FTP Server on non standard port

Hi.

The problem is known ...

PC1 (Client) / Router 1 ------ Router 2 / PC 2 (Server)

The server is listening on a non-standard port (e.g. 20021), since port 21 is already occupied.

Neither active, nor passive transfer is working for well known reasons. Can I configure SmartFTP as client somehow in order to make this work?

Thanks.

Hi, the right way is to limit the range of pasv ports on the server and open those ports on the router.
You also can try at Settings->Connection->Force Server IP for PASV mode.


Hi, the right way is to limit the range of pasv ports on the server and open those ports on the router.
You also can try at Settings->Connection->Force Server IP for PASV mode.
1. I understand why it makes sense to limit the number of ports with PASV.
2. I don't understand what "Force Server IP for PASV mode" does. Also ... I didn't find any documentation on the SmartFTP about this.

Could you give me some reference where I could find explanations about this option.

Thanks,


2. I don't understand what "Force Server IP for PASV mode" does. Also ... I didn't find any documentation on the SmartFTP about this.
This option ensures that the PASV IP reported by the server matches the server IP you've connected to. It's basically a work-around for servers behind routers that accidentally (due to wrong configuration) report their internal IP in the PASV command.

Hi.

Coming back to point 1. above, I tried to limit the number of ports to 3 (50997-50999) for testing purposes. However ... when logging into a local server (PASV mode), I noticed that the client used port 2047 and the server 1067.

I expected 50997/8/9 as one of the data ports.

Why is that?

... later ...

I spent quite a lot of time in order to find a solution for this. Basically, as far as I understood the principle ... I must limit the number of ports used by the client in PASV (e.g.). The router of the server must have these 3 ports open and pointed to the ftp server. Is this correct?

How many ports should I open (3 in my example)?

This should always work (at least, I don't see what can go wrong while doing so).

Thanks.


Coming back to point 1. above, I tried to limit the number of ports to 3 (50997-50999) for testing purposes. However ... when logging into a local server (PASV mode), I noticed that the client used port 2047 and the server 1067.
It's the other way around: In PASV mode, the server tells the client which IP and port it should connect to. So you have to limit the port range on the server side (to limit the ports the server can choose from, that it later sends to the client) and do port forwarding on the server side in PASV mode.

If there is no such port forwarding on the server side, you can only connect in PORT mode to the server. And then you'll need port range limiting and forwarding on the client side as you describe.

So in short: Just connect using PORT / active mode, and it should work.

...
If there is no such port forwarding on the server side, you can only connect in PORT mode to the server. And then you'll need port range limiting and forwarding on the client side as you describe.
...
Oops ... a misunderstanding. After your posting I dug deeper into the vsftpd man page. You were right!

pasv_min_port=20000
pasv_max_port=20100

This did the job! Thanks a lot!!!

However, I have a last question. How many ports should I use? In my example, I use a range of 100 ports. Is this sufficient? Can I use just (e.g.) 2 ports?

Thanks,


However, I have a last question. How many ports should I use? In my example, I use a range of 100 ports. Is this sufficient? Can I use just (e.g.) 2 ports?
In fact a single port should be enough. However, I would stick with the 100 ports as other applications might use ports in that range, too, so it's a good idea to give the server at least a few ports to choose from so no conflicts occur.


In fact a single port should be enough. However, I would stick with the 100 ports as other applications might use ports in that range, too, so it's a good idea to give the server at least a few ports to choose from so no conflicts occur.
Thanks a lot !

Something unexpected happened right now.

I configured vsftpd with:
pasv_min_port=20900
pasv_max_port=20999

These 9 ports are also redirected on the server side!

However ... I discovered that I can get into the server using PORT (active transfer), but NOT with PASV (passive transfer). How is that possible? To my understanding, when configuring vsftpd with pasv_min/max_port, it means that the server communicates to the client the ports it should use to initiate the data transfer (PASV).

No clue why PASV doesn't work !
Worse ... I have also no clue why PORT works !!!

Any explanation would be greatly welcomed!

