemeral port, and tells server to connect to it.
Server connects from serverIP:20 -> clientIP:ephemeral.
This is an outbound connection through your NAT, and so it works OK.

Passive Mode:
Client connects to your external IP:21.
This is explicitly forwarded to the FTP server:21.
The control connection is established OK.
Client requests PASV.
Server replies with IP:RandomPort to connect to.
Client will attempt to connect to the IP:port the server specified.

2 problems here:

1) The server will tell the client the wrong IP address.
The server sees itself as 192.168.0.10 or whatever.
It has no knowledge of the external IP,
and so the client attempts to connect to a non-routable IP.
(This is what you are seeing.)

2) The server has opened a random port and asked the client to connect.
The NAT device knows nothing of this, and will see the incoming connection
from the client as unsolicited, and drop the packet.

You need to overcome these 2 fundamental problems to allow Passive FTP to a
server behind NAT.

To solve (1),
Sometimes, an FTP server will have options to manually specify an external
IP.
Sometimes, the NAT is clever enough to recognise the FTP session,
and actually edit the contents of the packet and insert the correct external
IP address.
If neither of these can be done, then it's not going to work.

To solve (2),
If the NAT is clever enough to handle (1), it may also open up a temporary
port-forwarding on-the-fly to accommodate (2).
If it isn't, then you can restrict the Passive Port Range on the server to a
couple of hundred ports,
then on the NAT router, explicitly forward that port range to the FTP
server.
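The two problems Ron describes can be checked mechanically from the 227 reply the server sends. This is an added example, not code from anyone in the thread: it parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply from Carl's log, flags a non-routable advertised address (problem 1) and a data port outside the range forwarded on the router (problem 2), and shows the client-side fallback of reusing the control connection's peer address; the function names and the `forwarded_range` parameter are assumptions.

```python
import ipaddress
import re

# RFC 959 form of the reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."; port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply):
    """Return the (host, port) that a 227 reply tells the client to connect to."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def diagnose_pasv(reply, control_peer_ip, forwarded_range=None):
    """Check a 227 reply for the two server-behind-NAT problems.
    control_peer_ip is the address the control connection actually reached;
    forwarded_range is the (low, high) passive range forwarded on the router
    (hypothetical parameter), or None if nothing is forwarded."""
    host, port = parse_pasv_reply(reply)
    addr = ipaddress.ip_address(host)
    findings = []
    # Problem 1: the server advertises its own LAN address, which the client cannot route to.
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        findings.append("non-routable address %s advertised" % host)
    elif host != control_peer_ip:
        findings.append("advertised %s but control connection went to %s" % (host, control_peer_ip))
    # Problem 2: without a forwarding rule (or an FTP-aware NAT) the inbound data SYN is dropped.
    if forwarded_range is None or not (forwarded_range[0] <= port <= forwarded_range[1]):
        findings.append("data port %d is not within a forwarded port range" % port)
    return host, port, findings


def effective_data_endpoint(reply, control_peer_ip):
    """Client-side fallback: if the 227 reply names a non-routable address,
    connect to the control connection's peer address on the advertised port."""
    host, port = parse_pasv_reply(reply)
    addr = ipaddress.ip_address(host)
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return control_peer_ip, port
    return host, port
```

Run against the reply in Carl's log with his public address 69.5.156.111 as the control peer, `diagnose_pasv` reports both problems, and `effective_data_endpoint` yields 69.5.156.111:5012, which only works once that port is also forwarded on the router.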
 
