 sparql
join:2009-07-27 Hampshire, IL
| Need help setting up a ZyWall 5 for FTP
Hello, I have a ZyWall 5 and am trying to set up an FTP server. I've never had difficulty with consumer-grade products, but this is giving me some difficulty. I suspect I'm missing something simple.
1) I created a Port Forwarding rule, where 2121 goes to 192.168.1.32 on my network
2) I created a service for 2121
3) I created a firewall rule for WAN to LAN that permits access to 2121
I've tried reading the manual with little success. I feel I have a decent understanding of how this should work, but am hitting a serious roadblock.
Any help would be much appreciated. Thanks in advance! |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| FTP is a nasty protocol, because it uses two connections.
The first connection (the control connection) is the one you have configured. However, any file transfer or directory listing requires opening a second connection (the data connection). In passive mode, the server listens on the data connection and the client connects to it. The port is arbitrary. In active mode, the client listens (arbitrary port) on the data connection, and the server connects to it. In your case, the server should use a source port of 2120 for that connection (one less than the port for the control connection).
To make things more difficult, information on the ports to use is communicated over the control connection. Since you are using NAT, the information passed will be wrong. Any chance of getting this working will depend on the router being able to modify those packets on the fly, to correct the wrong information.
Some routers have this ability. I don't know whether the ZyWall does. But since you are using a non-standard port, the router won't recognize that this is FTP unless there is some way of configuring that fact.
If you are able to revise your plans to use http: for serving files (with a web server), or to use sftp (file transfer over an ssh channel), you will save yourself a bunch of problems. -- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.11 |
|
  Brano I hate Vogons Premium,MVM join:2002-06-25 Burlington, ON
| reply to sparql ZyWall 5 has an FTP_ALG, set by default on port 21.
1) Make sure FTP_ALG is enabled
2) Make sure you change the port to 2121 if you wish to run your FTP service on this non-standard port.
3) Enable port 2121 on WAN-to-LAN firewall and you're all set.
Mind, when testing from the LAN side you may just want to use the LAN IP of the FTP server instead of the WAN IP, as I believe the FTP_ALG is not smart enough to handle this situation.
You can enable the FTP_ALG through the web interface, but you need to change the port through the CLI. Check chapter 15.1.1 for additional details »ftp://ftp.zyxel.com/ZyWALL_5_UTM/cli_r···TM_2.pdf -- openSUSE 11.1, KDE 4.2 |
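What nwrickert and Brano describe above, as an added example that is not part of the original thread and is not ZyWall code: a simplified Python model of an FTP ALG rewriting a passive-mode reply from the server at 192.168.1.32, and doing nothing when the control connection is on a port it is not watching. The WAN address 203.0.113.10, the sample 227 reply and all function names are constructed assumptions.

```python
import re

# Constructed values: 203.0.113.10 is a documentation address standing in for
# the router's WAN IP; 192.168.1.32 is the FTP server from the thread.
WAN_IP = "203.0.113.10"
LAN_SERVER = "192.168.1.32"
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,32,195,80)"  # constructed

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None for anything else."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The port is sent as two bytes: high * 256 + low.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def alg_outbound(line, control_port, alg_port, pinholes):
    """Model one server reply passing through the ALG towards the WAN.

    If the ALG is watching this control port, the private address in a 227
    reply is replaced by WAN_IP and the data port is recorded so the firewall
    can forward it. On any other port the reply leaves unmodified, so the
    remote client is told to connect to an unroutable 192.168.x.x address.
    """
    if control_port != alg_port:
        return line
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] != LAN_SERVER:
        return line
    port = parsed[1]
    pinholes.add((LAN_SERVER, port))
    fields = WAN_IP.split(".") + [str(port // 256), str(port % 256)]
    return re.sub(r"\(.*?\)", "(" + ",".join(fields) + ")", line, count=1)


if __name__ == "__main__":
    for alg_port in (21, 2121):
        holes = set()
        out = alg_outbound(SAMPLE_REPLY, 2121, alg_port, holes)
        print(f"ALG on {alg_port}: {out}  pinholes={sorted(holes)}")
```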
|
 sparql
join:2009-07-27 Hampshire, IL
| reply to nwrickert Thank you for your reply.
I'm currently using (or trying to use) IIS for the FTP server, which if I understand correctly doesn't do sftp.
I'm willing to try something else, if sftp will end up easier to get going than ftp. Do you have a suggestion? |
|
 sparql
join:2009-07-27 Hampshire, IL
| reply to Brano @Brano
Thank you so much, your post really helped. Turns out the FTP_ALG was disabled. Once I turned it back on and set the port range to 2120 to 2121 as nwrickert suggested, it now appears to be working!
Doing that, it appears I didn't even have to change the default FTP port via the CLI.
Thank you both very much. |
|
  Brano I hate Vogons Premium,MVM join:2002-06-25 Burlington, ON | Are you doing port translation on the router? From WAN:2121 to LAN:21? In such a case the FTP_ALG may just work... depends on implementation. -- openSUSE 11.1, KDE 4.2 |
|
 sparql
join:2009-07-27 Hampshire, IL | Yes, I am doing the port translation. |
|