I'm trying to connect to my FTP server from my external IP address on Comcast Business.
On the gateway I've set up port-forwarding on ports 20-21 to my server. Additionally I've forwarded ports 7000-8000 to my server for use in passive mode.
In my FileZilla Server application I've set up passive mode to use my static IP and to use the subset of ports listed above.
Unfortunately, it doesn't work through the external static IP for some reason, but I can internally.
When I try to connect through the static IP, the FileZilla monitor says
Connected, sending welcome message....
220 FileZillaServer version 0.9.37 beta
could not send reply, disconnected
My firewall doesn't register any block events and Windows Firewall is disabled. What am I doing wrong or missing?
It would seem that, for some reason, the connection on port 21 doesn't work between the external IP and your FileZilla server.
I would recommend that you allow inbound and outbound connections on port 21 on both the external IP station and on the server. After that you could try to:
1. telnet on port 21 from the external IP to the FileZilla server
2. you might need to forward back the response from the FileZilla server over to the external IP (error 220 - can't receive the welcome message)
Passive mode and the high-numbered ports are not used for the command phase, so this is related to transmission on port 21.
The options are:
Finally, you should try to avoid using FTP if you can. SFTP or FTPS are much better choices over the public internet as all content including usernames and passwords is sent in cleartext.
What you are trying to do generally won't work without reconfiguration on the firewall/NAT device.
The traffic flow for your current setup would basically go as follows (using example IPs):
Internal Client IP: 10.0.0.100
Internal FTP IP: 10.0.0.1
External FTP IP: 1.2.3.4
You would need to set up or enable a hairpin NAT rule (or NAT reflection, or other various terms depending on the manufacturer) on the firewall in order to establish the NAT session to the external interface before having the traffic come back in. The Comcast device may have an option to enable NAT reflection but not having worked with them before, I can't say for certain if they do or not.
The real question is why are you trying to do it this way? If you're just trying to test, then use a true external client (either have a friend test or set up an external client). If you're trying to do it this way moving forward, then just go directly using IP or a split-DNS solution.
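Added illustration, not part of the answers above: a small Python model of the address rewriting for an internal client that connects to the external IP, comparing a plain port forward with a hairpin NAT rule. It uses the example IPs from the last answer; the gateway LAN address 10.0.0.254 and the client source port 50000 are assumed values, and the model assumes client and server share one LAN.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# Addresses from the answer above; gateway LAN address and client port are assumed.
CLIENT, SERVER, EXTERNAL = "10.0.0.100", "10.0.0.1", "1.2.3.4"
GATEWAY_LAN, CLIENT_PORT = "10.0.0.254", 50000

def trace_connection(hairpin: bool):
    """Follow one SYN and its reply; return (packets, client_accepts_reply)."""
    syn = Packet(CLIENT, CLIENT_PORT, EXTERNAL, 21)
    # The client's socket only accepts a reply that mirrors the SYN it sent.
    expected = Packet(syn.dst, syn.dport, syn.src, syn.sport)

    # Port forward (DNAT): the gateway rewrites the destination to the server.
    forwarded = syn._replace(dst=SERVER)
    if hairpin:
        # Hairpin NAT also rewrites the source, so the server answers the gateway.
        forwarded = forwarded._replace(src=GATEWAY_LAN)

    # The server replies to whatever source address it saw.
    reply = Packet(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)
    packets = [syn, forwarded, reply]

    if reply.dst == GATEWAY_LAN:
        # The reply passes through the gateway, which undoes both translations.
        reply = Packet(EXTERNAL, reply.sport, CLIENT, CLIENT_PORT)
        packets.append(reply)

    # Without hairpin the reply arrives straight from 10.0.0.1 and matches no socket.
    return packets, reply == expected

if __name__ == "__main__":
    for mode in (False, True):
        packets, ok = trace_connection(mode)
        print("hairpin NAT" if mode else "port forward only")
        for p in packets:
            print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        print("  client accepts reply:", ok)
```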