Static IP

I have a 4 PC network on a 100mbit lan. 1x Switch and 1x ADSL router
(plugged into the switch) I have requested a static IP address and would
like to create a FTP server on one of the PC's

How can I get FTP traffic from the internet to this PC on my network? I know
that I need to NAT but the conexant router NAT settings is not too clear to
me.

On Wed, 03 Dec 2003 20:03:55 +0000, Derek.T wrote:

> I have a 4 PC network on a 100mbit lan. 1x Switch and 1x ADSL router
> (plugged into the switch) I have requested a static IP address and would
> like to create a FTP server on one of the PC's
>
> How can I get FTP traffic from the internet to this PC on my network? I
> know that I need to NAT but the conexant router NAT settings is not too
> clear to me.


FTP doesn't like working from inside a NAT router. But it can be made to
work. Firstly forward the two ports that FTP uses (20 & 21 TCP and UDP)
through the router to the PC that is going to host the FTP service. Start
the FTP service on the PC and that should be it. You should now be able to
access Your FTP service form outside.

But, and this is the problem. Some FTP clients will work fine with this
setup. So you may settle for the setup as it stands if your users can
access the service OK. The service is not actually working correctly. This
is because the FTP service on the PC inside your network has no idea it is
on an internal network with an internal IP address. So when a distant
client makes a connection to it, it tells the distant end to connect to
it's internal IP address, the distant end then tries to exchange data on
the internal IP address and can't. At this point the distant client
does one of two things, it either gives up and the FTP session fails, or
it realises the address is wrong and it recovers the correct address
(which is actually the router's external address) form the TCP/UDP packet
header and it uses this instead. If this happens all is fine. This method
is sometimes refereed to as PASV FTP.

My FTP server is on a Linux machine, you simply tell th FTP server to use
the external address instead of the internal one.

The other thing is security you will get several attacks every day as
hackers scan for FTP servers. You can minimise the usefulness of your server
to people you don't want to use it. You may wish to issue user names and
passwords. You can make your download area read only to prevent files
being deleted or changed. You can also make your upload area non readable,
that is once a file is uploaded by an external user, it can't then be
downloaded. This prevents porn peddlers and warez hackers using your server
to distribute their file.

What ever you decide, only allow access to a ring fenced area of your hard
disk, preferably on a non-critical machine.

I hope this doesn't put you off, your own FTP server can be very useful!

Graham

"Graham" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) s.com...
> On Wed, 03 Dec 2003 20:03:55 +0000, Derek.T wrote:
>
> > I have a 4 PC network on a 100mbit lan. 1x Switch and 1x ADSL router
> > (plugged into the switch) I have requested a static IP address and would
> > like to create a FTP server on one of the PC's
> >
> > How can I get FTP traffic from the internet to this PC on my network? I
> > know that I need to NAT but the conexant router NAT settings is not too
> > clear to me.
>
>
> FTP doesn't like working from inside a NAT router. But it can be made to
> work. Firstly forward the two ports that FTP uses (20 & 21 TCP and UDP)
> through the router to the PC that is going to host the FTP service. Start
> the FTP service on the PC and that should be it. You should now be able to
> access Your FTP service form outside.
>
> But, and this is the problem. Some FTP clients will work fine with this
> setup. So you may settle for the setup as it stands if your users can
> access the service OK. The service is not actually working correctly. This
> is because the FTP service on the PC inside your network has no idea it is
> on an internal network with an internal IP address. So when a distant
> client makes a connection to it, it tells the distant end to connect to
> it's internal IP address, the distant end then tries to exchange data on
> the internal IP address and can't. At this point the distant client
> does one of two things, it either gives up and the FTP session fails, or
> it realises the address is wrong and it recovers the correct address
> (which is actually the router's external address) form the TCP/UDP packet
> header and it uses this instead. If this happens all is fine. This method
> is sometimes refereed to as PASV FTP.
>
> My FTP server is on a Linux machine, you simply tell th FTP server to use
> the external address instead of the internal one.
>
> The other thing is security you will get several attacks every day as
> hackers scan for FTP servers. You can minimise the usefulness of your
server
> to people you don't want to use it. You may wish to issue user names and
> passwords. You can make your download area read only to prevent files
> being deleted or changed. You can also make your upload area non readable,
> that is once a file is uploaded by an external user, it can't then be
> downloaded. This prevents porn peddlers and warez hackers using your
server
> to distribute their file.
>
> What ever you decide, only allow access to a ring fenced area of your hard
> disk, preferably on a non-critical machine.
>
> I hope this doesn't put you off, your own FTP server can be very useful!
>
> Graham
>

Under my NAT settings there is the following

NAT (can be 1 of 4 settings, dymanic, NAT, NAPT or disabled)

Sesson Name (which is a blank Box)
Users IP

What do I need to do here?


