  kapp0
join:2001-12-16 Belvidere, IL
| R7100-C
I am having no luck setting up an FTP server through the built-in firewall. I am following the directions in the manual, but I can't get the connection to go through. If anybody has any directions or something to look for that I may have missed, that would be great. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| Could you let us know a bit about the configuration? What version of firmware? Are you using NAT? Did you set up a server list?
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net |
|
  JRBlood Premium join:1999-12-28 Syracuse, NY clubs: | reply to kapp0 Did you get this resolved, kapp? |
|
  kapp0
join:2001-12-16 Belvidere, IL | Sorry I didn't get back to the post. I'm still working on it. I have a huge manual telling me how to do it. I think I may try to use a different program than Serv-U. I had a hard time with my D-Link router also. |
|
  JRBlood Premium join:1999-12-28 Syracuse, NY clubs: | If you still need help with it, let me know. I have a FTP server running behind my R9100, so I can walk ya through it step-by-step. Yours should be similar. |
|
  kapp0
join:2001-12-16 Belvidere, IL
| I have firmware version 4.10.1 and all of the settings outside of the IP address and DNS numbers are the factory defaults. I would love directions on how to set up an FTP. Also maybe some advice on a good FTP server application. Thanks for all the help. |
|
  JRBlood Premium join:1999-12-28 Syracuse, NY clubs:
| I've had the best luck with Serv-U. I did test a couple of others, but I don't remember the names of them unfortunately.
I'll get step-by-step instructions written up on the Netopia later on today (gotta work, ya know). |
|
  JRBlood Premium join:1999-12-28 Syracuse, NY clubs:
| reply to kapp0 How to set up a FTP server entry using PAT.
NOTE: Please back up your config to your own TFTP server or through the console (serial) port before you make any modifications!! This way you can reload the config to the way you had it before in case something goes wrong. I can not be held responsible if something goes awry.
A lot of assumptions are presented here as I have no way of knowing how you set up your own Netopia, or if there are any differences between the R-9100 and the other models. Please make adjustments to these instructions to fit your specific configuration (WAN port could be your xDSL module, for instance). I have mine locked down pretty tight, so I had to do all of the following to get this working.
First, you need to determine what FTP and PASV (AKA Passive) ports you want to use. You could use the default 20-21 for FTP and then create a separate list of PASV ports, or you could create your own range as I have done. PASV is REQUIRED to get around PAT, if you are using it. If you are not, stop reading as I have not tried this with a server assigned a public IP.
I do not recommend using port 21 for FTP servers unless you want it to be fully available to the entire world. Port scanners look for port 21 to be open and you could be targeted for a malicious attack. If you do want it to be fully public, though, then go ahead. You still need to assign PASV ports, however, to get around PAT.
For this example, I want to set up the server in the following way:
192.168.1.1 - Server's STATIC Private IP address
1234 - FTP Port
2000-2020 - PASV Ports
Now we need to set up a server entry to tell the router where something coming in on these particular ports should be forwarded to.
From the Main Menu:
Go into Quick Menus...
Arrow over to Network Address Translation
Go to Show/Change Server List...
By default, you should have only one entry called Easy-Servers. If so, press Enter to go into it. If you have created your own, however, select the one you are using and press Enter.
Arrow down to Add Server...
Press Enter to select Service....
If you are going to be using the default FTP ports, you can select it from the list shown and press Enter to select it.
Otherwise, go to Other... and press Enter.
Type in your first and last port numbers. If you want to host a server on one port (Using our example of 1234), then you have to make the range start one port DOWN from your desired port:
First Port Number (1..65535): 1233
Last Port Number (1..65535): 1234
Remember to press Enter after you enter your port number, otherwise it will not stick.
Press Enter again on OK if everything looks alright.
Now, enter your server's static private IP address:
Server Private IP Address: 192.168.1.1
The next line, Public IP Address: does not need to be changed. It will assume the one public IP address on the WAN side of the router if you leave it at 0.0.0.0.
ADD NAT SERVER should now be selected. Double-check the above entries and then press Enter to save the settings.
OK. Now we need to enter the PASV ports. Follow the same procedure above, but replace the first and last ports with 2000 and 2020 respectively.
One quick shortcut: If you want to have just one server entry, you could do the following. For example:
1234 - FTP Port
1235-1250 - PASV
Enter 1233 for the First Port number and 1250 for the last. This will cover the FTP and PASV ports. This is how I have mine set up (Not these port #s, of course) and it works perfectly. 
Now, arrow down to Show/Change Server... to triple-check your entry(s). Our example should look like this:
192.168.1.1 0.0.0.0 1233 - 1234
192.168.1.1 0.0.0.0 2000 - 2020
Or if we did the shortcut:
192.168.1.1 0.0.0.0 1233 - 1250
Now things may get a bit sticky here. If you are using any filters on the WAN port, then you will need to make some slight modifications to it in order for the packets to get through to the LAN side. The following applies to our first example.
From the main Menu:
1. Go into Quick Menus
2. Arrow over to IP Filter Sets
Assuming you are using the default Basic Firewall:
3. Arrow down to Display/Change IP Filter Set...
4. Select the filter set you are using for your WAN.
5. Arrow down to Add Input Filter to Filter Set...
6. Arrow down as needed, use the TAB to change toggled settings, and ENTER to set the toggle or entry. Per our example above, change the following:
Enabled: YES
Forward: YES (TAB this to YES)
Source IP address and subnet do not need to be changed.
Dest. IP Address: 192.168.1.1 <--Your FTP server's private IP
Dest. IP Address Mask: 255.255.255.255 <--Restricts the filter to one IP
For Protocol Type:, type in TCP and press Enter.
Source Port and Source Compare do not need to be changed. For the compare, press Enter to see the list of options.
Dest. Port Compare... Greater Than or Equal
Dest. Port ID: 1233
Established TCP Conns. Only: NO
Arrow down to ADD THIS FILTER NOW.
Now we need to repeat this again, but in step 6, we need to change it to:
Dest. Port Compare... Less Than or Equal
Dest. Port ID: 1234
We're still not done. We need to repeat this two more times for the PASV port range as well. This is where the shortcut of one range for the FTP and PASV ports saves some time. You only need to make two entries instead of four. 
Once you are done, go back to the IP Filter Set menu and select Display/Change Input Filter.... Your entries should look similar to this:
# 0.0.0.0 192.168.1.1 TCP NC >=1233 Yes Yes
# 0.0.0.0 192.168.1.1 TCP NC <=1234 Yes Yes
# 0.0.0.0 192.168.1.1 TCP NC >=2000 Yes Yes
# 0.0.0.0 192.168.1.1 TCP NC <=2020 Yes Yes
The shortcut entry would look like this:
# 0.0.0.0 192.168.1.1 TCP NC >=1233 Yes Yes
# 0.0.0.0 192.168.1.1 TCP NC <=1250 Yes Yes
Remember, if you are using port 21, you CAN NOT use the shortcut trick I mentioned as there are assigned ports past 21. It can get very ugly. That is why you should use something over > 1024 that is not assigned to anything for the PASV ports.
For a list of the IANA ports, go to »www.iana.org/assignments/port-numbers to make sure you are not using any ports that may be used on your network.
I hope this explains it clearly enough. I had to document this anyway for the other techs, so it wasn't a big deal to do. If you need any help with this, please ask. |
|
  kapp0
join:2001-12-16 Belvidere, IL | Thanks for the time, it worked great. I'll keep using Serv-U also. That was a great lesson in Netopia router setup. |
|
  azacamis
join:2000-12-16 Singapore
| reply to kapp0 Re: R7100-C
I suggest creating rules to block ports <1024 if you have rules like below
# 0.0.0.0 192.168.1.1 TCP NC <=1250 Yes Yes
If you already have that rule, push it before the rule above. -- »www.azacamis.com |
|
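An added example, not part of any post in this thread: a small Python model of the input filters listed in the how-to above and of the block rule suggested in the reply, showing which destination ports each ordering forwards to 192.168.1.1. It assumes the filter set is evaluated top-down with the first match deciding and one port comparison per filter row; the function and variable names are hypothetical.

```python
import operator

# Assumption: the filter set is evaluated top-down and the first matching
# filter decides; each filter row holds a single port comparison.
OPS = {">=": operator.ge, "<=": operator.le, "<": operator.lt}
SERVER = "192.168.1.1"

# Input filters as listed in the post: (dest IP, compare, port, forward?)
POSTED = [
    (SERVER, ">=", 1233, True),
    (SERVER, "<=", 1234, True),
    (SERVER, ">=", 2000, True),
    (SERVER, "<=", 2020, True),
]
# Rule suggested in the follow-up reply, placed ahead of the forward rules.
BLOCK_LOW = (SERVER, "<", 1024, False)

# NAT server list entries from the post: (first port, last port)
SERVER_LIST = [(1233, 1234), (2000, 2020)]


def evaluate(filters, dst_ip, dst_port):
    """Return 'forward', 'discard' or 'no match' for one TCP packet."""
    for ip, cmp, port, forward in filters:
        if ip == dst_ip and OPS[cmp](dst_port, port):
            return "forward" if forward else "discard"
    return "no match"  # decided by whatever follows in the real filter set


def forwarded_ports(filters, dst_ip=SERVER):
    """All destination ports these filters would forward to dst_ip."""
    return [p for p in range(1, 65536) if evaluate(filters, dst_ip, p) == "forward"]


def mapped_and_forwarded(filters):
    """Ports that are both in the NAT server list and forwarded by the filters."""
    allowed = set(forwarded_ports(filters))
    return sorted(p for lo, hi in SERVER_LIST for p in range(lo, hi + 1) if p in allowed)


if __name__ == "__main__":
    print("posted rules forward", len(forwarded_ports(POSTED)), "ports")
    print("port 21 ->", evaluate(POSTED, SERVER, 21))
    hardened = [BLOCK_LOW] + POSTED
    print("with block rule first:", len(forwarded_ports(hardened)), "ports;",
          "port 21 ->", evaluate(hardened, SERVER, 21))
    print("mapped and forwarded:", mapped_and_forwarded(hardened))
```

Under those assumptions the posted pair of >= and <= filters does not form a range, because every port satisfies one comparison or the other, which is why the block rule has to sit ahead of them.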
  JRBlood Premium join:1999-12-28 Syracuse, NY clubs:
| reply to kapp0 Re: How to set up a FTP server entry using PAT.
Phew! I was hoping you could understand it OK. I'm glad to see you got it working.
EDIT: I almost forgot. Your users will need to enable PASV in their FTP client for your server, otherwise they will not get directory listings or other screwy errors.
The lesson above can also be applied to other services as well, depending on what ports and protocols you need opened. With all of the different services I have running here at work, I've had to become an expert on the Netopia. 
Once you really get down into the router, you start to realize just how much control you can have. It's kind of like a Cisco with a menu. Well worth the money, in spite of the glitches with the 4.11 firmware (I'm running 4.10.1). [text was edited by author 2002-10-04 18:26:39] |
|