Home FTP access from outside the LAN...

Hey all quick question, to see if anybody has any ideas. In all reality my problem could be Comcast not allowing me to access my server via the internet.

Anyway I have debian setup as a file server on an old laptop. I also configured [FONT=arial, sans-serif]vsftp in attempt to manage my files remotely. I forwarded ports 20 and 21 from my router to the Linux box's private IP address. When accessing my debian server via FTP locally everything works fine. But when trying to access it from a cellular connection via the Routers public IP address, it will not allow me to connect.

Anybody have any ideas?[/FONT]

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

CloudKill9

Have you checked your logs to see if it is hitting the firewall/router?

ptilsen

I am not aware of Comcast blocking FTP, although it is possible and would not shock me. In any event, it seems more likely you are encountering a NAT transversal issue. There are some considerations for properly configuring your server, NAT router, or both. The Wikipedia article gets into some of the details, but it will come down to either a router-side change or a server-side change.

File Transfer Protocol - Wikipedia, the free encyclopedia

Asif Dasl

If you are being blocked, you could sign up for an Amazon Web Services server (which is free for a year) or sign up for a cheap linux VPS (virtual private server) and do an SSH tunnel to your static IP or DynDNS address. Or like ptilsen said you could change the FTP port numbers which might work also.

CodeBlox

Yeah, try changing the ports. Here is a good test to determine if it's an issue on your LAN or somewhere within the ISPs network: Initiate your ftp session internally but use the public address on your router to connect to the server. This would ensure that the NAT and port forwarding are working properly, would seem that way to me anyways.

I access a linux box at home from work via ssh and it works like a charm.

Qord

On your router, are you sure you enabled the port-forwarding? On my router, you can add line items to the forwarding list and not actually enable them. Confused the hell out of me when I "learned" this the hard way. After creating the rule, I had to go back and enable it.

zachkenemer

It could be a NAT issue; however, if you are using a hostname or DDNS service like DynDNS, make sure the DNS records are updated accordingly, if not then you might have to install a client updater for the specific service (if they offer it and if your using DNS).

This could depend on your home router as well. I have a D-Link 825 and I find the Virtual Server section to be easier to use, rather than port forwarding, but accomplishes the same thing.

If your using a cell signal, make sure you can ping your external IP address from an External source. If that is successful, you can try changing the ports like everyone else said, if Comcast is blocking those ports this will succeed.

I'm not sure about the debian config here, as I am more red hat, fedora. make sure to restart the vsftpd service after changing configs.

CodeBlox

I have that exact same wireless device Zach

discount81

I find these modem routers that isps give are usually not the greatest and sometimes have options locked, mine had the option to create a DMZ which basically forwards everything to my DMZ subnet and I put my own firewall in front of that so I can vpn home without any issues, I'd suggest doing the same if you can

paul78

When you say that you cannot connect - what do you mean? If you try to just telnet to your IP on port 21 - are you not getting a FTP connect?

One of the details that a lot of people confuse about FTP is how the FTP data port works - I.e. TCP port 20. In active mode FTP (the default on most FTP clients), the FTP server doesn't listen on port 20 - it sources connections from port 20. If you want to have your FTP client make the data connection to your FTP server - then you need to use passive mode FTP. However, you will need a firewall that is capable of proxy-ing FTP - otherwise you will have to bind the specific port that you want to use as your data port in your FTP server configuration.

Whiteout

Hey all, thanks for the ideas! Been at work all day so going to start doing some troubleshooting with all your advice.

Oh and I just have a cheapo Linksys router, but have upgraded the firmware to DD-WRT.

gorebrush

Surely if you are using a Debian machine, you could just forward port 22 out to it and use SSH?

This is more secure and a bit easier than having to worry about PASV FTP. You also have the added benefit of tunneling things from your remote machine back to home. For example, I use WOL to wake up my desktop when I am at work. I then tunnel a random port number, say 9000 to my desktop's IP (10.1.3.4 for example) thus I can then open Windows RDP and go to localhost:9000

I can then be at my home connection. It is most useful. I've got an arseload of port mappings to all sorts of things.

For example, I also have port 22 mapped to my Debian server, so I can fire up WinSCP, point it to localhost:22 and then manage the server over SCP (through an SSH tunnel) All nice and secure.

jibbajabba

Active FTP is usually a deal breaker when going through a firewall / router as it is using random ports (>1023)

For example

ftp: setsockopt (ignored): Permission denied
PORT 10,10,16,80,12,172

Above would calculate to a port of 3244 .... basically impossible to open those specific ports.

I agree though - you got Debian ? Use SFTP instead (FTP over SSH) and simply open port 22...

Or of course change the client and server to use passive FTP instead and just open 20/21.

networkjutsu

AFAIK, Comcast is not blocking anything. At least in my area, they do not block any ports that I open. I use Filezilla FTP at home and using FTPS. paul78 is right about the active and passive mode. IIRC, traversing NAT is passive mode. Since I use FTPS, I decided to use the regular port which is 990 then for the data stuff, I had to open about 10 or 50 ports on top of it then everything started to work. Good luck!

Whiteout

jibbajabba wrote: »

Use SFTP instead (FTP over SSH) and simply open port 22...

Gave this a shot and it worked. Maybe Comcast blocks unsecured FTP? I don't know, but i'm good to go now. Thanks all!

Zartanasaurus

Comcast isn't blocking FTP, FTP is just a tricky protocol from a network standpoint.

(Passive mode)
Client connect port 21
Server returns random port to establish 2nd (data) connection on
Client connects to 2nd port

FTP established.

So opening port 20/21 doesn't get FTP working. Opening port 20 wouldn't ever really do anything even in active mode.

So the trick is to go into the FTP server and manually specify the range of ports that FTP will use for the data connection, then allow those through the firewall. My suggestion, as was previously suggested, would be to use SFTP and skip all of those headaches.

jibbajabba

Whiteout wrote: »

Gave this a shot and it worked. Maybe Comcast blocks unsecured FTP? I don't know, but i'm good to go now. Thanks all!

Glad you got it working .. SFTP might just be a tad slower.

life980

This could be related to ACTIVE/PASSIVE mode of FTP transmission. You can try both in the FTP client to see if that resolves the issue. Also, make sure you unblock the FTP server application itself and not just the port 21 since the application will bind to other ports to create a data channel.

Turn the firewall off on the FTP client machine because I have had issues using FTP client on Windows 8.1 with firewall enabled even with the FTP client unblocked.

MrAgent

Grave digging a little bit are we?