
Try as I might, I cannot seem to get my Windows 2012 FTP server to go through my router.

The server is located at 10.0.0.90

I can FTP to that IP address internally (from, say, 10.0.0.40) without a hitch. Works perfectly well.

When I try to access it from the "world" using my public IP, I can log in fine, but when I do a DIR or pretty much anything I get

150 Opening ASCII mode data connection

......then nothing

I know that it responds with an active range of some sort, but even if I put the server in the DMZ I cannot get past this. Anyone have any suggestions?

My router configuration is as follows:

TCP Port  21                --->    10.0.0.90
TCP Port  20                --->    10.0.0.90
TCP Ports 49152 - 65535     --->    10.0.0.90

Even after the advice given below I still cannot connect on the other side of the router.

I also want to point out that I set my FTP settings for firewall support (server level) as follows:

Data Channel Port Range:        External IP Address of Firewall:
49152-65535                     10.0.0.1

I also want to point out that my firewall on that machine is totally off. We rely on our router's firewall exclusively.

***********UPDATE***********

I have confirmed, by using an FTP utility such as WSFTP that the active connection does, in fact, work. I believe the FTP command line utility is a passive utility so it is not working. Additionally, using an FTP url such as ftp://user:pass@domain.com is also passive since it doesn't work either. Can anyone suggest anything further?

Jon Glazer
  • It's a limitation of your router and the ftp protocol. Either fix the router, or enable pasv ftp mode. This question comes up a lot and I'm sure there is a duplicate somewhere. I'm looking... – hookenz May 02 '17 at 23:45
  • Are you using passive or active FTP mode? Show us your client log file. – Martin Prikryl May 03 '17 at 05:56
  • What does "internally" mean? On the same server? Or within the private network? – Martin Prikryl May 03 '17 at 05:58
  • Internally means on the same network, within the private network. I can ftp to the server fine inside the network but on the other side of the router it fails. I am testing using simple windows FTP client. No logs. – Jon Glazer May 03 '17 at 12:47
  • Putting the server in the DMZ isn't a panacea. I'm guessing that your DMZ isn't fully open to incoming traffic from the internet. You need to determine three things: `1.` Is the FTP server configured for Active Mode or Passive Mode. `2.` Is the client using Active Mode or Passive Mode? `3.` Is the firewall configured for Active Mode or Passive Mode (or both)? Once you determine those three things you can begin to troubleshoot the problem. – joeqwerty May 03 '17 at 13:12
  • Thanks @joeqwerty. I am trying to figure out how to determine how it is configured (active/passive). It is a pretty generic/clean install (windows 2012 R2). I only put it in the DMZ for testing. I updated the question with the current configuration above. – Jon Glazer May 03 '17 at 13:15
  • You could try opening ephemeral ports 1024-65535 as an experiment. – Tim May 03 '17 at 19:06
  • Show us a log file of some FTP client in the passive mode. – Martin Prikryl May 05 '17 at 20:01

2 Answers


Read this article about the FTP protocol.

Ports to open are below. How I understand FTP to work is also below, but I don't claim to be an expert here - I understood the general idea and looked the rest up. The main point of my post is that you need to open more ports.

  • Port 21: FTP Control port. Used for both active and passive FTP.
  • Port 20: FTP data port, only used with active mode FTP for outgoing connections to the client ephemeral port.
  • 49152 - 65535: Ephemeral port range (reference). Note, in earlier versions of Windows this was 1025 through 5000 (reference).

Background: Ephemeral ports are used so that more than one client can connect to a server on a given port.

Tim
  • Port 20 is outbound port, while the others are inbound. Mixing them like this without any explanation is confusing. – Martin Prikryl May 03 '17 at 05:57
  • @MartinPrikryl I did a bit more reading. You're right, for active FTP, but not for passive FTP. I've updated my answer. If there's something still not right let me know, I'll do my best to fix it. – Tim May 03 '17 at 09:02
  • @Tim, I configured my router as you suggested above (see updated question above) and still no go. Should I just configure FTP to be passive only? If so, how would I do this. I'd really like to get this working "correctly". Thanks – Jon Glazer May 03 '17 at 13:05

Port 21 is commonly referred to as the control port for FTP, and is used to pass the FTP commands. You will also need to open up the data transfer ports, which depend on whether you are using Active or Passive FTP. For active FTP, you will also want port 20 open, as it is the data port. Most modern FTP servers and clients are configured to use Passive FTP, which requires a different port range to be opened depending on your configuration. You will want to consult the FTP server documentation as to what port range is configured by default.

From what you are experiencing, it sounds like you need to open up the Active or Passive port range on your firewall as well as look at the Windows Firewall on your FTP server. It may be that you have operating system level firewall rules that allow traffic on your internal network, but restrict it for public connection.

Jenos
  • I put the server in the DMZ. Supposedly all traffic goes to that server by doing that (aside from specified ports) and I still have this problem. I am familiar with the port range you speak of but putting it in the DMZ should have covered it I thought. – Jon Glazer May 03 '17 at 12:48
  • If there should be no firewall active at all and traffic isn't getting through, my next step would be to get out Wireshark to see if the connection is even reaching the server. If it is, there may be an issue with returning traffic, such as it not getting properly translated. You might have to check your NAT rules. – Jenos May 03 '17 at 15:14
  • I have confirmed that FTP is, in fact, working through an active connection. But if I try Pasv, it fails. I assume the windows command-line utility is a pasv one? – Jon Glazer May 03 '17 at 16:43
  • @JonGlazer On the contrary, Windows command-line utility supports active mode only - And you wrote above that the active mode works, so some of your statements are not completely correct - So again, show us some logs - both for passive and active. – Martin Prikryl May 05 '17 at 20:02
  • @Martin Prikryl I thought the command-line version was active FTP, but it doesn't work. I get no data when I do a DIR (or LS). But using WSFTP or other Windows FTP apps it works fine. I also cannot get there using a URL like ftp://user:password@mydomain.com – Jon Glazer May 06 '17 at 15:56