Ftp configuration

  • [/code]

  • with filezilla i can write to directory locally.


    So all this time was a client problem....just curious which was the client?


    but still there is a problem with wan connection.


    You mention you fix that buying a static ip from your ISP, so you can technically access from outside your network right? you can test this with smartphone using the carrier data.


    Now what your asking apparently is connecting in LAN using the WAN ip, that's a function on the router is called nat reflection, nat loopback, etc. Some routers don't even have that have that option.

  • Now let me clear up.
    I can log in locally with ftp and read files , with filezilla i can read and write, thanks to you.
    But when i try to access with my carrier connection to my wan ip , i can log in my router's web ui; but no connection at all about ftp. It errors about connectiob time failure.
    I hope i could explain my situation :/

  • Basically, you cannot use the same instance of FTP server and access it via two different IP addresses. You should have 2 instances of the FTP server, one configured to be used on the LAN and one on the WAN. I'm going to deconstruct the FTP protocol, so that you understand how things work.


    Objective: connect to the FTP server from the Internet (WAN IP)
    Steps:

    • get a more or less fixed IP address for the internet connection (either a static IP or a hostname that is updated whenever the IP changes - noip, dyndns etc.)
    • configure the router with port forwarding rules for the FTP command port (21) and the FTP transfer ports (a range of ports >1024 and <65535)
    • configure the FTP server to use that WAN IP and port range when communicating to clients.

    Now for a bit of theory: the FTP command protocol is the one which exchanges messages about source and destination IPs and ports, in order to prepare and establish the TCP connections to transfer the binary data of files. One of the peers is the "active" one, meaning it can open a TCP port in listening state and expect an incoming connection request, while the other peer is the "passive" one and will initiate the connection towards the "active" peer. The connection needs at least one of the peers to be "active", thus reachable through any routers and firewalls, and that's why you do the router configuration to ensure that anyone else, active or passive, can connect to your FTP.


    Here's how the communication between the Server (active) and Client (passive) occurs:
    Client tells the Server: I want to send/receive a file.
    Server responds: Ok, I have opened a socket on IP:port, please connect.
    Client connects to specified IP:port and transfers the data.


    So, as part of the protocol, the FTP server communicates not only the (random) port on which it is listening for connections, but also the IP address to which the client must connect to. For a FTP server configured to be accessed from the Internet through a router, the FTP server will annouce the WAN IP in this message, and never the LAN IP (which would be not routable and the remote client would not be able to connect to it), although the server's machine is operating on a LAN IP itself. It is the configuration of the FTP instance which instructs the FTP server to advertise the WAN IP.


    This will work for a client on the Internet: it gets a routable IP address and a port, it will connect to it and end up on a router, the router will forward the connection to the LAN IP where the server is, and the transfer will proceed.


    However, a client on the LAN side will also receive a message to connect to the WAN IP and port, instead of being told to use directly the LAN IP. The FTP server can't differentiate between LAN and WAN clients to send different messages, so it always sends the same IP address, as instructed in its configuration.


    So what happens then with the LAN client? It attempts to initiate a TCP connection to the routable IP address on the WAN side. The operating system identifies that the desired target is outside the local subnet, so it forwards the connection request to the default gateway - the router. The router performs Network Address Translation on the connection and forwards it to the Internet interface, but the target is actually its own WAN port. The router then identifies that this connection needs to be forwarded back through the Port Forwarding rule to a LAN IP address, and this is where things usually stop. In routers there's commonly a built-in security mechanism to prevent spoofing of source IP addresses in packets received on the WAN port, so that malicious people don't attack internal servers by making the packets appear as being originated from another LAN client.


    And this is why the connection from LAN will not work to the same FTP server instance which is otherwise accessible from the Internet.


    The solution for this is to have 2 instances of the FTP server running, with 2 separate network configurations: one for LAN clients, configured to work on one port and advertise its LAN IP and its own range of active ports (which don't need to be forwarded in the router), and another instance for WAN clients, configured with another port, advertising the WAN IP and another range of active ports which match the Port Forwarding rules in the router.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!