Slasky (Aspirant)
Jul 03, 2012
FTP server using passive ports
Hello everybody.
This is more of a network-question than a readynas one.
I've just recently bought an Ultra 4 in addition to my Duo. I've had, and still have, the FTP service running at the Duo, and was setting up the same for the Ultra.
Problem one was that my router can't seem to forward the same port to two different devices, but that's not the issue.
I chose another port for the FTP server on the Ultra, and forwarded that port in my router to the Ultra's IP address. The problem is that the Ultra's FTP server uses the passive ports, since the server sends a passive response. I'd think that since I've opened the port in question, the server would go in active mode, but after further examination, I see during logging onto both the servers, both enter passive mode.
The weird part is this:
When I log onto the FTP server on the Duo, I don't have to open the passive ports in the router, and it seems to use the FTP port I've specified.
When I log into the FTP server on the Ultra, I can't seem to fully enter without defining the passive ports in the router.
As I said, I've forwarded the specified port in the router for the Ultra server, but it won't use it -.-
Any suggestions?
Greetings, Slasky
23 Replies
- Slasky (Aspirant)
Hey
Thanks for all the answers.
I just tried removing the passive ports on my firewall and tried connecting through my external address from home (RDP from work) and that didn't work. So I guess my router isn't NAT'ing the request right or the FTP server can't understand the NAT'ing being done.
StephenB wrote:
EDIT: since https is allowed, another approach is to manage the home router remotely through https, and change the forwarding rule for port 21 when he wants to access the other ReadyNAS. That is cumbersome, but would work.
This is what I most likely will have to do in the cases where I need to access the other FTP. I can't manage my router directly from work, since the managing ports on the router itself start at 1024 >.< I have a workaround though with ReadyWOL addon on my Duo and RDP passthrough the router on a lower port number than standard :)
Thanks for the very clarifying answer to active and passive mode. I think it's safe to say that the corporate firewall in combination with my firewall is borking that connection up into oblivion. I've masqueraded both servers as my external DNS address as well as set my FTP connection to active, since it sets itself as passive as default. It works like a charm.
From the outside the speed of the Duo and Ultra are about the same, so I'll figure out which dataset I need access to :P
As I stated a few posts up, I guess it's a trade-off on which FTP that I want to be available at any given time.
I'll say this will be the answer, given that I've tried everything I could think of, as well as everything suggested here about port-forwarding and routing/NAT'ing.
Thank you again for the help :)
Slasky
- StephenB (Guru - Experienced User)
With most routers, you manage the router with https (port 443). So you should be able to manage the router from work. It doesn't matter what settings you are changing (including ports > 1024), as long as https reaches the router.
Slasky wrote: ... I can't manage my router directly from work, since the managing ports on the router itself start at 1024 >.
Though of course you wouldn't be able to reach either ReadyNAS using https if you set it up this way (since non-standard ports seem to result in blocked services from your corporate firewall).
- Slasky (Aspirant)
I have a own web managing tab on the menu on the router, stating that outside management would go to a certain port number that I specify, which is allowed from 1024 and up :)
For the reference, I have a NetGear N600 router.
And that picture shows how I set my remote management
- StephenB (Guru - Experienced User)
Oops, you are correct - the R6300 does the same.
From my point of view that is a bug, it should let you specify 443.
- Slasky (Aspirant)
Imo, although considered a security risk, ports under 1024 should be allowed, so the users themselves can determine if they want to put themselves at more risk, rather than the firmware saying that you can't
- StephenB (Guru - Experienced User)
I agree - and there really is no greater security risk anyway. Standard port usage is defined by IANA.
0-1023 - "System ports"
1024-49151 - "User ports"
49152-65535 - "Dynamic/Private ports"
The risk of using a system port is that it might interfere with another common (and perhaps essential) network service. For instance, if you tried to use port 53 you would interfere with DNS. It doesn't really impact security one way or another.
In this case, 443 is the standard port for HTTPS, there is no reason why the router shouldn't be able to use it.
- Slasky (Aspirant)
Unless you have a https port specified on the inside, as you stated earlier. I have specified other https ports on either of my NAS'es, just to separate them.
But then again, I guess it's Netgear's way of staying clear of people using system ports, like you said, 53 for DNS i.e. and borking up the network setup they have.
It should just have come with a warning once you set a port under 1024 that it can interfere with other services, rather than just block them all off.
- Slasky (Aspirant)
Btw, I just had an idea. You might have suggested it, but if so, I've overlooked it :P
I just forced filezilla to use active mode instead of passive mode, and I deleted the port forwarding rules on my router.
I connected to my external IP / DNS address with my specified active port, and it went through without any problems. Gonna test this at work tomorrow. If this works, all I have to do is define that filezilla will have to work in active mode, and I'll have both my NAS'es available.
I'll give you an update tomorrow. Guess the problem lay in the client :P
Hopefully it'll slip through the corporate NAT / Firewall
- pugilares (Aspirant)
Chance is next to zero that you will be able to exchange files with your FTP server in active mode when outside your LAN and covered by the corporate NAT. In active mode FTP server initiates connections to the random ports of the client side to transfer data. All those ports are shut down hollow on the corporate firewall.
The passive mode is way around that. But only in case that your corporate firewall lets through outgoing connections within the passive mode data range - this range you specify on your FTP server.
http://wiki.filezilla-project.org/FAQ
"Normal" firewall typically lets through outgoing connections. But "corporate" firewall typically blocks all traffic - incoming and outgoing on all ports with the exception for the few ports specified by corporate network admin. So there are just ports for http, DNS, pop3/smtp/imap (if so) and not much more. But of course I don't know your particular corporate network settings.
- Slasky (Aspirant)
Ye, I forgot about that slight fact -.-
Although, you gave me a good idea. I'm gonna try setting passive ports below 1024, if the NAS allows it.