
Re: Is there an actual FTP server built in?

dannieboiz
Aspirant

Is there an actual FTP server built in?

Strangely, I can access FTP://NAS IP internally. Port forwarding port 21 I'm not able to do so externally. I looked high and low on the interface and saw nothing about an FTP server. 

 

I ran into another post where someone responded that there is no FTP server on the RN.... is this true?

 

Why in the world would a NAS NOT have this feature?

Message 1 of 10
StephenB
Guru

Re: Is there an actual FTP server built in?


@dannieboiz wrote:

Strangely, I can access FTP://NAS IP internally. Port forwarding port 21 I'm not able to do so externally. I looked high and low on the interface and saw nothing about an FTP server. 

There is a built-in FTP server, and that is what you are already using when you access the NAS internally.

 

Forwarding port 21 isn't enough to let you access the NAS remotely.  You also need to set up a passive port range (I suggest 4 ports per simultaneous connection) and forward those ports as well.  Of course you'd also need ddns.

 

In addition, you might need to set up masquerading.  Though my advice there is to use FileZilla, which doesn't need masquerading.

 

If you are accessing the NAS remotely I suggest using ftps (which encrypts the connection).

Message 2 of 10
dannieboiz
Aspirant

Re: Is there an actual FTP server built in?

I'm already using FileZilla server but figured why couldn't I just use the NAS as an FTP server. Seems more effort than it's worth.
Message 3 of 10
StephenB
Guru

Re: Is there an actual FTP server built in?


@dannieboiz wrote:
I'm already using FileZilla server but figured why couldn't I just use the NAS as an FTP server. Seems more effort than it's worth.

It's pretty much the same as accessing a FileZilla FTP over the internet.  FTP passive is the mode you'd need for that too, so you'd need to forward the passive ports in your router.  DDNS is needed so you can access by name instead of by your router's IP address.

 

 

Message 4 of 10
dannieboiz
Aspirant

Re: Is there an actual FTP server built in?

I'm a little confused. With FileZilla I forward port 21 to my server and am done. Why do we need to forward the range as you said above?
Message 5 of 10
StephenB
Guru

Re: Is there an actual FTP server built in?


@dannieboiz wrote:
I'm a little confused. With FileZilla I forward port 21 to my server and am done. Why do we need to forward the range as you said above?

First of all, FTP always uses at least two connections.  Port 21 is the command connection.  The second one is called the data connection.  If you are transferring more than one file at a time, you use one data connection per file transfer.

 

There are two modes for FTP - active and passive.

 

Active only requires that you forward the command port.  But it won't work if the FTP client is behind a NAT - the data connection won't be established.  So it might be ok if you are using a mobile data plan to test it, but normally it won't work if you are using wifi in a hotel or hotspot.  In this mode the data connection is opened from the server->client.  Your home router will allow that connection, but the far end NAT will block it.

 

Passive requires that you also forward ports for the data connection.  In this mode the FTP server tells the client the IP address and  port to use for the data connection, and the client opens the data connection (in the client->server direction).  A remote NAT will allow that connection, but your router normally won't (unless you forward the passive ports).  Masquerading comes into play here, as the server needs to give the correct IP address (which is the WAN port on your router).

 

There is more info on these modes here: https://www.jscape.com/blog/bid/80512/active-v-s-passive-ftp-simplified

 

There are three possible reasons why your FileZilla Server works

  1. You might be using active mode, but not running the client behind a NAT.
  2. You might have put the FileZilla host in the DMZ of the router (which would open it to all internet connections).
  3. The FileZilla server might be asking your home router to automatically (and dynamically) forward the data connections using upnp

Possibilities 2 and 3 are probably more likely than 1, as most servers will default to passive mode.  Possibility (2) is a bad idea btw - it allows hackers to scan your server and either install malware or silently steal your data.  So if you happen to be doing that, you should stop.

 

Most routers will show you the connections that were opened via UPnP, so you can confirm possibility 3 by doing a transfer over the internet, and looking at that connection list.  BTW, in this third case, the FileZilla server would either be figuring out the correct masquerade address, or (if you are using the FileZilla client), the client is figuring it out.

 

The NAS FTP server doesn't use upnp, so you need to forward the data ports manually.  It also won't attempt to figure out the correct masquerade address for the connection, so that also needs to be manually configured. 

 

FWIW, the FileZilla server (and the FileZilla clients) support two secure FTP protocols (FTPS and SFTP).  You really should be using one of those, and not the much older insecure FTP.  The NAS server can be set to require FTPS, but it can't be configured to use SFTP.

 

Also, if you have multiple FTP servers you can use non-standard ports for the command connection, so you can reach them all over the internet.  

 

In any event, you could switch your server over from FileZilla to the NAS if you want to.  The main benefits are 

  • Not needing to keep two servers running
  • Consolidating authentication (using the NAS user accounts/passwords for both SMB access and FTP).

The main drawbacks are that

  • the initial setup might be somewhat more complicated.
  • the manual masquerading might interfere with local FTP use (depending on your router).

 

Message 6 of 10
schumaku
Guru

Re: Is there an actual FTP server built in?


@StephenB wrote:

@dannieboiz wrote:
I'm a little confused. With FileZilla I forward port 21 to my server and am done. Why do we need to forward the range as you said above?

First of all, FTP always uses at least two connections.  Port 21 is the command connection.  The second one is called the data connection.  If you are transferring more than one file at a time, you use one data connection per file transfer.


Now, for the plain FTP, most NAT routers have an FTP ALG (Application Layer Gateway) built-in, at least for the default FTP control port. The FTP ALG does listen on the FTP control port for passive data connections, and does adjust the port forwarding and firewall for the FTP data port(s) involved. This might work nicely as long as you use plain open FTP. Once you try to use FTPES (explicit security) - more and more FTP clients default to FTPES if it's announced available during the FTP connection handshake - once the FTP client has requested FTPES, the FTP ALG can't work anymore, because it has no insight into the now encrypted FTP control channel. So for plain FTP it might work (thanks to the FTP ALG), but finally for FTPES support, there is no way around forwarding the passive FTP data port range manually. 

Some advanced routers might support configuring an FTP ALG on an alternate FTP control data port. If not, and in case you try to operate multiple FTP servers to be accessible over the NAT router, not only different FTP control ports must be configured, but also dedicated passive FTP data port ranges.

 

All this applies to the ReadyNAS FTP server, any other NAS vendor FTP server, and also to the FileZilla FTP server on whatever platform in the very same way.

Fully agree with @StephenB !

Message 7 of 10
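The ALG behaviour described in the post above can be modelled in a few lines: the router can only open a data port it can read out of a 227 reply, so once the control channel is encrypted only manual forwards remain. This is an added example, not part of the original thread and not any router's actual ALG code; the captured records, port numbers and function names are constructed for illustration.

```python
import re

# Server->client control-channel reply announcing a passive data port (RFC 959).
PASV_REPLY = re.compile(rb"227 [^\r\n]*\(\d+,\d+,\d+,\d+,(\d+),(\d+)\)")

def alg_opened_ports(wire_records):
    """Ports a toy FTP ALG would open: it acts only on 227 replies it can read."""
    ports = set()
    for record in wire_records:
        m = PASV_REPLY.search(record)
        if m:
            ports.add(int(m.group(1)) * 256 + int(m.group(2)))
    return ports

def blocked_data_ports(wire_records, data_ports_used, static_forwards=()):
    """Data ports the server handed out that neither the ALG nor a
    manual port forward covers, i.e. transfers that would hang."""
    reachable = alg_opened_ports(wire_records) | set(static_forwards)
    return sorted(set(data_ports_used) - reachable)

# Constructed view of what the router sees on the control connection.
PLAIN_FTP = [
    b"220 FTP server ready\r\n",
    b"331 Password required\r\n",
    b"230 User logged in\r\n",
    b"227 Entering Passive Mode (192,168,1,50,195,80)\r\n",  # port 50000
]
# After "234" (AUTH TLS accepted) the router sees only TLS records; the
# 227 reply travels inside them and is unreadable to the ALG.
FTPES = [
    b"220 FTP server ready\r\n",
    b"234 AUTH TLS successful\r\n",
    bytes.fromhex("1703030020") + bytes(range(32)),  # stand-in for ciphertext
]

if __name__ == "__main__":
    print("plain FTP, no forwards:", blocked_data_ports(PLAIN_FTP, [50000]))
    print("FTPES, no forwards:    ", blocked_data_ports(FTPES, [50000]))
    print("FTPES, range forwarded:",
          blocked_data_ports(FTPES, [50000], range(50000, 50004)))
```
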
StephenB
Guru

Re: Is there an actual FTP server built in?


@schumaku wrote: ... The FTP ALG does listen on the FTP control port for passive data connections, and does adjust the port forwarding and firewall for the FTP data port(s) involved. ...   Once you try to use FTPES (explicit security) - more and more FTP clients default to FTPES if it's announced available during the FTP connection handshake - once the FTP client has requested FTPES, the FTP ALG can't work anymore, because it has no insight into the now encrypted FTP control channel.

Fully agree that ALGs are part of the puzzle.  I didn't get into that aspect in my simplified explanation.

 

On the explicit security aspect - you definitely want to use encryption, as otherwise anyone snooping the connection can see the username/passwords you use to access the server.  And as @schumaku says, ALGs won't assist with the data connections if you use explicit security/encryption.

Message 8 of 10
dannieboiz
Aspirant

Re: Is there an actual FTP server built in?

Wow, I'm a little embarrassed. After 20+ years in the IT field I wasn't aware of this.

I've been using off the shelf Asus routers at home but recently replaced it with a pfsense router. I will look into this.
Message 9 of 10
schumaku
Guru

Re: Is there an actual FTP server built in?

Consumer routers typically have FTP ALGs on board - that's why you never had to take care of the FTP passive data ports. 

 

For pfsense, start here -> https://docs.netgate.com/pfsense/en/latest/nat/ftp-without-a-proxy.html - keep in mind that the warning in this tech note is not fully correct, FTPES is perfectly fine.

 

 

Message 10 of 10