| UNIX/Linux Forum Archives |
| fishsponge |
Administrator Group: Admin Posts: 679 Member No.: 1 Joined: 13-February 03 |
Please look at the following - it's my home network map:
(IMG:http://fishsponge.co.uk/miscfiles/networkMap.gif)

we have an FTP server on "huge", and i've forwarded ports 20 & 21 to this machine (although not labelled yet). I've also set up the server to only use PASV ports 1040 - 1050. I have also forwarded these to "huge".

However, FTP is not working properly. The login works fine, and logout too... but 'ls' does not work, and neither does anything else that requires transfer of data.

any ideas people?? |
| sleazyrob |
Posted: Feb 17 2003, 11:34 PM
User Level: 4 Group: Members Posts: 66 Member No.: 8 Joined: 17-February 03 |
dunno, does non-PASV ftp work?

PASV ftp is where the client makes the data connections - hence it's harder to set up through a NAT router. I don't think the small range of ports you specified is good enough because the connection will be made to a random 'free' port.

Linux routers need masq_ftp module to do this properly. I guess the implementation will vary on your router (if supported at all). |
| NTLDR |
Posted: Feb 17 2003, 11:48 PM
User Level: 5 Group: Members Posts: 105 Member No.: 2 Joined: 14-February 03 |
From the picture at least it seems you have the same router as me, an SMC Barricade? (I've got a 7000BR I think).
This is the same situation as I always had previously, I'm sure it was because I was using PASV for transfers and I shouldn't have been. Try turning PASV off and see if that works. |
| sleazyrob |
Posted: Feb 17 2003, 11:53 PM
User Level: 4 Group: Members Posts: 66 Member No.: 8 Joined: 17-February 03 |
just thought about this

is there any way of forcing the ip in some way with the server software you are using?

Say you have 1 "real" ip with several clients masqueraded (NAT) behind

Client says I want file abc.txt
Server says ok, connect to me at 192.168.0.3 on port 123 (wrong ip, should be using "real" ip, not the masqueraded private ip)
Client tries to connect to 192.168.0.3 port 123 which is invalid outside the private network |
| fishsponge |
Posted: Feb 18 2003, 09:24 AM
Administrator Group: Admin Posts: 679 Member No.: 1 Joined: 13-February 03 |
first of all... there's a key problem with the last idea... when the client tries to connect to 192.168.0.3 (on the third line), the request will not go to the router, cos how would the client know that instead of sending to 192.168.0.3, it really needs to send to the external IP... therefore, it would send the request to a machine on its local lan... which is no good...

make sense??

as for my router... i have an Efficient router, not an SMC one. the picture was stolen from google, i couldn't find a pic of my own router.

and as for FTP connecting on a random 'free' port, this is correct... which is why i forwarded 1040 - 1050 to the FTP server, and told the FTP server to not use any free port, but to only use a port between these values. It still doesn't work though.

I assume i can set the server up to use Active instead of Passive.... but does anyone know how?? |
| NTLDR |
Posted: Feb 18 2003, 11:23 AM
User Level: 5 Group: Members Posts: 105 Member No.: 2 Joined: 14-February 03 |
I don't think anything server side needs to be done. PASV just needs to be disabled on the client I'd say.
|
| fishsponge |
Posted: Feb 18 2003, 12:09 PM
Administrator Group: Admin Posts: 679 Member No.: 1 Joined: 13-February 03 |
ok, that would seem sensible... but how do you disable PASV in 'ftp' ??
Also, how do other people do this?? i assume they use the ftp module in the router... right? |
| NTLDR |
Posted: Feb 18 2003, 03:53 PM
User Level: 5 Group: Members Posts: 105 Member No.: 2 Joined: 14-February 03 |
What client are you using? If it's a GUI one, there's probably an option to use PASV/Passive Mode, if not then it's most likely via the PASV command.
|
| sleazyrob |
Posted: Feb 18 2003, 06:49 PM
User Level: 4 Group: Members Posts: 66 Member No.: 8 Joined: 17-February 03 |
Sorry if I wasn't clear, that's what I meant was _actually_ happening, not what _should_ happen.

You need to get the server to put the external IP in the PASV requests (what the masq_ftp module does is examine and translate these correctly).

Have you tried snoop/tcpdump/ethereal to see what's actually going on?

Also why ftp? sftp should work with your existing ssh port forwarding and is faster because the data gets compressed. |
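The failure sleazyrob describes in his two posts, as an added example that is not part of the original thread: a Python check that parses each 227 (PASV) reply seen on the control channel and flags an announced address that differs from the one the client connected to, or a data port outside the forwarded 1040 - 1050 range. The sample lines and the external address 203.0.113.10 (a documentation address) are constructed.

```python
import ipaddress
import re

# Matches the (h1,h2,h3,h4,p1,p2) tuple in an FTP 227 reply (RFC 959).
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv(line):
    """Return (ip, port) announced in a 227 reply, or None for other lines."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: " + line)
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def diagnose(line, control_ip, forwarded_ports):
    """List the reasons a client outside the NAT could not open this data connection."""
    parsed = parse_pasv(line)
    if parsed is None:
        return []
    ip, port = parsed
    problems = []
    if ip != ipaddress.ip_address(control_ip):
        kind = "private" if ip.is_private else "different"
        problems.append(f"server announced {kind} address {ip}, client reached it at {control_ip}")
    if port not in forwarded_ports:
        problems.append(f"data port {port} is not forwarded by the router")
    return problems

# Constructed control-channel lines, as a capture on the client side might show them.
# 203.0.113.10 stands in for the router's external IP (assumption, not from the thread).
SAMPLE = [
    "230 User logged in.",
    "227 Entering Passive Mode (192,168,0,3,4,20)",     # port 4*256+20 = 1044
    "227 Entering Passive Mode (203,0,113,10,4,20)",    # external IP, forwarded port
    "227 Entering Passive Mode (203,0,113,10,19,136)",  # port 19*256+136 = 5000
]

if __name__ == "__main__":
    for line in SAMPLE:
        for problem in diagnose(line, "203.0.113.10", range(1040, 1051)):
            print(f"{line!r}: {problem}")
```

Only the third sample line describes a data connection an outside client can actually open: the address matches the one it dialled and the port falls inside the forwarded range.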
| fishsponge |
Posted: Feb 18 2003, 10:30 PM
Administrator Group: Admin Posts: 679 Member No.: 1 Joined: 13-February 03 |
hadn't thought of SFTP.... are there any SFTP windows servers?? it's for my housemate u see... he has a windows machine, and would like FTP access to it... strange, i know! lol

As for getting the server to put our external IP address in all its packets... this isn't possible i don't think, without giving that machine our external IP address, but then things would become seriously confusing within our lan!

also... i don't think our router is capable of this FTP module stuff... |
| Darkjest |
Posted: Jun 24 2004, 06:13 PM
Newbie Group: Members Posts: 1 Member No.: 346 Joined: 24-June 04 |
I don't know linux but for SFTP you would have to get a SSL certificate and also have port 990 open.
You can get free SSL certificates now which you can generate but at the end of the day if someone is going to hack it they will hack it. |
| fishsponge |
Posted: Jun 25 2004, 09:59 AM
Administrator Group: Admin Posts: 679 Member No.: 1 Joined: 13-February 03 |
thanks for the info, but i've since moved out of that house, and then out of the house i moved into from there! I'm about to move house again too! lol :D
|