Why not launch a sniffer in the LAN and look at a connection initiated from the outside? If you can also put a sniffer on a client (and/or on the outside interface of firewall) , then you will have even more information.
You would know where is your problem for ftp:
-> the client can not reach the data port of the server
-> in case of active ftp, the server is maybe blocked by the firewall : src port 20 (for ftp servers that are standards.. not all) to outside should be opened (to the client only) when an ftp transfer is occuring.
-> in case of passive ftp, maybe the client is blocked by your firewall not opening a port
-> the client tries to connected to your internal IP (192.168.0.1 for example) because your nat is not translating the data in the ftp packet ( the nat has to be ftp aware or worse solution: the server has to send your outside interface IP)