April 18th, 2005 01:00
dell 2350 wireless router problem with NAT FTP server
I am having trouble connecting to a friend's FTP server so we've been troubleshooting the problem. I am receiving an error message in SmartFTP (a popular FTP client for Windows) after successfully logging in to the server. While retrieving the directory listing I get:
425 Can't open data connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
The FTP server is connected to the Internet via a Linksys WRT54G firewall/router. The Linksys performs NAT (Network Address Translation). This means that the machines behind the firewall all receive an IP address from the Linksys router/firewall. This internal IP address is different than the external IP address assigned by the internet provider. Because of this, there are a few particulars that are important when dealing with FTP servers behind NAT router/firewalls. SmartFTP must be set to Active Mode (PORT). So I tried that; it didn't work.
We came to the conclusion that it is definitely MY router that is having the issue (the 2350). I can connect to the server just fine if I disconnect my router and connect my computer directly to the ethernet cable.
Is there a setting on this router that needs to be changed so that I can access this FTP server behind an NAT firewall? Someone please help me! I'm at my wits' end with it.
Message Edited by esthergrl on 04-17-2005 10:21 PM


NemesisDB
2 Intern
•
7.9K Posts
0
April 18th, 2005 02:00
jwatt
4.4K Posts
0
April 18th, 2005 03:00
Have you tried putting the client in "passive" mode? Here are two good articles on the FTP protocol, and the problems with it in a NAT environment:
http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh/ch11_02.htm
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html
Jim
esthergrl
3 Posts
0
April 18th, 2005 14:00
jwatt
4.4K Posts
0
April 18th, 2005 18:00
Am I right that a passive mode outbound FTP connection to an FTP server that's not in a NAT environment works? I'm having difficulty figuring out what NAT on the server end has to do with this. In passive mode, the server sends a message of the form "227 Entering Passive Mode (172,16,3,4,204,173)". That instructs the client to connect to IP address 172.16.3.4, port (204*256)+173, which is Port 52397. The NAT device then has to rewrite the "227" message to specify its own IP address rather than the FTP server's, and set up a transient mapping so traffic arriving at its IP address/port 52397 is forwarded to the server's internal IP address/port 52397. The server should then be "listening" on that port at its internal IP address. The client then attempts to connect to the IP address/port specified in the rewritten "227". See the document at www.ncftp.com, page 6, for an example.
Note that there's an error in the document that's repeated twice! The port is 52397, NOT 52937! I'll send the author a note about that. (edit #2) Within three hours of my sending him a note, the author of ncftp and ncftpd sent me a note that he'd fixed the copy of the document containing that error. So the above caveat no longer applies! :)
However, that all appears to be working correctly, since if the 2350 is eliminated, you're able to get a "data" connection to work. So what could the 2350 be doing? It needs to rewrite the outbound connection request to the FTP server, so that data returned from the server's IP address at the specified destination port (52397 in the example) is returned to the FTP client. The source port used by the client should be entered in the NAT table, so the 2350 knows what port the client has used, and replies sent back to the client at the expected port.
The "425" error sounds like a timeout, from the wording of the error message. But what's different about an outbound connection to an "ephemeral" port than an outbound connection to a well-known port, like 80 (HTTP)? There shouldn't be any!
Hence my question - does passive mode FTP work to other FTP servers besides this one?
(edit) After capturing an FTP "conversation" using Ethereal, I'm still stumped. Firefox's FTP client uses "passive" mode to retrieve directory listings by opening a new connection to the server at the port specified by the server in the last "227" response to a "PASV" command sent from the client to the server. The directory listing is sent by the server from that port. NAT (at least by our FreeBSD system) makes no changes to the destination port, as it shouldn't. After the directory listing is completed, the FTP server (ncftp.com's own, in my test) closes the connection. No rewriting of either the source or destination ports was done by the NAT server.
You may want to download a copy of Ethereal, examine the conversations with and without the 2350 in use, and see where the communications breakdown occurs. You'll need a copy of WinPcap installed. Both can be downloaded from ethereal.com's win32 download directory.
You should use a "capture filter" (illustrated here) and specify the IP address (the "outside" one) of the server you're connecting to. That will eliminate spurious traffic from the capture.
Please post back if you have any questions. The entire Ethereal User Guide is available from their site.
Jim
Message Edited by jimw on 04-18-2005 03:53 PM
Message Edited by jimw on 04-18-2005 04:44 PM
esthergrl
3 Posts
0
April 19th, 2005 18:00
I just wanted to share the solution. My friend gave me a link to another FTP server just to see if I could connect to another behind an NAT firewall. Sure enough, I could! So he tweaked some settings, next thing I know, it's working again, and in passive mode where I had started to begin with! Here is his solution, taken from his website at http://www.mikewren.com
Jim, thanks so much for all your help! I really do appreciate it. Some of the ideas here stemmed us to do some more research.
The Resolution :
While visiting Joe and Caroline, my home IP changed. I use a hacked firmware for my Linksys WRT54G firewall/router, Alchemy-6.0-RC1 v2.04.4.8sv by Svaesoft. Among the additional features offered by the Svaesoft firmware, is the ability to automagically update my ZoneEdit account when my Roadrunner IP address changes. On the FTP side, I'm using Remotely Anywhere version 6 server administration software, which includes a built-in FTP server.
Remotely Anywhere allows the server admin (me) to define an external IP address (which changed) and to specify a port range for Passive Mode FTP transfers (which I didn't define, since everyone else was able to connect via Active Mode). I forwarded ports 5150-5300 on my Linksys firewall and defined those ports in Remotely Anywhere. RESULT! It looks like everything is now working OK for Caroline, once I told her to set SmartFTP to use Passive Mode (NOT active mode). Very odd, very confusing, I know. But this was the resolution to this specific problem. I'm not sure why it worked for everyone else except her, but at least it's working now and everyone is happy. We live to fight another day.
jwatt
4.4K Posts
0
April 19th, 2005 19:00
Thanks for sharing the good news! Yep, sending a response to PASV and then not having the inbound port open that's been specified in the response will surely fail! :smileysad:
I consider "passive mode" a much safer way to use FTP, because no connections have to be made from the server to the client. I'm also surprised that someone else hadn't encountered this problem before.
And moreover, we got a document fixed that was over ten years old since its last revision! :smileyvery-happy: Mike Gleason's paper is one of the better and more readable ones on the complexities of FTP.
Good news all around!
Jim
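An added example, not written by any poster in this thread: a small checker for the "227" reply discussed above, which decodes the advertised address and port and flags the failures this thread ran into (a private or stale advertised address, or a port outside the range forwarded on the server's router). The function names, finding labels and the 203.0.113.x addresses are assumptions made for illustration; the 5150-5300 range and the sample reply come from the posts.

```python
import ipaddress
import re

# Six comma-separated decimal fields inside the parentheses of a 227 reply.
PASV_RE = re.compile(r"^227[ -].*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 ranges: unreachable from the Internet unless the NAT rewrites them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_227(reply):
    """Return (host, port) advertised by a 227 passive-mode reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # high byte * 256 + low byte
    return host, port


def diagnose(reply, control_peer, forwarded_ports):
    """Compare a 227 reply with the control connection and forwarded range.

    control_peer: address the client used for the control connection.
    forwarded_ports: ports the server-side router forwards for passive data.
    """
    host, port = parse_227(reply)
    addr = ipaddress.IPv4Address(host)
    findings = []
    if any(addr in net for net in RFC1918):
        findings.append("private-address")      # NAT did not rewrite the 227
    elif addr != ipaddress.IPv4Address(control_peer):
        findings.append("address-mismatch")     # e.g. stale external IP setting
    if port not in forwarded_ports:
        findings.append("port-not-forwarded")   # data connection will time out
    return host, port, findings


if __name__ == "__main__":
    forwarded = range(5150, 5301)               # range forwarded in the thread
    samples = [                                 # constructed sample replies
        "227 Entering Passive Mode (172,16,3,4,204,173)",
        "227 Entering Passive Mode (203,0,113,99,20,30)",
        "227 Entering Passive Mode (203,0,113,10,20,30)",
    ]
    for line in samples:
        print(diagnose(line, "203.0.113.10", forwarded))
```

Feed it the 227 line from the client's log or from a capture of the control connection; an empty findings list means the advertised endpoint matches what the router forwards.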
a4wingedlion
1 Message
0
April 27th, 2005 21:00
JAS0704
4 Posts
0
June 3rd, 2005 16:00
I was wondering whether anyone knew how to switch off the NAT firewall in the 2350 router as it is affecting my broadband speed
NemesisDB
2 Intern
•
7.9K Posts
0
June 3rd, 2005 16:00
JAS0704
4 Posts
0
June 3rd, 2005 17:00
NemesisDB
2 Intern
•
7.9K Posts
0
June 3rd, 2005 17:00
NemesisDB
2 Intern
•
7.9K Posts
0
June 3rd, 2005 22:00
JAS0704
4 Posts
0
June 3rd, 2005 22:00
JAS0704
4 Posts
0
June 3rd, 2005 22:00