#1
I encountered a problem when setting up an FTP server behind MS web station MN-500. The web station is set to NAT mode and is configured properly on the port forwarding page.

Everything works fine when I configure my FTP server to listen on port 21, but as soon as I change it to some other port (>1024), there is a problem when using the LIST command under PORT mode; the client from outside can only log in and use pwd, but cannot do ls (DIR). In other words, the ftp-data socket cannot be established.

Can anyone give me a hint on what's going on? Why won't non-standard ports fully function?!

Thanks a lot.

Joseph
#2
Active mode doesn't work too well for almost all routers when using non-standard ports.

Essentially, all routers (and/or firewalls) would have issues with active mode due to the way the FTP protocol communicates. Most routers get around this by having an Application Layer Gateway (ALG) to sniff FTP connections on port 21. This is done so that the router can then redirect the communications port (randomly assigned by the server you are connecting to) back to the ftp client (i.e. you).

It would be prohibitively expensive (CPU-wise) for your router to sniff ALL ports, hence why only the standard FTP port is monitored for PORT commands.

Your best bet is to use passive mode for FTP. Of course, you'll need to make sure that your FTP server that you are connecting to is configured properly for passive mode.

--
Jason Tsang - Microsoft MVP

Find out about the MS MVP Program - http://mvp.support.microsoft.com/default.aspx
#3
> Most routers get around this by having an Application Layer Gateway (ALG) to sniff FTP connections on port 21. This is done so that the router can then redirect the communications port (randomly assigned by the server you are connecting to) back to the ftp client (i.e. you).

I am pretty sure that under active mode when establishing the ftp-data socket, the client is actually the one that is listening. So there's no reason for the router to block this connection from inside of its network. It's just a normal connection going outside. This is the part I don't understand.

> Your best bet is to use passive mode for FTP. Of course, you'll need to make sure that your FTP server that you are connecting to is configured properly for passive mode.

Yes, I tried passive mode with port forwarding, but I found out that the server would give its local IP address instead (i.e. 192.168.1.5). Therefore, when the client receives this IP there's no way it can find the route to the server (the client is outside of the NAT).

Thank you.

Joseph
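The two behaviours discussed in posts #2 and #3 (an ALG that inspects only port 21, and a passive-mode reply that carries the server's private address) can be modelled in a few lines. This is an added example, not code from any poster or from the MN-500; the public address 198.51.100.20, the alternate control port 2121 and the function names are assumptions made for illustration, and the model covers only the address rewrite, not the data-port forwarding a real ALG also sets up.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by a PORT command or a 227 (PASV) reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values: the private address is the one quoted in the thread,
# the public address and port 2121 are placeholders.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,5,195,80)"
PUBLIC_IP = "198.51.100.20"


def parse_hostport(line):
    """Return (ip, port) from 'PORT ...' or '227 ...', or None for any other line."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def is_rfc1918(ip):
    """True for addresses that are not routable from the internet side of the NAT."""
    return any(ip in net for net in RFC1918)


def alg_rewrite(line, control_port, public_ip, watched_ports=(21,)):
    """Simplified ALG: rewrite a private address only on watched control ports."""
    parsed = parse_hostport(line)
    if parsed is None or control_port not in watched_ports:
        return line  # not inspected: passes through the NAT untouched
    ip, port = parsed
    if not is_rfc1918(ip):
        return line
    fields = public_ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return HOSTPORT.sub(",".join(fields), line, count=1)


def seen_by_client(line, control_port, public_ip):
    """Return (line as the outside client receives it, whether its address is routable)."""
    out = alg_rewrite(line, control_port, public_ip)
    parsed = parse_hostport(out)
    routable = parsed is not None and not is_rfc1918(parsed[0])
    return out, routable


if __name__ == "__main__":
    for control_port in (21, 2121):
        out, routable = seen_by_client(PASV_REPLY, control_port, PUBLIC_IP)
        print(f"control port {control_port}: {out!r} routable={routable}")
```
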
#4
The router doesn't know which port to listen on (that's chosen by the ftp server). That's where the problem lies (this is under the assumption that you are connecting to an FTP server on the internet, it does not apply when you connect to an FTP server within your own LAN).

--
Jason Tsang - Microsoft MVP
#5
First, thanks for your kind reply, but... I still don't understand. Why does the router on the server side need to know which port to listen on? It's the server that is trying to connect to some other machine. Besides that, the port is actually chosen by the ftp client under active mode, so all the ftp server has to do is connect to the socket that's listening on the client's machine.

Please correct me if I am wrong.

P.S. Let's clarify the situation again: The server is behind NAT (MN-500) and the client is on the internet with a real IP address and no firewall. The problem occurs when the two machines are trying to establish the ftp-port connection.

Thank you.

Joseph
#6
You are incorrect.

See here for a description of how active and passive mode ftp work: http://slacksite.com/other/ftp.html

See step three of Active mode. The router doesn't know what port to forward back to the ftp client.

--
Jason Tsang - Microsoft MVP
#7
OK, I've re-read your first posting.

The problem lies with the FTP client (whoever is connecting to you).

Are you sure the person connecting to you isn't behind a shared connection or firewall?

--
Jason Tsang - Microsoft MVP
#8
Yes, I doubt the client is behind a firewall though I really don't know.

So was I right about the problem? Because what you meant by

> the router doesn't know what port to forward back to the ftp client.

is referring to the problem on the client side, but what I said was what happened on the server side.

Is there a way to work this out besides setting the port to 21 if the client is behind a firewall? 'Cause you will never know what kind of network the client is connecting from.

BTW, even if the server is not behind a NAT but with a non-standard port, the client will still have a problem establishing the ftp-data socket, because the NAT on the client side will not check the non-standard port as you said!

It shouldn't be that complicated, should it?

Thanks

Joseph
#9
The best thing to do (IMHO) is to either use port 21 (there are reasons why you might not want to though, understandably), or set up passive mode transfers on your ftp server.

It's too bad FTP isn't NAT friendly.

--
Jason Tsang - Microsoft MVP
#10
Thank you very much. I think we have the conclusion.

Joseph
Tags: ftp, mn500, nonstandard, port