FTP server using passive ports
2012-07-03
12:49 PM
Hello everybody.
This is more of a network-question than a readynas one.
I've just recently bought an Ultra 4 in addition to my Duo. I've had, and still have the FTP service running at the Duo, and was setting up the same for the Ultra.
Problem one was that my router can't seem to forward the same port to two different devices, but that's not the issue.
I chose another port for the FTP server on the Ultra, and forwarded that port in my router to the Ultra's IP address. The problem is that the Ultra's FTP server uses the passive ports, since the server sends a passive response. I'd think that since I've opened the port in question, the server would go in active mode, but after further examination, I see during logging onto both the servers, both enter passive mode.
The weird part is this:
When I log onto the FTP server on the Duo, I don't have to open the passive ports in the router, and it seems to use the FTP port I've specified.
When I log into the FTP server on the Ultra, I can't seem to fully enter without defining the passive ports in the router.
As I said, I've forwarded the specified port in the router for the Ultra server, but it won't use it -.-
Any suggestions?
Greetings, Slasky
Message 1 of 24
2012-07-03
05:13 PM
Re: FTP server using passive ports
That is because it is impossible. Like trying to forward your mail to two different addresses.
Slasky wrote: Problem one was that my router can't seem to forward the same port to two different devices...
I'm not completely sure what you did, but the normal way you solve this problem is:
forward five ports (X to X+4) to the DUO, using X for the main port and the other X+1 to X+4 for the passive ports.
forward five different ports (Y to Y+4) to the ultra, using Y for the main port and the other Y+1 to Y+4 for the passive ports.
You also need to configure the DUO to use X+1 to X+4 for passive ports, and the ULTRA to use Y+1 to Y+4.
Then specify port X in your ftp client when connecting to the DUO, and port Y in client when connecting to the ULTRA
Message 2 of 24
2012-07-03
11:36 PM
Re: FTP server using passive ports
That's basically what I've done. The only problem here is that I need to use ports lower than 1024 to access anything from my work, as they've blocked any port over 1024 on the firewalls.
The setup is like this:
Duo Server
Port: 21
Passive Ports: 14170-14180
Router settings:
Port 21 forwarded from port 21 external to port 21 internal to Duo IP
Ultra Server:
Port: 27
Passive Ports: 14190-14200
Router settings:
Port 27 forwarded from port 27 external to port 27 internal to Ultra IP
Ports 14190-14200 forwarded from port 14190-14200 external to port 14190-14200 internal to Ultra IP
What's strange is that the Duo doesn't use its passive ports, just the normal one, as the Ultra pops in on the passive ports only.
I've also tried changing the port number of the Ultra server just to check that it doesn't collide with another service.
Thanks for the answers though
Message 3 of 24
2012-07-04
01:07 AM
Re: FTP server using passive ports
As your server works in passive mode - did you setup ftp masquerade?
You say that "the Duo doesn't use its passive ports, just the normal one, as the Ultra pops in on the passive ports only" - what do you mean by that - what says your client?
Message 4 of 24
2012-07-04
03:54 AM
Re: FTP server using passive ports
Slasky - what client are you using? With filezilla you can see what passive port is being engaged (though you need to do the math, since it gives you the high and low byte of the port number separately). My Duo V1 definitely uses the passive port. If you are checking this from work, perhaps the firewall is acting as an FTP proxy for the Duo. You could confirm this by changing it to a non-standard port (21 being the normal FTP port). Or see if you get the same behavior when connecting locally.
I use filezilla, and don't configure the masquerade. Filezilla will detect the private address and substitute the address used on the IP layer. If I set the masquerade, then I can't connect inside my LAN (since FileZilla won't substitute a private address for a public one)
pugilares wrote: As your server works in passive mode - did you setup ftp masquerade?
Message 5 of 24
2012-07-04
04:10 AM
Re: FTP server using passive ports
pugilares wrote:
As your server works in passive mode - did you setup ftp masquerade?
You say that "the Duo doesn't use its passive ports, just the normal one, as the Ultra pops in on the passive ports only" - what do you mean by that - what says your client?
To clarify, both servers enter passive mode, due to being behind a firewall in my router. The thing is that I haven't forwarded the passive ports for the Duo, that's why I assume it's using the original port (port 21)
I've set up masquerade on both servers as the internal IP, to be able to access them locally. This works fine for the Duo, and the Ultra. The servers enter passive mode even if I masquerade them as the external IP or my DynDNS domain.
StephenB wrote:
Slasky - what client are you using? With filezilla you can see what passive port is being engaged (though you need to do the math, since it gives you the high and low byte of the port number separately). My Duo V1 definitely uses the passive port. If you are checking this from work, perhaps the firewall is acting as an FTP proxy for the Duo. You could confirm this by changing it to a non-standard port (21 being the normal FTP port). Or see if you get the same behavior when connecting locally.
pugilares wrote:
As your server works in passive mode - did you setup ftp masquerade?
I use filezilla, and don't configure the masquerade. Filezilla will detect the private address and substitute the address used on the IP layer. If I set the masquerade, then I can't connect inside my LAN (since FileZilla won't substitute a private address for a public one)
I'm using FileZilla and numbers popping up after the IP-address are 55 and 119 on the Ultra, and 55 and 99 on the Duo
I've been thinking about the FTP proxy as you mention, planning on testing if I set the standard FTP port on the Ultra, just to check if that passes through. If I can't fix this problem, I guess it's gonna be a trade-off on which FTP server that would be accessible from work.
If it's needed for more thorough explanation, I can post pics of my router config and port forwarding
EDIT: I tried setting the Ultra with port 21, and it passed right through. So it's either the firewall who can't parse the port correctly, or it's the FTP server who can't operate on port 27 without using the passive ports
Thanks again for the answers
Message 6 of 24
2012-07-04
04:25 AM
Re: FTP server using passive ports
StephenB wrote: I use filezilla, and don't configure the masquerade. Filezilla will detect the private address and substitute the address used on the IP layer. If I set the masquerade, then I can't connect inside my LAN (since FileZilla won't substitute a private address for a public one)
I use Filezilla and I have set up masquerade on the server side and I can access from inside of my LAN and from outside of my LAN with no problem. The thing is to access from inside of my LAN I've set up Filezilla to use active mode. Since server and client is within the same LAN this is no problem to use active. In active mode masquerade setting is not being taken into account. From outside of my LAN passive mode FTP is in use. At the same time if I wanted to give access to my server to somebody from outside I don't have to worry which kind of FTP client he has got - masquerade is doing its job even for web browsers. Or if I wanted to access my server myself from outside, but from a computer which is not mine and doesn't necessarily have Filezilla installed.
Message 7 of 24
2012-07-04
04:30 AM
Re: FTP server using passive ports
Slasky wrote: EDIT: I tried setting the Ultra with port 21, and it passed right through. So it's either the firewall who can't parse the port correctly, or it's the FTP server who can't operate on port 27 without using the passive ports
Thanks again for the answers
Not so long ago I had a problem with port 21. My router did strange things with the FTP commands sent through this port. I have changed command port to something completely different on the server and forwarded the same port on the router. Since then I have no problem with FTPing from outside of my LAN.
Message 8 of 24
2012-07-04
04:35 AM
Re: FTP server using passive ports
The ultra is using 14199, and the duo is using 14179. That is computed using 55*256+99.
Slasky wrote: I'm using FileZilla and numbers popping up after the IP-address are 55 and 119 on the Ultra, and 55 and 99 on the Duo
You should be forwarding 14170-14180 to the Duo.
BTW, passive mode was invented to allow connectivity when the client is behind a nat. Active mode works fine when only the server is behind a nat. But in active mode, the server opens the data connection to the client (using a port the client chooses). This fails if the client is behind a firewall/nat which blocks incoming connections.
Passive mode has the client open both the data connection and the control connection to the server. This is outbound traffic to the client's firewall, so it is permitted. But the passive connection can only reach the server if the server's NAT/Firewall opens the passive port.
There is a more detailed explanation here: http://slacksite.com/other/ftp.html
Message 9 of 24
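The port arithmetic from the post above (high byte * 256 + low byte), applied to the numbers and port settings posted in this thread, as an added Python example that is not part of the original posts. The LAN addresses in the sample replies and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# The six comma-separated numbers of a "227 Entering Passive Mode" reply:
# four address bytes, then the high and low byte of the data port.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply on the control connection."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # e.g. 55 * 256 + 99 = 14179
    return ip, port


def check_data_channel(reply, passive_range, forwards):
    """Check whether a client on the WAN side could open the advertised data port.

    passive_range: (low, high) passive port range configured on the FTP server.
    forwards: list of (low, high) external port ranges forwarded to that server.
    """
    ip, port = parse_pasv(reply)
    return {
        "port": port,
        # The server should only hand out ports from its configured range.
        "in_passive_range": passive_range[0] <= port <= passive_range[1],
        # The client's data connection arrives on this port at the router.
        "forwarded": any(lo <= port <= hi for lo, hi in forwards),
        # A private address in the reply is unreachable from outside unless
        # the server masquerades or the client substitutes the control address.
        "private_address": ip.is_private,
    }


# Constructed replies: the LAN addresses are placeholders, the last two
# numbers are the ones reported in the thread (55,99 and 55,119).
DUO_REPLY = "227 Entering Passive Mode (192,168,1,10,55,99)"
ULTRA_REPLY = "227 Entering Passive Mode (192,168,1,20,55,119)"

# Server and router settings as posted in the thread.
DUO = {"passive_range": (14170, 14180), "forwards": [(21, 21)]}
ULTRA = {"passive_range": (14190, 14200), "forwards": [(27, 27), (14190, 14200)]}

if __name__ == "__main__":
    for name, reply, cfg in (("Duo", DUO_REPLY, DUO), ("Ultra", ULTRA_REPLY, ULTRA)):
        print(name, check_data_channel(reply, **cfg))
```

For the Duo, the result shows port 14179 inside the configured passive range but not covered by any forwarding rule, which matches the advice to forward 14170-14180 to the Duo.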
2012-07-04
04:43 AM
Re: FTP server using passive ports
Yes - that is why I suggested changing both ReadyNAS to use non-standard ports. That should work fine in most remote locations (and is what I do).
pugilares wrote: Not so long ago I had a problem with port 21. My router did strange things with the FTP commands sent through this port. I have changed command port to something completely different on the server and forwarded the same port on the router. Since then I have no problem with FTPing from outside of my LAN.
Though corporate firewalls are sometimes configured to disallow any outgoing traffic that they don't recognize. If Slasky's is configured that way, then he likely will have to pick only one ReadyNAS to reach from work, and it would need to use port 21 (to ensure that the corporate firewall recognizes it as FTP). He could still access the other ReadyNAS files using https.
EDIT: since https is allowed, another approach is to manage the home router remotely through https, and change the forwarding rule for port 21 when he wants to access the other ReadyNAS. That is cumbersome, but would work.
Message 10 of 24
2012-07-04
04:54 AM
Re: FTP server using passive ports
Anyway - using standard FTP from outside of own LAN is pretty much not secure. Using FTPeS through two NATs is likely to show problems with configuration if ever possible (depending on the configuration of the corporate NAT, the one you don't have control over). Another thing is to disable unsecure FTP login to the ReadyNAS. On Duo you can do it, but you need SSH access to your Duo. I don't know about Ultra in this matter.
Message 11 of 24
2012-07-04
05:31 AM
Re: FTP server using passive ports
Hey
Thanks for all the answers.
I just tried removing the passive ports on my firewall and tried connecting through my external address from home (RDP from work) and that didn't work. So I guess my router isn't NAT'ing the request right or the FTP server can't understand the NAT'ing being done.
StephenB wrote:
EDIT: since https is allowed, another approach is to manage the home router remotely through https, and change the forwarding rule for port 21 when he wants to access the other ReadyNAS. That is cumbersome, but would work.
This is what I most likely will have to do in the cases where I need to access the other FTP. I can't manage my router directly from work, since the managing ports on the router itself start at 1024 >.< I have a workaround though with ReadyWOL addon on my Duo and RDP passthrough the router on a lower port number than standard 🙂
Thanks for the very clarifying answer to active and passive mode. I think it's safe to say that the corporate firewall in combination with my firewall is borking that connection up into oblivion. I've masqueraded both servers as my external DNS address as well as set my FTP connection to active, since it sets itself as passive as default. It works like a charm.
From the outside the speed of the Duo and Ultra are about the same, so I'll figure out which dataset I need access to 😛
As I stated a few posts up, I guess it's a trade-off on which FTP that I want to be available at any given time.
I'll say this will be the answer, given that I've tried everything I could think of, as well as everything suggested here about port-forwarding and routing/NAT'ing.
Thank you again for the help 🙂
Slasky
Message 12 of 24
2012-07-04
05:49 AM
Re: FTP server using passive ports
With most routers, you manage the router with https (port 443). So you should be able to manage the router from work. It doesn't matter what settings you are changing (including ports > 1024), as long as https reaches the router.
Slasky wrote: ... I can't manage my router directly from work, since the managing ports on the router itself starts at 1024 >.<
Though of course you wouldn't be able to reach either ReadyNAS using https if you set it up this way (since non-standard ports seem to result in blocked services from your corporate firewall).
Message 13 of 24
2012-07-04
06:04 AM
Re: FTP server using passive ports
I have a own web managing tab on the menu on the router, stating that outside management would go to a certain portnumber that I specify, which is allowed from 1024 and up 🙂
For the reference, I have a NetGear N600 router.

And that picture shows how I set my remote management
Message 14 of 24
2012-07-04
08:02 AM
Re: FTP server using passive ports
Oops, you are correct - the R6300 does the same.
From my point of view that is a bug, it should let you specify 443.
Message 15 of 24
2012-07-04
08:08 AM
Re: FTP server using passive ports
Imo, although considered a security risk, ports under 1024 should be allowed, so the users themselves can determine if they want to put themselves at more risk, rather than the firmware saying that you can't
Message 16 of 24
2012-07-04
08:27 AM
Re: FTP server using passive ports
I agree - and there really is no greater security risk anyway. Standard port usage is defined by IANA.
0-1023 - "System ports"
1024-49151 - "User ports"
49152-65535 - "Dynamic/Private ports"
The risk of using a system port is that it might interfere with another common (and perhaps essential) network service. For instance, if you tried to use port 53 you would interfere with DNS. It doesn't really impact security one way or another.
In this case, 443 is the standard port for HTTPS, there is no reason why the router shouldn't be able to use it.
Message 17 of 24
2012-07-04
10:56 AM
Re: FTP server using passive ports
Unless you have a https port specified on the inside, as you stated earlier. I have specified other https ports on either of my NAS'es, just to separate them.
But then again, I guess it's Netgear's way of staying clear of people using system ports, like you said, 53 for DNS i.e. and borking up the network setup they have.
It should just have come with a warning once you set a port under 1024 that it can interfere with other services, rather than just block them all off.
Message 18 of 24
2012-07-04
02:02 PM
Re: FTP server using passive ports
Btw, I just had an idea. You might have suggested it, but if so, I've overlooked it 😛
I just forced filezilla to use active mode instead of passive mode, and I deleted the port forwarding rules on my router.
I connected to my external IP / DNS address with my specified active port, and it went through without any problems. Gonna test this at work tomorrow. If this works, all I have to do is define that filezilla will have to work in active mode, and I'll have both my NAS'es available.
I'll give you an update tomorrow. Guess the problem lay in the client 😛
Hopefully it'll slip through the corporate NAT / Firewall
Message 19 of 24
2012-07-04
02:37 PM
Re: FTP server using passive ports
Chance is next to zero that you will be able to exchange files with your FTP server in active mode when outside your LAN and covered by the corporate NAT. In active mode FTP server initiates connections to the random ports of the client side to transfer data. All those ports are shut down hollow on the corporate firewall.
The passive mode is way around that. But only in case that your corporate firewall lets through outgoing connections within the passive mode data range - this range you specify on your FTP server.
http://wiki.filezilla-project.org/FAQ
"Normal" firewall typically lets through outgoing connections. But "corporate" firewall typically blocks all traffic - incoming and outgoing on all ports with the exception for the few ports specified by corporate network admin. So there are just ports for http, DNS, pop3/smtp/imap (if so) and not much more. But of course I don't know your particular corporate network settings.
Message 20 of 24
2012-07-04
11:28 PM
Re: FTP server using passive ports
Ye, I forgot about that slight fact -.-
Although, you gave me a good idea. I'm gonna try setting passive ports below 1024, if the NAS allows it.
Message 21 of 24
2012-07-04
11:31 PM
Re: FTP server using passive ports
Aaaaand of course.. the FTP server won't allow passive ports under 1024 -.-
Guess it's the trade-off then
Message 22 of 24
2012-07-05
04:14 AM
Re: FTP server using passive ports
There is no harm in trying active mode with filezilla from work. If the firewall acts as a proxy, it might allow it. Though pugilares is likely correct.
BTW another option (though sluggish) is to try ReadyNAS Remote.
Message 23 of 24
2012-07-05
04:15 AM
Re: FTP server using passive ports
I'm not that desperate 😛 The corp firewall blocked the connection attempt, so no avail there. I'll just RDP and change the port forwarding if needed.
Thanks for the idea bouncing and ideas! 😄
Message 24 of 24