Can't get FTP to work on Zyxel 660H router

I'm trying to configure a Zyxel 660H router to allow FTP to a system
on my Soho LAN.

I have the Zyxel configured so that all systems on the LAN can see the
outside world OK, i.e. a basic default ADSL configuration.

In addition I have got outside access to my web server on port 80 and
my ssh server on port 22 working (with the ssh acces restricted to a
few trusted IP addresses).

However I just can't get FTP access from the outside to work. I can
ftp to the ftp server from inside the LAN so the server is working but
when I try and access it from the outside nothing happens at all, just
silence and eventually a timeout. I have port 21 mapped across in the
NAT mapping and I hav opened up port 21 with the firewall, all exactly
as for the services that work.

So, what am I doing wrong? I know FTP is odd in some ways and can be
difficult to make work but surely it should be possible.

--
Chris Green

(E-Mail Removed) wrote:
> I'm trying to configure a Zyxel 660H router to allow FTP to a system
> on my Soho LAN.
>
> I have the Zyxel configured so that all systems on the LAN can see the
> outside world OK, i.e. a basic default ADSL configuration.
>
> In addition I have got outside access to my web server on port 80 and
> my ssh server on port 22 working (with the ssh acces restricted to a
> few trusted IP addresses).
>
> However I just can't get FTP access from the outside to work. I can
> ftp to the ftp server from inside the LAN so the server is working but
> when I try and access it from the outside nothing happens at all, just
> silence and eventually a timeout. I have port 21 mapped across in the
> NAT mapping and I hav opened up port 21 with the firewall, all exactly
> as for the services that work.
>
> So, what am I doing wrong? I know FTP is odd in some ways and can be
> difficult to make work but surely it should be possible.
>
OK, a little Googling suggests that maybe I'm not going to have much
success trying to FTP through NAT and a firewall. I'm pretty sure my
previous Speedtouch router managed FTP OK but, presumably, that had
some tweaks in the firmware will allowed it to work.

It's not a big issue, I'll use rsync, scp, etc. instead.

--
Chris Green

In message <47fd476c$0$755$(E-Mail Removed)>,
(E-Mail Removed) writes
>However I just can't get FTP access from the outside to work. I can
>ftp to the ftp server from inside the LAN so the server is working but
>when I try and access it from the outside nothing happens at all, just
>silence and eventually a timeout. I have port 21 mapped across in the
>NAT mapping and I hav opened up port 21 with the firewall, all exactly
>as for the services that work.
>
>So, what am I doing wrong? I know FTP is odd in some ways and can be
>difficult to make work but surely it should be possible.
>
FTP uses two ports, one a control channel and the other a data channel.
--
Clint Sharp

In article <UaxrbUBYck$(E-Mail Removed)>, Clint Sharp
(E-Mail Removed) says...
> In message <47fd476c$0$755$(E-Mail Removed)>,
> (E-Mail Removed) writes
> >However I just can't get FTP access from the outside to work. I can
> >ftp to the ftp server from inside the LAN so the server is working but
> >when I try and access it from the outside nothing happens at all, just
> >silence and eventually a timeout. I have port 21 mapped across in the
> >NAT mapping and I hav opened up port 21 with the firewall, all exactly
> >as for the services that work.
> >
> >So, what am I doing wrong? I know FTP is odd in some ways and can be
> >difficult to make work but surely it should be possible.
> >
> FTP uses two ports, one a control channel and the other a data channel.
>
And any number of dynamically allocated high-numbered ports, if it's
running in active mode.

In message <(E-Mail Removed)> , Rob Morley
<(E-Mail Removed)> writes
>In article <UaxrbUBYck$(E-Mail Removed)>, Clint Sharp
>(E-Mail Removed) says...
>> FTP uses two ports, one a control channel and the other a data channel.
>>
>And any number of dynamically allocated high-numbered ports, if it's
>running in active mode.
Yeah, but if you're running the server you'd configure it to use passive
mode so the ports of interest are 'standard'.
--
Clint Sharp

In article <017TwGGzI6$(E-Mail Removed)>, Clint Sharp
(E-Mail Removed) says...
> In message <(E-Mail Removed)> , Rob Morley
> <(E-Mail Removed)> writes
> >In article <UaxrbUBYck$(E-Mail Removed)>, Clint Sharp
> >(E-Mail Removed) says...
> >> FTP uses two ports, one a control channel and the other a data channel.
> >>
> >And any number of dynamically allocated high-numbered ports, if it's
> >running in active mode.
> Yeah, but if you're running the server you'd configure it to use passive
> mode so the ports of interest are 'standard'.
>
There's no need to configure the server - if it receives a PORT command
from a client it opens an active session, and if it receives a PASV
command it runs in passive mode.

(E-Mail Removed) wrote:
[snip]
> So, what am I doing wrong? I know FTP is odd in some ways and can be
> difficult to make work but surely it should be possible.

It is possible - but it depends on the FTP server and router.

The bottom line is that there should be no problem getting "active" FTP
to work (with just forwarding of port 21) for a server behind a NAT
router, but "passive" FTP often causes problems.

Unfortunately, a lot of client software defaults to passive mode because
this is most likely to work with the client behind a NAT router.
However, active FTP is normally fine - NAT routers are invariably
capable of modifying the PORT command usually sent by a client.

To get passive FTP to work from a server behind a NAT router, either the
router needs to modify the server's response to the PASV command
(similar to modifying a client's PORT command) or you must be able to
configure the address the server gives in the PASV response, control the
range of ports it will use, and configure the router to forward those
ports in addition to port 21.

Where it is an option (and it sounds like it is for you), I would
recommend forgetting FTP entirely, instead using scp/sftp for private
files and HTTP for public ones.

Alex