problem with active /passive mode

ok forward 20,21, any high port range like 40000-50000
to private lan ip where vsftpd running , from your router.

and add these lines to your vsftpd.conf

pasv_min_port=40000

pasv_max_port=50000

it will work from any router ( i tried on linksys also)

I've got a Linksys router that works pretty well and does what I need it to do. The interface is a little goofy (it was actually better before Cisco bought them out), but it does do port forwarding and port range forwarding.

However, if I'm reading this document correctly, you don't need to buy a new router, yours does do port forwarding. It looks to me like you need to enter ports 21 and 20 on their own lines. It looks as if to forward, say port 21, you need to enter 21 in both boxes of the Inbound port column, enter the private IP of your server in the Private IP column, and then enter 21 in both boxesof the Private port column. Essentially you are telling the router that all inbound port 21 traffic needs to be sent to port 21 on the private IP. It looks to me like you could use the private port bit to re-route traffic to a different port. So say for example you wanted your FTP server to listen on port 73, you would enter 21 in the Inbound ports boxes and then 73 in the private port boxes and then your router would send inbound port 21 traffic to port 73.

In essence I think you were doing something like this when you put 20 in the private port box. Your router was sending port 21 traffic to port 20 on your FTP server, and since FTP is listening on 21, you weren't getting a connection. So if you set up both ports 20 and 21 on their own lines, it should work. And as ravikumar pointed out, you could also use this to forward a range of ports to support passive mode.

Alright, guys as an update I added the pasv lines to my vsftpd.conf and enabled passive mode as suggested but it didn't seem to help though. I will show you what I did later in vsftpd.conf. First of all heres a screenshot I took of my router setup page in the port forwarding section:
http://server5.theimagehosting.com/i...=snapshot2.png
As you can see I have ports 20, 21 setup on their own lines to the static IP of the server of 192.168.2.50. Also I have the passive ports setup (corresponding with my vsftpd.conf file) in there on the last line I know you can't see everything, but the ports are 50000-51000 on both the "inbound port" and on the "private port" sections. I tried setting the inbound port to 21 and the "private port" to 50000-51000 but the router just gave me an error message saying: "use of different inbound and private port ranges is not supported" So after getting this error I looked at my routers manual and it says (in the port forwarding section):
So does this mean im basically screwed with port forwarding?
Again heres the part of my vsftpd.conf file that I changed:
I tried setting the address to my WAN IP (as reported by ipchicken.com) to the pasv_address section in my vsftpd.conf file, but it just made my connection attempts hang until active mode was selected from the ftp client then and only then would the ftp server work on the LAN. So I changed the pasv_address to my LAN IP of 192.168.2.50, which is the static IP of the server. After doing this from a ftp client I can connect in both active and passive mode succesfully again from a client computer or from the server but only in my LAN still not outside my LAN! :mad:

As a side note I also tried with pasv_enable set to NO, I then went in my router setup I put ports 20 and 21 on their own lines as suggested and still got the same socket error when trying to connect from my internet IP. Heres the error that comes in the ftp client log file no matter what I do when it comes to connecting from my internet IP address and again everything works great from inside my LAN.

Trying to connect from outside LAN:
from inside LAN:
Out of pure desperation I placed my server outside the NAT Firewall and still I can't connect from outside my LAN! I have no firewall, I seem to have all the ports forwarded, heck I even had my server outside of the NAT firewall but still same problem!:mad:
Im just about at my wits end this is driving me insane!

EDIT: do I need to do something with my WAN IP in /etc/hosts???????

That makes absolutely no sense, but if it is true, this router won't do the trick for you. I'd be real tempted to contact the manufacturer and ask them what they mean by this. The config page for the router also contradicts this statement.

Speaking of the config page, it looks to me like it is set up correctly.

To be honest, I don't know why this isn't working now. You shouldn't need any modificaiton to your hosts file. About the only other thing I can suggest is to run something like Ethereal on the FTP server to see if the packets are even getting there or if the router is causing a problem. One other thing: are you sure that your domain name is pointing to the correct IP address? It also might be worthwhile trying to set up something like ssh (which only needs port 22) for forwarding from the router to the server to see if something besides ftp works. If that doesn't work either, then your router is probably causing the problem.