Thanks.


These 9 ports are also redirected on the server side!
You mean 99 ports, I guess ...

We need logs, logs, logs in order to help, for God's sake! ;-) That is SmartFTP logs from both PORT and PASV tries, not vsftpd logs ...


[15:24:52] UPNP: Added port mapping: Router: 2343 -> 192.168.0.2:2343
[15:24:52] UPNP: GetExternalIPAddress returned: "158.64.124.39"
[15:24:52] PORT 158,64,124,39,9,39
[15:24:53] 200 PORT command successful. Consider using PASV.
Here's the answer to your first question: PORT mode works because your friend has a router that supports UPNP, which allows SmartFTP to dynamically configure port forwarding on the client side.


[15:25:10] PASV
[15:25:10] 227 Entering Passive Mode (192,168,1,50,199,55)
Here's the answer to your second question: PASV does not work because you have configured your server (vsftpd in your case) to return the private LAN IP of your server, not its Internet WAN IP. This is kind of tricky to fix as you're running the server on a dynamic IP. Usually, you would need to enter the IP which "golfhotel.dyndns.info" resolves to as the "pasv_address" in your "vsftpd.conf". However, as your IP may change, you would need to write a cron-job that resolves "golfhotel.dyndns.info" for you, writes the IP to "vsftpd.conf", and restarts the server if the IP changed compared to the last resolve attempt. That was until recently. Luckily, the new vsftpd 2.0.4 adds a "pasv_address_resolve" option, which you need to set to "YES". Then just specify your hostname ("golfhotel.dyndns.info") instead of the IP for "pasv_address" and you're set.


Here's the answer to your first question: PORT mode works because your friend has a router that supports UPNP, which allows SmartFTP to dynamically configure port forwarding on the client side.
Ok, that explains it indeed.


Here's the answer to your second question: PASV does not work because you have configured your server (vsftpd in your case) to return the private LAN IP of your server, not its Internet WAN IP. This is kind of tricky to fix as you're running the server on a dynamic IP. Usually, you would need to enter the IP which "golfhotel.dyndns.info" resolves to as the "pasv_address" in your "vsftpd.conf".
That's what I did (for testing purposes), and it worked!


However, as your IP may change, you would need to write a cron-job that resolves "golfhotel.dyndns.info" for you, writes the IP to "vsftpd.conf", and restarts the server if the IP changed compared to the last resolve attempt. That was until recently. Luckily, the new vsftpd 2.0.4 adds a "pasv_address_resolve" option, which you need to set to "YES". Then just specify your hostname ("golfhotel.dyndns.info") instead of the IP for "pasv_address" and you're set.
I just checked it up. I have 2.0.3. Gonna have to update!

Thanks a lot for your explanations!


...
Here's the answer to your second question: PASV does not work because you have configured your server (vsftpd in your case) to return the private LAN IP of your server, not its Internet WAN IP. This is kind of tricky to fix as you're running the server on a dynamic IP. Usually, you would need to enter the IP which "golfhotel.dyndns.info" resolves to as the "pasv_address" in your "vsftpd.conf". However, as your IP may change, you would need to write a cron-job that resolves "golfhotel.dyndns.info" for you, writes the IP to "vsftpd.conf", and restarts the server if the IP changed compared to the last resolve attempt. That was until recently. Luckily, the new vsftpd 2.0.4 adds a "pasv_address_resolve" option, which you need to set to "YES". Then just specify your hostname ("golfhotel.dyndns.info") instead of the IP for "pasv_address" and you're set.
Is it correct, that the SmartFTP option "Use Server IP for PASV Mode" compensates for the missing WAN IP, not sent by the vsftpd server?

Thanks,

That's what it should do, yes. If SmartFTP finds a private network IP in the PASV command, it ignores this IP and uses the IP that was used to connect to the server instead if this option is checked.


That's what it should do, yes. If SmartFTP finds a private network IP in the PASV command, it ignores this IP and uses the IP that was used to connect to the server instead if this option is checked.
Ok. Thanks again!