FTP server behind Alcatel router (510)

Discussion in 'Windows Desktop Systems' started by Digdis, Jan 3, 2005.

  1. Digdis

    Digdis OSNN Addict Political User

    Messages:
    91
    Hi there,
    Been trying to set up an FTP server on my PC, without success. Here's the info:
    - FTP server: GuildFTPd 0.999.13. Passive mode properly configured to my WAN address.
    - Router: Alcatel Speedtouch 510.
    - OS: XP, no SP (thank god).
    - No firewall running (when trying this).
    - Did port forwarding on ports 20 & 21. This works for me for other applications (p2p mainly).
    - ISP doesn't seem to block port 21, but I'm not sure about that (how can I be sure?) - at least they say they don't.
    - When trying to access with an FTP client or command line from my work PC (got a VNC connection there), the connection fails. The client (WS-FTP) is set to passive mode. In the command line mode, BTW, the error message is "connection refused".
    - Furthermore, when running a packet sniffer (sniffem), I never saw any incoming packet with port 21.

    BTW, tried the same with an HTTP server, opening port 80. Same failure.

    Any help here would be appreciated.
    D.
     
  2. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    First, Digdis.

    Welcome to OSNN!!, glad you can join us.

    First, make sure that your ISP is not blocking port 21. How to make sure: port forward 21 on the router, then disable any/all firewalls on that computer just for now. Using that computer, go to www.grc.com and use their "Shields Up" port tester. Don't worry, it is a very secure site. If you are still getting port 21 blocked, then your ISP is controlling that port.

    Heeter
     
  3. Zedric

    Zedric NTFS Guru Folding Team

    Messages:
    4,006
    Location:
    Sweden
    Welcome to the forums!

    - First off, forget about port 20, it's not needed.
    - Like you said you forwarded port 21. This is correct if your ISP allows port 21.
    - You also said you enabled passive mode, but not if you've forwarded a passive port range in the router. This has to be done in order for passive mode to work (and you should use passive mode). So forward the same range of ports that you specified for passive mode in the server. If you don't know how many you need, the rule is one port per concurrent connection (so 100 ports is more than enough).
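
Added example, not part of the thread or of GuildFTPd: a check of what the server advertises in its passive-mode reply against the router setup described above. The WAN address (a documentation address), the 100-port range and the function names are assumptions made for this example; the reply format is the standard `227` response.

```python
import ipaddress
import re

# The six numbers of an RFC 959 "227" reply: h1,h2,h3,h4,p1,p2.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# LAN ranges a NAT router hands out; unreachable from the Internet.
_LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a '227 Entering Passive Mode' reply."""
    m = _PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a usable 227 reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in reply: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # data port = p1*256 + p2


def check_pasv(reply, wan_ip, forwarded_ports):
    """List why an outside client could not open the data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip in net for net in _LAN):
        problems.append("server advertises LAN address %s" % ip)
    elif ip != ipaddress.IPv4Address(wan_ip):
        problems.append("advertised %s is not the WAN address %s" % (ip, wan_ip))
    if port not in forwarded_ports:
        problems.append("data port %d is not forwarded on the router" % port)
    return problems


# Constructed sample values: documentation address, assumed 100-port range.
WAN_IP = "203.0.113.10"
FORWARDED = range(50000, 50100)

if __name__ == "__main__":
    for reply in (
        "227 Entering Passive Mode (203,0,113,10,195,100)",  # port 50020
        "227 Entering Passive Mode (192,168,1,2,195,100)",   # LAN address
        "227 Entering Passive Mode (203,0,113,10,8,52)",     # port 2100
    ):
        print(reply, "->", check_pasv(reply, WAN_IP, FORWARDED) or "OK")
```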
     
  4. Digdis

    Digdis OSNN Addict Political User

    First of all thanks for the help. Forwarded the ports in the passive mode port range. The problem remains with port 21 - ShieldsUp says it's closed. So - this means either my ISP lies and blocks this port, or my router port forwarding configuration doesn't work (lamer). I think I can manage this from this point on.

    Thanks again,
    D.
     
  5. ve3ofa

    ve3ofa OSNN One Post Wonder

    Messages:
    1
    Betcha that your ISP is blocking port 21, 25, 80. At least mine is, and causing me no end of grief.. having to have my DNS sent to a port forwarder and then onto my site(s). Outbound on those ports are blocked as well so I'm paying for bandwidth x 2. But currently still the only local solution. Use my own web server software and others.. If I didn't write it then I don't trust it. Haven't found an ISP where I can put my custom box in and have them plug it in..
     
  6. Zedric

    Zedric NTFS Guru Folding Team

    OR, the Windows firewall blocks the ports unless you've fixed that part.
     
  7. Digdis

    Digdis OSNN Addict Political User

    I'm not sure about that. When running ShieldsUp (great service BTW), all these ports appear as "closed" (as opposed to "stealth"). According to their explanation, this means my PC (or my router modem to be more exact) is reached, but doesn't reply. Am I correct? If I am, doesn't this mean these ports aren't blocked by the ISP? Just to compare, I borrowed a friend's account user and password that belong to another ISP, and when running ShieldsUp while logged into this account, these ports appeared as "stealth". I'd assume that in this case the ISP blocks these ports.

    Don't have a Windows firewall, ZoneAlarm was disabled at the time I did the tests.

    Thanks again to everyone here.
    D.
     
  8. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    Yes, but Windows XP has a built-in firewall. Not sure, but I don't think it's enabled by default. It's in the properties of Control Panel>Network Connections, properties of the Local Area Connection, Advanced Tab.
     
  9. Zedric

    Zedric NTFS Guru Folding Team

    Curious. Ports appear as stealthed if a firewall drops them (routers usually do this too when it comes to non-forwarded ports). Ports appear closed if they reach your computer and it responds "No I'm not running any service on this port" (well sort of anyway). Of course if your ISP blocks these ports, they could appear as either stealthed or closed as well, depending on the equipment of your ISP.

    The easiest way to get around this (and test it as well) would be to move the FTP server to listen on port 2100 (or whatever) instead. Once you get that to work, you could move back to port 21 to see if your ISP indeed blocks access.
     
  10. Digdis

    Digdis OSNN Addict Political User

    Well, here's some new info:

    - When logged in from my friend's ISP account, and probing my PC using ShieldsUp with port 21, it appeared as open (FTP server running). Also saw the packets with dest port 21 using sniffer. When logging into my ISP account, the port appeared as closed, and no such packets appeared on my sniffer. Conclusion: My ISP blocks this port. This will be taken care of.

    - Using my friend's ISP account once again, I've tried FTP login from work PC to my home WAN address (passive mode, port 21). This time - no success, Sniffer at home doesn't see any packet with dest port 21. I've managed to log in to other FTP sites from work, meaning that the firewall there doesn't block FTP access. Any idea? Trying with other ports (as you suggested Zedric) ain't possible, as I believe the firewall at work will block them. This BTW is the reason for all this trouble: Trying to transfer large files between home & work using FTP (as all other ways are blocked).

    Thanks,
    D.
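
Added example, not written by any poster: the open/closed/stealth distinction from the posts above, combined with the sniffer observation Digdis used to decide where a packet stopped. `port_state` is meant to be run from a machine outside the home network against your own WAN address; the function names and verdict wording are this example's own.

```python
import socket


def port_state(host, port, timeout=3.0):
    """Probe one TCP port and name the result the way a port tester does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"           # a reset came back: something answered "no service"
    except socket.timeout:
        return "stealth"          # no answer at all: the packet was dropped
    except OSError as exc:
        return "error: %s" % exc  # e.g. host or network unreachable


def diagnose(state, syn_seen_on_server):
    """Combine the outside probe with what a sniffer on the server PC saw."""
    if state == "open":
        return "forwarding works and the server is listening"
    if state == "closed":
        if syn_seen_on_server:
            return "packet reached the PC, which refused it (no listener or a rejecting firewall)"
        return "a device upstream of the PC answered; the packet never arrived"
    if state == "stealth":
        if syn_seen_on_server:
            return "packet reached the PC, but no reply went back (host firewall dropping it)"
        return "packet was dropped upstream (router rule missing or a filter on the path)"
    return "probe failed: " + state


if __name__ == "__main__":
    # Constructed demo on loopback: a listening port, then the same port with no listener.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, port_state("127.0.0.1", port))
    srv.close()
    print(port, port_state("127.0.0.1", port))
```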
     
  11. Zedric

    Zedric NTFS Guru Folding Team

    That does indeed sound strange. I can't really see the problem at the moment, but might I come with another suggestion for the file transfer? You could use SFTP/SCP instead. This does away with the problem with passive port ranges, plus it's encrypted. This would run over port 22 only (which is rarely blocked).

    SSH (SFTP/SCP) server: http://sshwindows.sourceforge.net/
    Download, install and set up according to quickstart.txt.

    Many FTP clients can handle SFTP/SCP, but rarely in their free versions. There are some however.
    Filezilla: http://filezilla.sf.net (Full FTP client)
    WinSCP: http://winscp.sf.net (SFTP/SCP client only)

    All the software above is open source and totally free. :)
     
  12. Weasel

    Weasel Define 'Cynical'

    Messages:
    163
    Location:
    Sammamish, WA
    ZoneAlarm's known to run even when "disabled" so I'd be a little wary about that. Do what Zedric said and change your FTP port to something non-standard like 2100 and put the server into active mode instead of passive. Also be sure to tell the client to use active mode (I suggest SmartFTP http://smartftp.com) instead of passive. This'll force the client to use only the connecting port and not a range which might be blocked.
     
  13. Digdis

    Digdis OSNN Addict Political User

    (Sorry for the late reply)

    Well, mystery resolved. I received my ISP account from my wife's work for free, so I did some checking, and it appears the account is set up automatically as IP-VPN, meaning that I get into her work's VPN automatically when I connect (silly method IMHO, as you only need to have the user and password of the ISP account in order to get into the VPN). This means that discovering my WAN IP returns the VPN's IP, and my PC doesn't have a WAN IP. Can't complain about something I get for free, can I :nervous: . Anyway, this of course is the reason I didn't manage setting up any server on my PC (neither FTP nor HTTP). I guess we'll have to settle for third party FTP (or HTTP) servers in order to transfer large files between home and work, unless anyone here has a creative way to bypass this as well. BTW, can't set up an FTP server on her PC as well, as the firewall in her work blocks such inbound access.
    Thanks for all the help everyone. This is a real cool community, and I'll be sure to check it more often.
    D.
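
Added example, not part of the thread: the comparison that exposes the situation described in the post above, where the address the outside world sees does not belong to the local router. The function name, the sample addresses (constructed, using documentation ranges for the public ones) and the list of non-public ranges are this example's assumptions.

```python
import ipaddress

# Ranges that cannot receive connections straight from the Internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 shared (carrier NAT)
    "169.254.0.0/16",                                  # link-local
)]


def forwarding_can_work(router_wan_ip, seen_from_outside):
    """Return (ok, reason) for inbound port forwarding on the local router.

    router_wan_ip     - address shown on the router's WAN/PPP interface
    seen_from_outside - address an external "what is my IP" page reports
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(seen_from_outside)
    if any(wan in net for net in NON_PUBLIC):
        return False, "router WAN address %s is not publicly routable" % wan
    if wan != seen:
        return False, ("outside hosts see %s, not the router's %s: traffic "
                       "leaves through another gateway" % (seen, wan))
    return True, "router holds the public address %s" % wan


if __name__ == "__main__":
    # Constructed cases: VPN-assigned private address, mismatched public
    # address, and the working case where both values agree.
    for wan, seen in (("10.20.30.40", "198.51.100.7"),
                      ("203.0.113.10", "198.51.100.7"),
                      ("203.0.113.10", "203.0.113.10")):
        print(wan, seen, forwarding_can_work(wan, seen))
```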
     
  14. Heeter

    Heeter Overclocked Like A Mother

    Yeah Digdis,


    Due to the fact that company that your wife works for has total control over the ports, you will be left out in the cold. The only creative way to get around this while using your existing connection setup is if you get really, really close to the IT person from the company. LOLOL.

    Hope to see you around the forum/IRC channel. Again, Welcome!!!

    Heeter
     
  15. Digdis

    Digdis OSNN Addict Political User

    Well their IT folks don't know squat, so they basically ordered this service from their ISP. I don't know if they realize the danger of this solution; I once borrowed a laptop from my friend, then it came to my mind I left the login info remembered in the laptop PPTP dialer. I deleted it at the first occasion I had, but I guess this wasn't the only situation their network had been out in the open. Anyway the ISP support people bragged about how safe this solution was. Had no time arguing with him...

    You bet. :cool:

    D.
     
  16. Zedric

    Zedric NTFS Guru Folding Team

    Active mode is not a good idea. It makes it easier to configure the server, true, but if the client is behind a firewall or NAT router, it won't work despite what you do (short of DMZ:ing the client pretty much). So always use passive mode. It's worth the extra work.

    Sorry to hear about the network topology Digdis, there's really not much to do about it. Sadly.
     
  17. Weasel

    Weasel Define 'Cynical'

    Interesting, I'll keep this in mind. My experience is a FreeBSD box behind a m0n0wall router running proftpd in which I'd just use active mode since passive was giving me a headache. Different solutions to the same problem. :)