Thread: Access to ftp from outside

  1. #1

    Access to ftp from outside

    (Moved from tutorial forum and slightly edited)

    I have problems accessing the ftp server from the outside world (local access is no problem). My configuration, however, is somewhat "special", with two routers behind my cable modem. First I have one wl520g (Firmware 1.9.5.4) router connected to the modem, which acts as the DHCP server and master in my local network; then I have the wl500g (Firmware 1.9.5.0) acting as AP (wireless access point), connecting two parts of my network together. The FTP server is a 512MB USB flash dongle from Corsair. On a PC connected by wire to the wl500g I am running a web server. The wl520g NAT settings for virtual servers are set up to accept an FTP and a WEB server with the following parameters.

    Quote:
    Server  Port range  Local port  Protocol  Local IP
    FTP     20:21       21          TCP       192.168.1.2
    WEB     80          80          TCP       192.168.1.5


    The WEB server was up and running on the first attempt. The FTP server has never been accessible from outside the local network. The wl520g log does, however, log incoming requests as accepted, but I expect the problem to be with the wl500g; since this is set up to be an AP, there is no log for me to see what the wl500g does with the request. The following is a part of the wl520g log.

    Jan 7 00:22:17 filter: TCP connection accepted to xxx.xxx.xxx.xxx:21 from 192.168.1.5:2111
    Jan 7 00:22:17 filter: TCP connection accepted to xxx.xxx.xxx.xxx:21 from 192.168.1.5:2111
    Jan 7 00:22:18 filter: TCP connection accepted to xxx.xxx.xxx.xxx:21 from 192.168.1.5:2111

    IP 192.168.1.5 is the PC I am currently working from (same as the WEB server). xxx.xxx.xxx.xxx is of course my global IP as provided to me by my service provider.

    The problem must, as far as I can understand, be buried deep inside the wl500g, and I have heard about several people with the same problem but without any solution.

    Thanks in advance
    Z

    (By the way.... Please be patient with my bad english... thanks)
    Last edited by zainka; 11-01-2006 at 18:08.

  2. #2
    Sorry, I don't know how much you know so don't be patronised by this, but have you tried enabling the FTP port (21) from WAN using iptables?
    There is a guide on how to do this on my wiki:
    http://www.sprayfly.com/wiki/FTP_from_WAN

    To keep information on the forum, rather than all on external sources, here is that page:

    ----------------------------------------------------------

    To enable ftp from WAN, we need to configure iptables to accept some ports. This is exactly the same as what was done to enable dropbear from WAN. Type

    cd /usr/local/sbin
    nano post-firewall

    If you want to run both dropbear and FTP over WAN, you need the following in the post-firewall file.

    #!/bin/sh
    #SSH and FTP access from WAN
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 22 -j DNAT --to-destination $4:22
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination $4:21
    iptables -A INPUT -j DROP

    If you only want to run FTP over WAN, you need these contents

    #!/bin/sh
    #FTP access from WAN
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination $4:21
    iptables -A INPUT -j DROP

    Now we need to commit this to the internal flash memory of the WL-HDD. As the post-firewall script is in the /usr/local tree, this is straightforward.

    flashfs save
    flashfs commit
    flashfs enable
    reboot

    Testing

    Note that you cannot connect to your FTP server by typing your WAN address into a terminal or browser.

    Most ADSL/cable routers do not allow this.

    To test your FTP server from WAN, you will either have to have a separate internet connection or go to somebody else's house/work etc.

    Connect as normal but enter the WAN IP address rather than your internal LAN IP address.

    To find out your WAN IP address, click here.

    Note that most WAN IP addresses will change when you restart your DSL/cable router or when you disconnect and reconnect. Consider using a dynamic IP service.
    --------------------------------------------------------------

    Hope this may have been of some use to you!?
    Jono

  3. #3
    Join Date
    May 2004
    Location
    France...
    Posts
    159
    Quote Originally Posted by jonolumb
    Sorry, I don't know how much you know so don't be patronised by this, but have you tried enabling the FTP port (21) from WAN using iptables?
    There is a guide on how to do this on my wiki:
    http://www.sprayfly.com/wiki/FTP_from_WAN

    No chance for him to use a post-firewall script. He uses stock firmware.... Might this solve the problem I have?
    The Struggle Continues...
    Asus WL500g #1 with fw 1.9.2.7-7f running as main home gateway, with Philipps PWC730k
    Asus WL500g #2 with fw 1.9.2.7-7f running as Wireless Client, running palantir 2.6 with SPCA5xx camera on 128MB generic USB key

  4. #4
    Thanks for your replies, here's what I am familiar with and what I am not...

    First, my cable modem provider and service provider have confirmed that there are no restrictions set in my subscription to their service, and my IP is steady as a rock. This was the first thing I thought about when I noticed the problems given, but these things are cleared out.

    Second, as said, a web server was up and running with no problem, and I have also been able to enable WAN access to the router configuration (for wl520g) at a specific port, and both have been accessible from my computer at work using my .com domain, which of course points to my WAN IP address (NOTE: All ports are forwarded to this IP address within this domain).
    There is also a Sipura IP-phone adapter incorporated into this network behind the wl520g with no problems.

    Working with the wl520g and wl500g so far has been a dream; all my needs have come true without any finger trouble, i.e. if I change my configuration for some reason it has almost always worked at once, except for the ftp access from WAN, which has been a pain in my ass for quite a while (except for local access within my local network).

    Note that I have been enabling the virtual server for FTP in the same manner as I did for the WEB server. The only difference is that the FTP server is hosted by the wl500g and the web server is hosted by a local PC. Later I will maybe try to install an FTP server on the same computer as the WEB server, but first I hoped to solve my troubles with the ftp server on the wl500g.

    jonolumb: Is the Asus original firmware blocking access from WAN for FTP in some manner?

    About Oleg's firmware, could you say some words about it? I understand that Oleg has included some kind of user interface based on Telnet on the LAN side. Is there anything like this in the Asus original FW? Would it be sufficient to only upgrade with Oleg's firmware and to use Telnet access from a windowized computer instead of all the things listed at the top of your wiki? Or is Oleg's firmware based on Linux and also needs an external HD drive to be mounted?? Being rather new in the Linux world (starting with Ubuntu), there is some terminology which I am quite unfamiliar with in your reply, but I am learning, so any help would do..

    Regards
    Z

    Please advise me if my questions are annoying and not formulated well or if they belong to the category RTFM. Thanks anyway

  5. #5
    Hi there, I am afraid that I know very little about the factory install firmware from Asus, as the first thing I did when I got my WL-HDD was to upgrade to Oleg's firmware!
    Believe it or not, it is not just Oleg's firmware that is based on Linux but the factory firmware too - that's because the whole box runs Linux. However, what Oleg's firmware allows you to do is to access the box from a shell and make modifications and install packages.
    You do not need a built-in hard disk as on the WL-HDD; you can use external USB hard disks or even a USB flash drive. There are tutorials on installing these on http://www.macsat.com/
    There is still the web interface for Oleg's firmware which allows certain things to be changed. However, a lot of changes need to be done via a shell (text commands).

    I suspect (although I am not sure) that whilst the first router (the 520) is forwarding FTP traffic to your 500g, the 500g is not allowing WAN traffic to the FTP server. However, like I said, I know very little about the basic factory firmware. I don't know if you can configure the basic firmware to accept WAN connections; check out the web interface. This can however be done with Oleg's firmware.

    Hope this was of some help
    Check out all the guides you can if you are considering upgrading to Oleg's firmware. They will give you an idea of what you can do.
    Jono

  6. #6

    Problem solved!

    Thanks for your reply and information; it does help in understanding what lives inside my router. However, I have solved the problem with WAN access to my FTP server. The thing is that the tutorial given by Asus is wrong(!), and also, when you specify a virtual server under the NAT settings you can select a predefined FTP setup from the "well known applications" drop box. This sets the port range to 20:21 and the local port to 21, and this is a problem since it seems that the ports used when negotiations are done (from port 21 - ftp admin port) are not restricted to the port range specified by some means, I think so at least. These are settings done on the wl520g. However, by only specifying the port range to be 21 and not specifying any local port, the whole shebang works as expected. Do not ask me why it is like this. I will continue to learn more about Linux and Oleg's FW, and who knows, one day I might end up with his FW too...

    Thanks anyway
    Vidar (Z)
    Last edited by zainka; 13-01-2006 at 06:33.

  7. #7

    Or, problem NOT solved...

    I'll be damned... The server set up on my PC works fine from WAN, but the server on the wl500g does not respond correctly from work when using Total Commander as ftp client, most possibly not for other clients either. Earlier, all tests were performed from within my network by a call to ftp.mydomain.com, where the request was first rejected until I made the changes described in my reply above (i.e. it wouldn't connect to the ftp server if I was using the Asus predefined settings, but only after I had made the changes in the virtual server settings) (by the way, when connecting using a domain name, wouldn't this force the browser to first go outside (WAN) so an ftp request would look like it was coming from the WAN side and not from the LAN side???). Now, when connecting from work, I get the ftp server response 200 which means, as you know, "Command OK", but then it hangs on setting the USER. This did not happen before my changes (back then I got no response at all except for timeout).

    Don't know why, but it seems like it is changing port number during the sequence or something, so that the connection is lost and totalcmd will after the timeout report the server as being OFFLINE. However, the port forwarding status for the 520g says that port 21 is redirected to the wl500g; this was not the case before when the virtual server was set according to Asus preferences.

    Strange things happen after dawn (when I was fiddling with this)

    any ideas?

    thanks in advance
    Vidar (Z)
    Last edited by zainka; 13-01-2006 at 09:56.

  8. #8

    built in shell

    I have now installed Oleg's fw 1.9.2.7-7b on my wl-500g to see if I can get access to my two ftp servers, one using the built-in server on the 500g, and one on a standalone computer connected to the 500g by wire.

    For both servers I can now log on to them, but the client fails in downloading the directory listing. I can start an upload to the servers, but the negotiation between the server and the client seems not to get finished, so there is no progress in the upload session of the file itself (if you understand my English grammar, you are good)..

    As mentioned in an earlier post, I also have a web server up and running on the standalone computer, and this I can access without problem from the WAN side.

    One more thing... If connecting using Firefox to the ftp server on the standalone computer (FileZilla ftp server), the login screen prompts immediately; then, after typing username and pwd, it stops responding until timeout, and error message 425 is also given. Next, the directory listing fails and an empty index list shows up. Clicking "Up to higher level directory" will require me to re-enter user and pwd, of course. Using the same address within the LAN gives me full access to both servers.

    Here is an iptables list for the command iptables -L -t nat -vn used from the system command "shell" or whatever it is named:
    Code:
    Chain INPUT (policy ACCEPT 70992 packets, 6014K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 74752 packets, 13M bytes)
     pkts bytes target     prot opt in     out     source               destination
    Which gives me just about no info helping me with the troubles I have. And I do not recognise this list compared to other people's lists which have been published in this forum. Any hints?

    By the way, which shell is used for the system command interface, and can you show me a list of commands supported?


    Thanks in advance
    regards
    Vidar (Z)
    Last edited by zainka; 24-01-2006 at 12:40.

  9. #9

    looks like you have the same trouble as I do

    I just posted a similar story for running a webserver on the WL500g. This seems to be at the heart of the WL500g.

    I tried the suggestions earlier in the thread, but without success as well.

  10. #10

    solving?

    Hi,
    I had the same problem with asus after adsl modem used latest Oleg's firmware.
    I tried to set port forwarding to local IP in VPN server, but with two rules port 20 to 20 and port 21 to 21 (not 20:21 to 21 as default) and it helped.
    See also /etc/protocols - it seems that port 20 is for data and 21 for ftp communication.


    try also this from russian discussion - the last message.
    http://wl500g.info/showthread.php?t=...ort+forwarding
    but I didn't try it.


    Leave a note here if something helped

  11. #11
    Join Date
    Nov 2004
    Location
    Sweden
    Posts
    259
    If you have already tried all what's below and you don't get the ftp to work from the WAN and you have manually set up the ftp server in your Asus, try this:

    Code:
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination $4:21
    iptables -I INPUT -p tcp --dport 21 -j ACCEPT
    BTW, the $4:21 means "the local IP for the interface port 21"
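
The symptoms reported in posts #8 and #10 (login works, then the directory listing fails with 425; port 20 for data, 21 for control) are consistent with FTP's separate data connection, whose address and port are negotiated over the control channel. As an added example that is not part of the thread, this Python check compares a server's 227 passive-mode reply with a router's port forwards; the replies, the WAN address 203.0.113.10 and the passive range 50000-50100 are constructed assumptions.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959).
_TUPLE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    m = _TUPLE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def data_channel_problems(reply, wan_ip, forwarded_ports):
    """Reasons a client on the WAN side cannot open the data connection
    that the server's 227 reply asks for."""
    parsed = parse_hostport(reply)
    if parsed is None:
        return ["no address/port tuple in reply"]
    ip, port = parsed
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{ip} is a private LAN address")
    elif ip != ipaddress.IPv4Address(wan_ip):
        problems.append(f"{ip} is not the router's WAN address")
    if port not in forwarded_ports:
        problems.append(f"TCP port {port} is not forwarded")
    return problems


# Constructed inputs: the thread's LAN address and its 20:21 forward,
# a documentation WAN address, and a hypothetical passive port range.
WAN_IP = "203.0.113.10"
AS_IN_THREAD = data_channel_problems(
    "227 Entering Passive Mode (192,168,1,2,195,149)", WAN_IP, {20, 21})
WITH_PASSIVE_RANGE = data_channel_problems(
    "227 Entering Passive Mode (203,0,113,10,195,149)", WAN_IP,
    {21} | set(range(50000, 50101)))

if __name__ == "__main__":
    print(AS_IN_THREAD)
    print(WITH_PASSIVE_RANGE)
```

Either the server has to advertise the WAN address together with a forwarded passive port range, or the NAT device has to rewrite the reply with an FTP connection-tracking helper.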
