An FTP server running on port 2000 through NAT does not work in passive mode

I am running a FileZilla FTP server on Windows on one of the computers on my LAN connected to my router. I am trying to access the FTP server from a network outside the router using the WAN interface of a WLAN (WAN-to-LAN) router by adding a port-forwarding (NAT) rule to the router. I have two cases here according to the configurations below. The first works, and the second does not (in passive mode).

Note: I added a custom inbound rule to the Windows 7 firewall on the machine where the FTP server runs.

Configuration # 1

FileZilla FTP server port: 21
Passive port range: 50000-51000
NAT - external port: 21
NAT - internal port: 21
Windows firewall inbound rule, allowed ports: 21, 50000-51000
Client connecting to: <Wan IP>:21

This works if the client tries to connect using active / passive mode.

Configuration # 2

FileZilla FTP server port: 2000
Passive port range: 50000-51000
NAT - external port: 21
NAT - internal port: 2000
Windows firewall inbound rule, allowed ports: 2000, 50000-51000
Client connecting to: <Wan IP>:21

This only works if the client is configured for active mode. It does not work when the client is set to passive mode: the client can connect and log in successfully, but ends with a server-side message like this, without listing any directories.

227 Entering Passive Mode (192,168,1,2,195,85)

Note: Both cases work on LAN-LAN.


I assume that configuration #1 only works because the NAT is smart enough to translate the IP address in the PASV response from the server. But it probably only does this for the standard FTP port.


You must tell your FileZilla FTP server your external IP address. Go to "Edit" > "Settings" > "Passive Mode Settings" > "IPv4" > "External Server IP Address" for passive-mode transfers.

Your FTP server is currently sending its internal IP address to the client, and the client obviously cannot connect to that address.

And add NAT forwarding for the ports in the passive port range (50000-51000).


Note that this change will break LAN-to-LAN connections. To have both LAN and WAN connectivity, check whether your NAT can be configured to translate IP addresses for non-standard ports. That translation will only work for an unencrypted connection, though. And you should not use unencrypted connections!

The final option is to use Extended Passive Mode (EPSV) if your clients allow it. In extended passive mode, the response does not contain an IP address; the FTP client uses the IP address it already used for the FTP server's control connection for the data connection as well.


Source: https://habr.com/ru/post/1307956/