Thanks in advance

Derek

On Thu, 04 Dec 2003 12:07:23 +0000, Derek.T wrote:

> Under my NAT settings there is the following
>
> NAT (can be 1 of 4 settings, dymanic, NAT, NAPT or disabled)
>
> Sesson Name (which is a blank Box)
> Users IP
>
> What do I need to do here?
>
>
> Thanks in advance
>
> Derek


Hmmm you've got more settings there than I have on my router. I
would say set that to just plain old NAT, it will probably give
more control over the settings.

You need to find the page (or table) called port forwarding.
You then specify then need to specify the incomming port number,
the protocol TCP and UDP, then the ip address that the port is
forwarded to. Some routers will let you do this with just one
entry, a range of ports, with others you may have to specify
each port seperatly.

What router have you got?

Graham

"Graham" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> On Thu, 04 Dec 2003 12:07:23 +0000, Derek.T wrote:
>
> > Under my NAT settings there is the following
> >
> > NAT (can be 1 of 4 settings, dymanic, NAT, NAPT or disabled)
> >
> > Sesson Name (which is a blank Box)
> > Users IP
> >
> > What do I need to do here?
> >
> >
> > Thanks in advance
> >
> > Derek
>
>
> Hmmm you've got more settings there than I have on my router. I
> would say set that to just plain old NAT, it will probably give
> more control over the settings.
>
> You need to find the page (or table) called port forwarding.
> You then specify then need to specify the incomming port number,
> the protocol TCP and UDP, then the ip address that the port is
> forwarded to. Some routers will let you do this with just one
> entry, a range of ports, with others you may have to specify
> each port seperatly.
>
> What router have you got?
>
> Graham
>

Hi Graham,

I Have a Origo ASR-8100 Conexant Chipset - the manual is not very helpful!

Thanks

Derek

On Fri, 05 Dec 2003 09:43:23 +0000, Derek.T wrote:


> Hi Graham,
>
> I Have a Origo ASR-8100 Conexant Chipset - the manual is not very
> helpful!
>
> Thanks
>
> Derek


Hello again,

I've had a look at the manual for this router, you can get it from:
http://www.wellgroups.com/wellftp/manual/asr-8000.pdf
You need to look at the section: 5.5 Virtual Server Configuration.
This is the port forwarding I was referring to. For FTP you need 4 entries
(two are required two are optional, it depends whether the router will
allow TCP and UDP on the same port) as follows:-

ID: 1,
Public port: 20, Private port 20, Select: TCP, Host: 'FTP server IP'

ID: 2,
Public port: 21, Private port 21, Select: TCP, Host: 'FTP server IP'

If router allows:-

ID: 3,
Public port: 20, Private port 20, Select: UDP, Host: 'FTP server IP'

ID: 4,
Public port: 21, Private port 21, Select: UDP, Host: 'FTP server IP'

You obviously need to get your internal FTP server working as well.
This FTP server is the IP address you need in the above config lines.


BTW There seems to be a lot of info about a security loophole in this
router: http://www.securitytracker.com/alert...t/1007965.html
There may be a firmware updrade to fix this.

Graham

"Graham" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) s.com...
> On Fri, 05 Dec 2003 09:43:23 +0000, Derek.T wrote:
>
>
> > Hi Graham,
> >
> > I Have a Origo ASR-8100 Conexant Chipset - the manual is not very
> > helpful!
> >
> > Thanks
> >
> > Derek
>
>
> Hello again,
>
> I've had a look at the manual for this router, you can get it from:
> http://www.wellgroups.com/wellftp/manual/asr-8000.pdf
> You need to look at the section: 5.5 Virtual Server Configuration.
> This is the port forwarding I was referring to. For FTP you need 4 entries
> (two are required two are optional, it depends whether the router will
> allow TCP and UDP on the same port) as follows:-
>
> ID: 1,
> Public port: 20, Private port 20, Select: TCP, Host: 'FTP server IP'
>
> ID: 2,
> Public port: 21, Private port 21, Select: TCP, Host: 'FTP server IP'
>
> If router allows:-
>
> ID: 3,
> Public port: 20, Private port 20, Select: UDP, Host: 'FTP server IP'
>
> ID: 4,
> Public port: 21, Private port 21, Select: UDP, Host: 'FTP server IP'
>
> You obviously need to get your internal FTP server working as well.
> This FTP server is the IP address you need in the above config lines.
>
>
> BTW There seems to be a lot of info about a security loophole in this
> router: http://www.securitytracker.com/alert...t/1007965.html
> There may be a firmware updrade to fix this.
>
> Graham
>

Thanks Graham thats excellent...

Regards

Derek