FTP server running on Port 2000 over NAT not working on Passive Mode

Problem description

I am running a FileZilla FTP server on Windows on one of the LAN PCs connected to my router. I am trying to access the FTP server from the network outside of the router using the router WAN IP (WAN-to-LAN) by adding a port-forwarding rule (NAT) in the router. I have 2 cases here as per the configurations below. The 1st is working and the 2nd is not (in Passive mode).

Note: I have added the custom inbound rule in the Windows 7 firewall where the FTP server is running.

Configuration #1

Filezilla FTP server port: 21
Passive port range: 50000-51000

NAT - external port: 21
NAT - internal port: 21

Windows firewall inbound rule port allow port: 21, 50000-51000

Client connecting to: <Wan IP>:21

This is working if the client is trying to connect using Active/Passive mode.

Configuration #2

Filezilla FTP server port: 2000
Passive port range: 50000-51000

NAT - external port: 21
NAT - internal port: 2000

Windows firewall inbound rule port allow port: 2000, 50000-51000

Client connecting to: <Wan IP>:21

This is working only if the client is set to Active mode. It is not working with the Passive mode configuration by the client. The client can connect and login is successful, but it ends with an error message at the server side like this, without any directory listing.

227 Entering Passive Mode (192,168,1,2,195,85)

Note: both cases work in the LAN-LAN network.

Solution

My guess is that configuration #1 works only because the NAT is smart enough to translate the IP address in the PASV response from the server. But it likely does that only for the standard FTP port.


You should tell the FileZilla FTP server its external IP address. Go to Edit > Settings > Passive mode settings > IPv4 specific > External Server IP Address for passive mode transfers.

Currently your FTP server is sending its internal IP address to the client. And the client obviously cannot connect to the IP address.

And have the NAT forward the ports in the passive port range (50000-51000).


Though the change will break the LAN-LAN connections. To allow both LAN and WAN connections, check if the NAT can be configured to translate the IP address for the non-standard ports too. Though the translation will work for unencrypted connections only anyway. And you should not use unencrypted connections!

The last option is to use the extended passive mode (EPSV), if your clients allow that. In the extended passive mode, there's no IP address in the response. The FTP client uses the primary IP address of the FTP server for data connections.
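
The following check is an added example, not part of the original question or answer. It decodes a 227 reply such as the one quoted in the question and reports why a client that reached the server at a given control address could not open the announced data connection. The function names and the WAN address 203.0.113.10 are constructed for illustration; the passive range 50000-51000 is the one from the question.

```python
import ipaddress
import re

# The six numbers h1,h2,h3,h4,p1,p2 of a 227 reply (RFC 959).
PASV_RE = re.compile(r"^227 .*?(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses, which are unreachable from the WAN side."""
    return any(ip in net for net in RFC1918)


def parse_pasv(reply):
    """Return (IPv4Address, port) announced in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def diagnose(reply, control_ip, passive_range=(50000, 51000)):
    """Reasons a client that reached the server at control_ip cannot open
    the data connection announced in reply (empty list means none found)."""
    ip, port = parse_pasv(reply)
    control = ipaddress.IPv4Address(control_ip)
    low, high = passive_range
    problems = []
    if ip != control and is_internal(ip) and not is_internal(control):
        problems.append("internal address %s announced to a client using %s" % (ip, control))
    elif ip != control:
        problems.append("announced address %s differs from control address %s" % (ip, control))
    if not low <= port <= high:
        problems.append("port %d outside forwarded range %d-%d" % (port, low, high))
    return problems


if __name__ == "__main__":
    # Reply quoted in the question; 203.0.113.10 is a constructed WAN address.
    reply = "227 Entering Passive Mode (192,168,1,2,195,85)"
    print(parse_pasv(reply))
    for problem in diagnose(reply, "203.0.113.10"):
        print("PROBLEM:", problem)
```

An empty result only means the announcement itself is consistent; the NAT must still forward the passive port range to the server.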
