FTP Server behind NAT with dynamic IP, Directory Listing Fails [Answered]

4 replies

Last post Oct 01, 2019 06:10 PM by OleBerg

  • FTP Server behind NAT with dynamic IP, Directory Listing Fails

    Sep 30, 2019 12:33 PM | OleBerg

    Hi

    I have a Windows Server 2016 located behind an external NAT (Asus router RT-AC88U with Merlin FW). The external IP is dynamic and I use DYNDNS to link it to my domain. The Server 2016 provides AD and DNS on the LAN and is used to manage a very limited number of users, both local and external, and to give access to documents and other types of data.

    I am in the process of implementing a new web site, or rather portal, VPN access and an FTP server. I first set up the FTP server with no encryption, just plain FTP, with access through a defined external port which was forwarded to 21 on the server. This works well both from the LAN and from the WAN. Then I introduced the requirement for SSL. I would think that this is a common scenario, to establish an FTP server behind a NAT with a dynamic IP, but after several days of searching on the internet I cannot find any good tutorial or guide to set this up! Please excuse me if this is "motherhood", but I simply cannot find a solution for it!

    I have, rightly or wrongly, understood that:

    1. Using passive mode will not work since there is no way for the server to send the dynamic IP information to the client?
    2. Using active mode requires a number of ports being open into the client for data transfer, posing a potential security risk, but will work if configured properly and if the client is able to determine its external IP and use that in the PORT command.

    For the FTP over TLS I am using active mode and my client is able to log on and to request the directory listing as a binary mode data connection. I am using FileZilla as the client. FileZilla can determine the client's external IP address dynamically and use that in the PORT command when in active mode. There are no ports closed by my ISP as far as I know. I have also tried with all firewalls wide open, without that helping.

    From my LAN using passive mode:

    14:04:29 Status: Connecting to 192.168.111.36:21...
    14:04:29 Status: Connection established, waiting for welcome message...
    14:04:29 Status: Initializing TLS...
    14:04:29 Status: Verifying certificate...
    14:04:32 Status: TLS connection established.
    14:04:32 Status: Logged in
    14:04:32 Status: Retrieving directory listing...
    14:04:32 Status: Directory listing of "/" successful

    From an external machine on WAN using active mode:

    14:09:29 Status: Resolving address of www.xxx.com
    14:09:30 Status: Connecting to 85.165.yyy.z.:5028...
    14:09:30 Status: Connection established, waiting for welcome message...
    14:09:31 Status: Initializing TLS...
    14:09:31 Status: Verifying certificate...
    14:09:31 Status: TLS connection established.
    14:09:31 Status: Logged in
    14:09:31 Status: Retrieving directory listing...
    14:09:51 Command: PWD
    14:09:51 Response: 257 "/" is current directory.
    14:09:51 Command: TYPE I
    14:09:51 Response: 200 Type set to I.
    14:09:51 Command: PORT 77,16,48,114,23,240   (where 77.16.48.114 is my current, correct client IP and the port used is 6128, which is open)
    14:09:51 Response: 200 PORT command successful.
    14:09:51 Command: LIST
    14:09:51 Response: 150 Opening BINARY mode data connection.
    14:09:51 Error: Connection timed out after 20 seconds of inactivity
    14:09:51 Error: Failed to retrieve directory listing

    I would be very happy for some suggestions on what to try or for a reference to tutorials on the matter. The data itself is not very sensitive, so I could live with a non-encrypted transmission of the data. The login credentials I would however prefer to be encrypted, or to use an authorization method based on certificates or an authenticator app etc. I do not however know how to set that up.

    I guess I will run into the same problems when setting up an HTTPS site, so I really would like to understand these issues properly.
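The PORT line in the log above carries the client's address and data port as six comma-separated numbers (port = fifth * 256 + sixth, so 23,240 is 6128), and a server's PASV reply uses the same encoding. The following PowerShell is an added example, not code from the thread, that decodes such lines from a FileZilla log and flags the two things worth checking in this setup: a private (LAN) address being advertised to a WAN client, and a passive data port that falls outside the range forwarded on the router. The log excerpt and the forwarded range 6000-7000 are constructed for the example.

```powershell
# Added example: decode PORT/PASV host-port tuples from a FileZilla log and
# report addresses and ports that would make the data connection fail.
# The log text below is constructed; it is not the thread's real log.

$constructedLog = @'
14:09:51 Command: PORT 77,16,48,114,23,240
14:09:51 Response: 200 PORT command successful.
14:10:02 Response: 227 Entering Passive Mode (192,168,111,36,240,0).
14:10:40 Response: 227 Entering Passive Mode (85,165,10,20,27,16).
'@

# Port range forwarded on the router for passive data connections (assumed).
$ForwardLow  = 6000
$ForwardHigh = 7000

function Test-PrivateIPv4 {
    # True for RFC 1918 addresses: 10/8, 172.16/12, 192.168/16
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function ConvertFrom-FtpHostPort {
    # Turns "h1,h2,h3,h4,p1,p2" into an object with Ip and Port (port = p1*256 + p2).
    param([string]$Tuple)
    $n = $Tuple.Split(',') | ForEach-Object { [int]$_.Trim() }
    if ($n.Count -ne 6) { throw "Not a host-port tuple: $Tuple" }
    [pscustomobject]@{
        Ip   = ($n[0..3] -join '.')
        Port = $n[4] * 256 + $n[5]
    }
}

function Get-FtpDataChannelReport {
    # One row per PORT command or 227 PASV reply, with diagnostic notes.
    param([string]$LogText, [int]$Low, [int]$High)
    foreach ($line in ($LogText -split "`r?`n")) {
        $side = $null; $tuple = $null
        if ($line -match 'Command: PORT\s+([\d,]+)') {
            $side = 'client (active, PORT)'; $tuple = $Matches[1]
        } elseif ($line -match 'Response: 227 .*\(([\d,]+)\)') {
            $side = 'server (passive, PASV)'; $tuple = $Matches[1]
        } else { continue }

        $hp    = ConvertFrom-FtpHostPort $tuple
        $notes = @()
        if (Test-PrivateIPv4 $hp.Ip) {
            $notes += 'private address advertised; a WAN peer cannot reach it unless the client substitutes the control-connection address'
        }
        if ($side -like 'server*' -and ($hp.Port -lt $Low -or $hp.Port -gt $High)) {
            $notes += "port outside forwarded range $Low-$High"
        }
        [pscustomobject]@{
            Side  = $side
            Ip    = $hp.Ip
            Port  = $hp.Port
            Notes = ($notes -join '; ')
        }
    }
}

Get-FtpDataChannelReport -LogText $constructedLog -Low $ForwardLow -High $ForwardHigh |
    Format-Table -AutoSize
```

On the constructed input the PORT line decodes to 77.16.48.114:6128 with no notes, the first PASV reply decodes to 192.168.111.36:61440 and is flagged both as a private address and as a port outside 6000-7000 (the situation reported later in this thread), and the second decodes to a public address on port 6928 with no notes. To use it on a real FileZilla log, paste the log into `$constructedLog` and set the forwarded range to whatever the router actually forwards.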

  • Re: FTP Server behind NAT with dynamic IP, Directory Listing Fails

    Oct 01, 2019 03:29 AM | lextm

    IIS FTP sends back "External IP Address of Firewall" to clients in passive mode, so the clients can initialize the right connections:

    https://docs.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7

    However, the IIS configuration system assumes that value never changes, which is the cause of the problem here.

    If you cannot get a static IP address, you have to build your own way to modify that IIS setting whenever the external IP address changes.

    Many FTP clients are smart enough to guess the right IP address to use. So you should be able to force them to use the right clients.

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: FTP Server behind NAT with dynamic IP, Directory Listing Fails

    Oct 01, 2019 11:20 AM | OleBerg

    Thank You for taking the time to answer.

    I have learned that my server does not request data in the port range as specified in the FTP Firewall Support window. I had specified a port range of 6000:7000, but when debugging on the client I found that the server specifies a port 61440. When I changed the forward range in the router to 60000:65000 the passive mode FTP worked fine. (FileZilla has the capability, as you mention, to revert to the server's external IP address if the received address is an internal one, which is working in my case.)

    Am I misunderstanding how the port range in the FTP Firewall Support window is working? Is this not telling the server to use ports in this range? If not, how is that done?

    You mention that I have to build my own way to modify that IIS setting whenever the external IP address changes. How can I do that?

    Regards

    Ole Berg

  • Re: FTP Server behind NAT with dynamic IP, Directory Listing Fails

    Oct 01, 2019 02:04 PM | lextm

    OleBerg

    I had specified a port range of 6000:7000 but when debugging on the client i found that the server specifies a port 61440.

    That means you didn't restart the FTP service after changing that setting.

    Lex Li
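Lex's two points, that the "External IP Address of Firewall" has to be updated by your own means whenever the dynamic address changes and that the FTP service must be restarted before it picks up a new data channel port range, can be combined into one scheduled script. The following PowerShell is an added example written for this thread, not Microsoft's code and not a script either poster provided. It uses the WebAdministration module and the configuration sections documented on the linked Microsoft page: the server-wide `system.ftpServer/firewallSupport` section for `lowDataChannelPort`/`highDataChannelPort`, and the per-site `ftpServer/firewallSupport` element for `externalIp4Address`. The site name `Default FTP Site`, the DynDNS host name `ftp.example.invalid` and the range 6000-7000 are placeholders.

```powershell
# Added example: keep IIS FTP firewall support in step with a dynamic external
# address.  Resolves the DynDNS name the server publishes, compares it with the
# address IIS advertises in PASV replies, applies the data channel port range,
# and restarts the Microsoft FTP Service only if something actually changed.
# Run from an elevated PowerShell on the IIS host; all names below are placeholders.

Import-Module WebAdministration

$SiteName     = 'Default FTP Site'     # assumption: name of the FTP site in IIS
$DynDnsName   = 'ftp.example.invalid'  # placeholder for the DYNDNS host name
$LowDataPort  = 6000                   # must match the range forwarded on the router
$HighDataPort = 7000
$AppHost      = 'MACHINE/WEBROOT/APPHOST'
$RangeFilter  = 'system.ftpServer/firewallSupport'
$SiteFilter   = "system.applicationHost/sites/site[@name='$SiteName']/ftpServer/firewallSupport"

function Get-PublishedExternalIp {
    # The IPv4 address the DynDNS record currently points at.
    # A cached DNS answer can lag a change by up to the record's TTL.
    param([string]$HostName)
    $a = [System.Net.Dns]::GetHostAddresses($HostName) |
         Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
         Select-Object -First 1
    if (-not $a) { throw "No IPv4 address published for $HostName" }
    return $a.IPAddressToString
}

function Get-ConfiguredExternalIp {
    # The address IIS currently advertises in PASV replies for this site.
    $raw = Get-WebConfigurationProperty -PSPath $AppHost -Filter $SiteFilter -Name externalIp4Address
    if ($raw -is [string]) { return $raw }
    return [string]$raw.Value
}

function Sync-FtpFirewallSupport {
    # Applies the desired port range and external address; returns $true when
    # anything was changed (and therefore the FTP service was restarted).
    $changed = $false

    # 1. Data channel port range (server-wide).
    $range = Get-WebConfiguration -PSPath $AppHost -Filter $RangeFilter
    if ([int]$range.lowDataChannelPort -ne $LowDataPort -or
        [int]$range.highDataChannelPort -ne $HighDataPort) {
        Set-WebConfigurationProperty -PSPath $AppHost -Filter $RangeFilter -Name lowDataChannelPort  -Value $LowDataPort
        Set-WebConfigurationProperty -PSPath $AppHost -Filter $RangeFilter -Name highDataChannelPort -Value $HighDataPort
        Write-Host "data channel port range set to $LowDataPort-$HighDataPort"
        $changed = $true
    }

    # 2. External IP address of the firewall (per site).
    $published  = Get-PublishedExternalIp -HostName $DynDnsName
    $configured = Get-ConfiguredExternalIp
    if ($published -ne $configured) {
        Set-WebConfigurationProperty -PSPath $AppHost -Filter $SiteFilter -Name externalIp4Address -Value $published
        Write-Host "externalIp4Address changed: '$configured' -> '$published'"
        $changed = $true
    }

    # 3. The FTP service reads these settings at start-up, so restart it when needed.
    #    Restarting drops any sessions in progress, so schedule this accordingly.
    if ($changed) {
        Restart-Service -Name ftpsvc   # Microsoft FTP Service
    } else {
        Write-Host "settings already current; no restart"
    }
    return $changed
}

Sync-FtpFirewallSupport | Out-Null
```

Run it from Task Scheduler at the interval your DynDNS client updates, and after each run compare the PASV reply a WAN client receives with the range forwarded on the router; a reply still carrying a port above the range means the service was not restarted after the change, which is the symptom seen earlier in this thread.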
  • Re: FTP Server behind NAT with dynamic IP, Directory Listing Fails

    Oct 01, 2019 06:10 PM | OleBerg

    lextm

    That means you didn't restart the FTP service after changing that setting.

    I think I did restart IIS and the FTP server specifically. However, I did a restart now of the entire server (needed to apply some updates as well) and tried to connect from a different machine, and now the port was just above 60000. Seems to be working OK.

    Thank you Lex. I will give you the credit as you did put me on the right track!

    Regards, Ole Berg