I installed ethereal from source, compiled it, etc, then I ran it and monitored the traffic for eth0 then I had a client PC (in this case 192.168.2.100) try and connect to my server from my net IP with tethereal open. Heres my log of it:
So I got a ARP connection (whatever that is) and apparently it doesn't know what 192.168.2.1 is (its my routers IP) exactly what does this mean in english?
I also just noticed on the first page of my routers setup it says under "internet settings" that my WAN IP is 192.168.0.3 and my default gateway is 192.168.0.1 under "internet settings". This gateway is different than my LANS gateway which is 192.168.2.1, since thats my routers IP address, although im not sure if any of that matters. Do I need to enter my apparent WAN IP of 192.168.0.3 somewhere in vsftpd.conf?

So since apparently "it" doesn't know what 192.168.2.1 is, do I need to add a line somewhere in my vsftpd.conf file telling vsftpd about 192.168.2.1 somehow? or any other ideas as to what the possible problem may be?


Hangdog42, what exactly did you mean by this? Remember im still fairly new at this......
If your talking about my servers static IP address that I set im quite sure those settings are correct, the net works fine on the server and so does the static IP. I configured the static IP of the server with netconfig if it matters.

If all else fails I will call Belkin tech support and ask them about this router and port forwarding..... if this log file doesn't give any obvious clues to the source of the problem that is.....:confused:

EDIT: At any rate thanks for letting me know about this cool program:D

I know you said that you're connected to the internet by a cable modem connected to a router, but is there anything else between your router and the cable modem? Also who is your ISP? The reason I'm asking is that the 192.168.x.x series of IP address are non-routable. In other words, that block is used only within a LAN and have no meaning outside of a LAN. So this means either something is really goofed up about your WAN IP or your ISP is using non-routable IP addresses internally (essentially all their customers are on their LAN) in which case you are completely screwed for hosting any kind of a server.

Your ethereal logs show that your FTP server is definitely NOT seeing the FTP traffic. For comparison, connect to the server through your LAN and you'll see a lot more traffic. ARP packets occur all the time on home networks and that message is just the computer at 192.168.2.100 looking for the router. Odds are it already knows what IP address the router has, it is just checking for changes. I see a lot of this sort of stuff if I leave ethereal running on my LAN and it doesn't seem to cause any trouble.

In your earlier post you had this:

Looking up XXX.XXX.XXX.XXX
Trying XXXXXXXXXXXXX.mydomain.com:21
Connected to XXX.XXX.XXX.XXX:21
Error: Could not read from socket: Connection reset by peer
Disconnecting from site XXX.XXX.XXX.XXX

And I assumed that you had a domain name (the mydomain.com bit). Now I use a no-ip.com domain name for my server and I have to tell no-ip.com what WAN IP address I am using so they can route requests to my domain to my IP address. If I screw that up and give no-ip.com the wrong IP address, then traffic trying to connect using my domain name won't be able to. So I was essentially asking if you were using a domain name and were you sure that the domain name was associated with your WAN IP address. If you're not using a domain name, then this question is moot. And given what you posted about your WAN IP address, this could be the least of the problems.

Ok I found a solution, well sort of.... just so you know I have two houses at one of my houses I have a direcway satellite internet connection(sucks btw) and at my other house I have a comcast cable internet connection. The wan IP I gave you is reported by my satellite connection, so obviously then that connection is terrible for any hosting(the only reason I have satellite at that house is because they don't run cable out there). At my other house with the comcast cable connection, I have a routable WAN IP that doesn't start with 192.168.XXX.XXX. I setup the WAN IP in my vsftpd.conf file at the house with the cable connection and guess what it actually worked! So in short I guess I will only be able to do hosting from the comcast connection.... thanks for your help.

Congrats on getting a server up and running! I didn't know that sattelite used non-routable addresses, but at least you have a solution.

yeah now I just need to set a firewall..... I think i'll try firestarter as you suggested.....
BTW boy does it feel good to finally have this problem sorted:D

You definitely need a firewall, but if you are going to leave this server exposed to the internet, you need to go a bit farther. I would defnitely install a file integrity checker like Aide, Tripwire or Samhain and I would seriously consider installing an IDS like Snort. Once you get a server up and running it is usually pretty tempting to start adding services like a web server or a ssh server, and I know from my logs that people take a rip at my machine on a daily basis. Believe me, you'll want to know if they succeed.