Help setting up/accessing an FTP server.

KlokWyze

Diamond Member
Sep 7, 2006
4,451
9
81
www.dogsonacid.com
My host/server computer has a static IP of 192.168.1.150, outside of the range of the DHCP addresses on my home network. I'm using a WRT54G flashed with DD WRT STD V24. I'm forwarding port ranges 21 & 5000-5100 (for PASV, if needed) to my primary computer (192.168.1.150).

I have FileZilla FTP Server. I use Comodo free firewall and an exception for FileZilla is already made.

Let's say my public IP address is: *.85

Do I need to use PASV mode? Exactly what do I need to configure in order to set it up properly? I've been messing with this for hours and cannot, for the life of me, figure this out. I must be missing something simple, but I cannot see it. :\
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
You forgot port 20.

Also you will need to tell the daemon what the PASV ports and public IP are so that it doesn't hand out your internal information and invalid port information.

Example:

PORT 192,168,150,80,14,178

---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).

What those commands are telling is either a) (PORT) the server to connect to 192.168.150.80 port 3762 (on the client), or b) (PASV) the client to connect to 192.168.150.90 port 50069 (on the server).

If your server is handing out a 192.168.x.x address, the internet-facing client will never reach you. To fix this, most FTP daemons let you specify the "Internet address" and the port range so the proper addresses get sent out over the control channel.

Your internal server should show something like PASV (123,123,123,85,19,136) being your outside address port 5000.

PASV mode tends to be better supported. It was designed to work behind NAT routers. The older style "PORT" method will have a high failure rate unless the client is directly on the internet and not behind a NAT device.

This really old site actually explains it pretty well.

http://slacksite.com/other/ftp.html
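
The address/port encoding described in the post above, as an added example that is not part of the original thread: it decodes the `h1,h2,h3,h4,p1,p2` tuple from a PORT command or a 227 reply and flags a reply that an internet-side client could not use. The function names are hypothetical; the forwarded range 5000-5100 is taken from the first post, and the sample lines are the ones quoted in the thread.

```python
import ipaddress
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2
_TUPLE = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def decode_endpoint(line):
    """Return (IPv4Address, port) from a PORT command or a 227 PASV reply."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The port is sent as two bytes: high byte p1, low byte p2.
    return ip, nums[4] * 256 + nums[5]

def check_pasv_reply(line, forwarded=range(5000, 5101)):
    """Return (ip, port, problems) for a 227 reply as seen from the internet.

    `forwarded` is the passive port range forwarded on the router
    (assumed here to be 5000-5100, as in the first post).
    """
    ip, port = decode_endpoint(line)
    problems = []
    if ip.is_private:
        problems.append("advertises private address %s" % ip)
    if port not in forwarded:
        problems.append("port %d is outside forwarded range %d-%d"
                        % (port, forwarded[0], forwarded[-1]))
    return ip, port, problems

if __name__ == "__main__":
    # Sample lines quoted in the thread.
    print(decode_endpoint("PORT 192,168,150,80,14,178"))
    for reply in ("227 Entering Passive Mode (192,168,150,90,195,149).",
                  "227 Entering Passive Mode (123,123,123,85,19,136)."):
        ip, port, problems = check_pasv_reply(reply)
        print(ip, port, problems or "reachable through the port forward")
```
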
 

Ghiedo27

Senior member
Mar 9, 2011
403
0
0
Correct me if I'm wrong here, but don't you need to set up a static NAT on the router to access the ftp server through the internet? Something like x.x.x.85:20 and x.x.x.85:21 translated to your private address 192.168.1.150. And wouldn't that require active ftp to keep the incoming data limited to port 20 and 21?

Do you have a static IP from the ISP?
 

KlokWyze

You forgot port 20.

Also you will need to tell the daemon what the PASV ports and public IP are so that it doesn't hand out your internal information and invalid port information.

Example:

PORT 192,168,150,80,14,178

---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).

What those commands are telling is either a) (PORT) the server to connect to 192.168.150.80 port 3762 (on the client), or b) (PASV) the client to connect to 192.168.150.90 port 50069 (on the server).

If your server is handing out a 192.168.x.x address, the internet-facing client will never reach you. To fix this, most FTP daemons let you specify the "Internet address" and the port range so the proper addresses get sent out over the control channel.

Your internal server should show something like PASV (123,123,123,85,19,136) being your outside address port 5000.

PASV mode tends to be better supported. It was designed to work behind NAT routers. The older style "PORT" method will have a high failure rate unless the client is directly on the internet and not behind a NAT device.

This really old site actually explains it pretty well.

http://slacksite.com/other/ftp.html

Thanks for the website. Very straightforward... After reading through that and verifying all my settings were correct. They already were. The problem was that Windows Firewall somehow turned itself on and was blocking the connection. d0h!

Correct me if I'm wrong here, but don't you need to set up a static NAT on the router to access the ftp server through the internet? Something like x.x.x.85:20 and x.x.x.85:21 translated to your private address 192.168.1.150. And wouldn't that require active ftp to keep the incoming data limited to port 20 and 21?

Do you have a static IP from the ISP?

No I don't..... TBH I haven't seen a different public IP since I've been @ my new apartment so I don't think it's a big deal. How much would something like that cost?

Anyways..... PASV is set up properly and I'm now trying to configure the SSL/TLS encryption. Reading the Wikipedia FTPS page now. I guess I'll set the server to use Explicit mode in case I can't connect via SSL the next time I'm out of my home LAN.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
No I don't..... TBH I haven't seen a different public IP since I've been @ my new apartment so I don't think it's a big deal. How much would something like that cost?

you could use DynDNS for free, dd-wrt supports dyndns updating.

http://www.dyndns.com/

register a free account, pick your domain ($something.dyndns.info or whatever options they give) and give your credentials to dd-wrt to keep dyndns updated. you then don't need to know your ip, just your dyndns subdomain
 

KlokWyze

you could use DynDNS for free, dd-wrt supports dyndns updating.

http://www.dyndns.com/

register a free account, pick your domain ($something.dyndns.info or whatever options they give) and give your credentials to dd-wrt to keep dyndns updated. you then don't need to know your ip, just your dyndns subdomain

Nice. Thanks. I actually used to use this many years ago... very cool service. :thumbsup:
 

Texashiker

Lifer
Dec 18, 2010
18,811
198
106
Standard FTP that sends the password in clear text should have been dead 10 years ago. Use SFTP instead.

The smart thing to do is change your FTP/SFTP port to something else, like a game port, such as Counter-Strike, Left 4 Dead... something like that. So that when a port probe hits the server, it does not see anything on the FTP or SFTP port.
 

KlokWyze

Standard FTP that sends the password in clear text should have been dead 10 years ago. Use SFTP instead.

The smart thing to do is change your FTP/SFTP port to something else, like a game port, such as Counter-Strike, Left 4 Dead... something like that. So that when a port probe hits the server, it does not see anything on the FTP or SFTP port.

I'm using implicit FTPS (SSL/TLS), not to be confused with SFTP (SSH) that offers full encryption. Haven't switched the port, but that is a good idea. :thumbsup: