Setup

  • Router A connected to the internet on the 192.168.178.x subnet.
  • Router B connected to router A through the WAN port on the 192.168.2.x subnet.
  • IIS FTP server running on a PC connected to router B. Allowed FTP Server in Windows firewall.
  • Port forwarded TCP ports 21 and 22 on router B to point to the PC with the FTP server.
  • A range of IP cameras connected to both routers A and B due to proximity, wireless range limitations etc. These IP cameras can put mp4/jpg files to a FTP server.

Problem

There seems to be a firewall issue FTP'ing to the server on router B from the cameras on router A's subnet. I've tested all the cameras on router B and they work fine; they're able to FTP files as expected. When I move a camera to router A's network and point the FTP IP address at router B, only the command port seems to work, e.g. the cameras are able to create folders and change directory on the server but cannot seem to use the data port (should be port 22?) to actually put content.

Tests

I've tested a Windows PC on router A's network: the PC can connect to the FTP server by targeting router B's IP address; it gets and puts content and lists directory content, i.e. it seems fully functional. On the PC running the FTP server itself, I can get and put content, list directories etc. if I use 127.0.0.1 or the PC's IP address as assigned by router B. If I try to use the 192.168.178.y address (y is the address of router B on router A's network), the session just hangs when I try to list directories:

ftp> dir
501 Server cannot accept argument.
150 Opening ASCII mode data connection.

NB: The address 192.168.178.y is reachable from router B's network. I can ping it. The Windows client session can connect (it prints the server's custom welcome message).

To test passive mode on the FTP server itself, I had to use Bash on Windows. In this case the results are pretty much identical, except that instead of hanging, I just get an error:

ftp> dir
227 Entering Passive Mode (192,168,2,167,17,4).
150 Opening ASCII mode data connection.
425 Cannot open data connection.

However, another test I did was to connect a real Linux PC to the PC with the FTP server on it using ICS (Internet Connection Sharing). This means the Linux PC is on another subnet (192.168.147.x). The test results are identical to what I've mentioned above, except that when I switch to passive mode (and switch to binary mode) everything works as expected, i.e. I can get, put, list directories, etc.!

The problem is these IP cameras most likely run some version of Linux (probably μClinux) and there is no option to force them to use passive mode. So, if I can figure out what I need to configure/change in the firewall(s), then I think FTP will start working from router A's subnet.
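To make the passive/active exchange in the transcripts above concrete, here is an added example (not from the question, nor part of the IIS or OpenWrt setup it describes) that parses the 227 reply and a PORT command into the data endpoint they announce and flags the classic NAT symptom: the address advertised in-band is a private address that does not match the address the control connection actually talks to. The control-peer addresses and the PORT line are constructed.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Both the PORT command and the 227 reply carry h1,h2,h3,h4,p1,p2 (RFC 959);
# the data port is p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command or a 227 PASV reply, or None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connection(line: str, control_peer: str) -> dict:
    """Describe the data connection that a PORT command or 227 reply sets up.

    control_peer is the remote address of the control connection as this side
    sees it. If the in-band address is private and differs from control_peer,
    a NAT device sits in between and the data connection only works if that
    device rewrites the address (FTP ALG / conntrack helper) or the port is
    forwarded; otherwise the transfer hangs or the server answers 425.
    """
    parsed = parse_hostport(line)
    if parsed is None:
        raise ValueError(f"no host/port in: {line!r}")
    ip, port = parsed
    mode = "active" if line.upper().startswith("PORT") else "passive"
    nat_mismatch = ipaddress.ip_address(ip).is_private and ip != control_peer
    return {
        "mode": mode,
        # active: the server dials out from port 20 to the client's endpoint;
        # passive: the client dials the endpoint the server advertised.
        "connect_to": (ip, port),
        "source_port": 20 if mode == "active" else None,
        "nat_mismatch": nat_mismatch,
    }


if __name__ == "__main__":
    # Constructed samples: the 227 line is the one quoted above (client talked
    # to router B's WAN side); the PORT line is a hypothetical camera on
    # router A's subnet as the server on router B's LAN would see it.
    print(data_connection("227 Entering Passive Mode (192,168,2,167,17,4).", "192.168.178.2"))
    print(data_connection("PORT 192,168,178,50,195,80", "192.168.178.50"))
```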

  • Is there any particular reason you need port forwarding on router B, and can't either (1) use router B as a simple bridge, or (2) configure proper forwarding and routes for your complete network? Also, the FTP protocol requires special port forwarding rules; does router B support those?
    – dirkt
    Commented Mar 5, 2019 at 11:42
  • Router B is running OpenWrt, so I'd think it does support FTP and all the required rules? I didn't read anything that said my hardware would be limited in this regard. Is there a way to check which port might be being used for data? Or, check for dropped connection requests in case the data port isn't being opened for the transfer? Commented Mar 5, 2019 at 13:50
  • It's not hardware, but software: FTP requires special Linux kernel modules for FTP connection tracking, but OpenWRT has those. What does your forwarding configuration look like? Both ports 20 and 21? And passive as well?
    – dirkt
    Commented Mar 5, 2019 at 14:43
  • But to repeat the point: You really shouldn't need port forwarding in the first place, unless you have very special requirements.
    – dirkt
    Commented Mar 5, 2019 at 14:44
  • If I have two separate subnets then I do require port forwarding or some firewall rule. At the moment, if I test without port forwarding, not even the C&C channel can connect and the connection is just refused by the router. To set up port forwarding, I just went through LuCI and set a rule to allow "From any host in wan Via any router IP at port 2x" to map to my server at port 2x. I have just tested the DumbAP/simple bridge configuration as you suggested and it works, but I'd still like to figure out how to properly set up the port forward rules. Commented Mar 6, 2019 at 3:39

1 Answer

FTP is a unique bird among the internet protocols: it uses two ports, 21 and 20.

There should be a port forwarding rule for port 20 too (port 22 is for SSH and is not needed).

https://www.grc.com/port_20.htm

  • Good catch. But I do already have port 20 forwarded too. For some reason I saw the setup for the cameras set to port 21 and just thought the data channel was on the n+1 port. Commented Mar 5, 2019 at 18:40
