Slasky (Aspirant)
Jul 03, 2012
FTP server using passive ports
Hello everybody.
This is more of a network-question than a readynas one.
I've just recently bought an Ultra 4 in addition to my Duo. I've had, and still have the FTP service running at the Duo, and was setting up the same for the Ultra.
Problem one was that my router can't seem to forward the same port to two different devices, but that's not the issue.
I chose another port for the FTP server on the Ultra, and forwarded that port in my router to the Ultra's IP address. The problem is that the Ultra's FTP server uses the passive ports, since the server sends a passive response. I'd think that since I've opened the port in question, the server would go in active mode, but after further examination, I see during logging onto both the servers, both enter passive mode.
The weird part is this:
When I log onto the FTP server on the Duo, I don't have to open the passive ports in the router, and it seems to use the FTP port I've specified.
When I log into the FTP server on the Ultra, I can't seem to fully enter without defining the passive ports in the router.
As I said, I've forwarded the specified port in the router for the Ultra server, but it won't use it -.-
Any suggestions?
Greetings, Slasky
23 Replies
- StephenB (Guru - Experienced User)
Slasky wrote: Problem one was that my router can't seem to forward the same port to two different devices...
That is because it is impossible. Like trying to forward your mail to two different addresses.
I'm not completely sure what you did, but the normal way you solve this problem is:
forward five ports (X to X+4) to the DUO, using X for the main port and the other X+1 to X+4 for the passive ports.
forward five different ports (Y to Y+4) to the ultra, using Y for the main port and the other Y+1 to Y+4 for the passive ports.
You also need to configure the DUO to use X+1 to X+4 for passive ports, and the ULTRA to use Y+1 to Y+4.
Then specify port X in your ftp client when connecting to the DUO, and port Y in client when connecting to the ULTRA
- Slasky (Aspirant)
That's basically what I've done. The only problem here is that I need to use ports lower than 1024 to access anything from my work, as they've blocked any port over 1024 on the firewalls.
The setup is like this:
Duo Server
Port: 21
Passive Ports: 14170-14180
Router settings:
Port 21 forwarded from port 21 external to port 21 internal to Duo IP
Ultra Server:
Port: 27
Passive Ports: 14190-14200
Router settings:
Port 27 forwarded from port 27 external to port 27 internal to Ultra IP
Ports 14190-14200 forwarded from port 14190-14200 external to port 14190-14200 internal to Ultra IP
What's strange is that the Duo doesn't use its passive ports, just the normal one, as the Ultra pops in on the passive ports only.
I've also tried changing the port number of the Ultra server just to check that it doesn't collide with another service.
Thanks for the answers though
- pugilares (Aspirant)
As your server works in passive mode - did you setup ftp masquerade?
You say that "the Duo doesn't use its passive ports, just the normal one, as the Ultra pops in on the passive ports only" - what do you mean by that - what says your client?
- StephenB (Guru - Experienced User)
Slasky - what client are you using? With filezilla you can see what passive port is being engaged (though you need to do the math, since it gives you the high and low byte of the port number separately). My Duo V1 definitely uses the passive port. If you are checking this from work, perhaps the firewall is acting as an FTP proxy for the Duo. You could confirm this by changing it to a non-standard port (21 being the normal FTP port). Or see if you get the same behavior when connecting locally.
pugilares wrote: As your server works in passive mode - did you setup ftp masquerade?
I use filezilla, and don't configure the masquerade. Filezilla will detect the private address and substitute the address used on the IP layer. If I set the masquerade, then I can't connect inside my LAN (since FileZilla won't substitute a private address for a public one)
- Slasky (Aspirant)
pugilares wrote:
As your server works in passive mode - did you setup ftp masquerade?
You say that "the Duo doesn't use its passive ports, just the normal one, as the Ultra pops in on the passive ports only" - what do you mean by that - what says your client?
To clarify, both servers enter passive mode, due to being behind a firewall in my router. The thing is that I haven't forwarded the passive ports for the Duo, that's why I assume it's using the original port (port 21)
I've set up masquerade on both servers as the internal IP, to be able to access them locally. This works fine for the Duo, and the Ultra. The servers enter passive mode even if I masquerade them as the external IP or my DynDNS domain.
StephenB wrote:
Slasky - what client are you using? With filezilla you can see what passive port is being engaged (though you need to do the math, since it gives you the high and low byte of the port number separately). My Duo V1 definitely uses the passive port. If you are checking this from work, perhaps the firewall is acting as an FTP proxy for the Duo. You could confirm this by changing it to a non-standard port (21 being the normal FTP port). Or see if you get the same behavior when connecting locally.
pugilares wrote:
As your server works in passive mode - did you setup ftp masquerade?
I use filezilla, and don't configure the masquerade. Filezilla will detect the private address and substitute the address used on the IP layer. If I set the masquerade, then I can't connect inside my LAN (since FileZilla won't substitute a private address for a public one)
I'm using FileZilla and numbers popping up after the IP-address are 55 and 119 on the Ultra, and 55 and 99 on the Duo
I've been thinking about the FTP proxy as you mention, planning on testing if I set the standard FTP port on the Ultra, just to check if that passes through. If I can't fix this problem, I guess it's gonna be a trade-off on which FTP server that would be accessible from work.
If it's needed for more thorough explanation, I can post pics of my router config and port forwarding
EDIT: I tried setting the Ultra with port 21, and it passed right through. So it's either the firewall who can't parse the port correctly, or it's the FTP server who can't operate on port 27 without using the passive ports
Thanks again for the answers
- pugilares (Aspirant)
StephenB wrote: I use filezilla, and don't configure the masquerade. Filezilla will detect the private address and substitute the address used on the IP layer. If I set the masquerade, then I can't connect inside my LAN (since FileZilla won't substitute a private address for a public one)
I use Filezilla and I have set up masquerade on the server side and I can access from inside of my LAN and from outside of my LAN with no problem. The thing is to access from inside of my LAN I've setup Filezilla to use active mode. Since server and client is within the same LAN this is no problem to use active. In active mode masquerade setting is not being taken into account. From outside of my LAN passive mode FTP is in use. At the same time if I wanted to give access to my server to somebody from outside I don't have to worry which kind of FTP client he has got - masquerade is doing its job even for web browsers. Or if I wanted to access my server myself from outside, but from a computer which is not mine and doesn't necessarily have Filezilla installed.
- pugilares (Aspirant)
Slasky wrote: EDIT: I tried setting the Ultra with port 21, and it passed right through. So it's either the firewall who can't parse the port correctly, or it's the FTP server who can't operate on port 27 without using the passive ports
Thanks again for the answers
Not so long ago I had a problem with port 21. My router did strange things with the FTP commands sent through this port. I have changed command port to something completely different on the server and forwarded the same port on the router. Since then I have no problem with FTPing from outside of my LAN.
- StephenB (Guru - Experienced User)
Slasky wrote: I'm using FileZilla and numbers popping up after the IP-address are 55 and 119 on the Ultra, and 55 and 99 on the Duo
The ultra is using 14199, and the duo is using 14179. That is computed using 55*256+99.
You should be forwarding 14170-14180 to the Duo.
BTW, passive mode was invented to allow connectivity when the client is behind a nat. Active mode works fine when only the server is behind a nat. But in active mode, the server opens the data connection to the client (using a port the client chooses). This fails if the client is behind a firewall/nat which blocks incoming connections.
Passive mode has the client open both the data connection and the control connection to the server. This is outbound traffic to the client's firewall, so it is permitted. But the passive connection can only reach the server if the server's NAT/Firewall opens the passive port.
There is a more detailed explanation here: http://slacksite.com/other/ftp.html
- StephenB (Guru - Experienced User)
pugilares wrote: Not so long ago I had a problem with port 21. My router did strange things with the FTP commands sent through this port. I have changed command port to something completely different on the server and forwarded the same port on the router. Since then I have no problem with FTPing from outside of my LAN.
Yes - that is why I suggested changing both ReadyNAS to use non-standard ports. That should work fine in most remote locations (and is what I do).
Though corporate firewalls are sometimes configured to disallow any outgoing traffic that they don't recognize. If Slasky's is configured that way, then he likely will have to pick only one ReadyNAS to reach from work, and it would need to use port 21 (to ensure that the corporate firewall recognizes it as FTP). He could still access the other ReadyNAS files using https.
EDIT: since https is allowed, another approach is to manage the home router remotely through https, and change the forwarding rule for port 21 when he wants to access the other ReadyNAS. That is cumbersome, but would work.
- pugilares (Aspirant)
Anyway - using standard FTP from outside of own LAN is pretty much not secure. Using FTPeS through two NATs is likely to show problems with configuration if ever possible (depending on the configuration of the corporate NAT, the one you don't have control over). Another thing is to disable unsecure FTP login to the ReadyNAS. On Duo you can do it, but you need SSH access to your Duo. I don't know about Ultra in this matter.
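The port arithmetic StephenB describes earlier in the thread (55*256+99), written out as an added example that is not part of any post: it parses a PASV reply and checks the resulting data port against the passive ranges and router forwards Slasky listed. The 192.168.1.x addresses in the sample replies are constructed placeholders, and the function names are this example's own.

```python
import ipaddress
import re

# Values posted in the thread: passive ranges and router forwards per NAS.
PASSIVE_RANGES = {"Duo": (14170, 14180), "Ultra": (14190, 14200)}
FORWARDS = {"Duo": [(21, 21)], "Ultra": [(27, 27), (14190, 14200)]}

# Constructed sample replies: the 192.168.1.x addresses are placeholders,
# the last two numbers are the ones Slasky read in FileZilla.
SAMPLE_REPLIES = {
    "Duo": "227 Entering Passive Mode (192,168,1,20,55,99)",
    "Ultra": "227 Entering Passive Mode (192,168,1,21,55,119)",
}

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (address, port) from a 227 reply; port = p1 * 256 + p2."""
    match = PASV_RE.match(reply.strip())
    if not match:
        raise ValueError(f"not a 227 passive reply: {reply!r}")
    nums = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in: {reply!r}")
    address = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return address, nums[4] * 256 + nums[5]


def check_reply(device, reply):
    """Compare one PASV reply with the device's configured range and forwards."""
    address, port = parse_pasv(reply)
    low, high = PASSIVE_RANGES[device]
    findings = []
    if not low <= port <= high:
        findings.append("port outside configured passive range")
    if not any(a <= port <= b for a, b in FORWARDS[device]):
        findings.append("port not forwarded on router")
    if address.is_private:
        findings.append("private address advertised")
    return port, findings


if __name__ == "__main__":
    for device, reply in SAMPLE_REPLIES.items():
        print(device, *check_reply(device, reply))
```

The Duo result flags that its data port has no forwarding rule, which matches StephenB's advice to forward 14170-14180 to the Duo. The private-address finding is the case where the client has to substitute the address, as described for FileZilla above.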