Setup
- Router A connected to the internet on the 192.168.178.x subnet.
- Router B connected to router A through the WAN port on the 192.168.2.x subnet.
- IIS FTP server running on a PC connected to router B. Allowed FTP Server in Windows firewall.
- Port forwarded TCP ports 21 and 22 on router B to point to the PC with the FTP server.
- A range of IP cameras connected to both routers A and B due to proximity, wireless range limitations etc. These IP cameras can put mp4/jpg files to an FTP server.
Problem
There seems to be a firewall issue FTP'ing to the server on router B from the cameras on router A's subnet. I've tested all the cameras on router B and they work fine; they're able to FTP files as expected. When I move a camera to router A's network and point the FTP IP address at router B, only the command port seems to work, e.g. the cameras are able to create folders and change directory on the server but cannot seem to use the data port (should be port 22?) to actually put content.
Tests
I've tested a Windows PC on router A's network - the PC can connect to the FTP server by targeting router B's IP address; it gets and puts content, lists directory content, i.e. it seems fully functional. On the PC running the FTP server itself, I can get and put content, list directories etc. if I use 127.0.0.1 or the PC's IP address as assigned by router B. If I try to use the 192.168.178.y address (y is the address of router B on router A's network), the session just hangs when I try to list directories:
ftp> dir
501 Server cannot accept argument.
150 Opening ASCII mode data connection.
NB: The address 192.168.178.y is reachable from router B's network. I can ping it. The Windows client session can connect (it prints the server's custom welcome message).
To test passive mode on the FTP server itself, I had to use Bash on Windows. In this case the results are pretty much identical, except that instead of hanging, I just get an error:
ftp> dir
227 Entering Passive Mode (192,168,2,167,17,4).
150 Opening ASCII mode data connection.
425 Cannot open data connection.
However, another test I did was to connect a real Linux PC to the PC with the FTP server on it using ICS/Internet Connection Sharing. This means the Linux PC is on another subnet (192.168.147.x). The test results are identical to what I've mentioned above, except when I switch to passive mode (and switch to binary mode) everything works as expected i.e. I can get, put, list directories etc!
The problem is these IP cameras most likely run some version of Linux (probably μClinux) and there is no option to force them to use passive mode. So, if I can figure out what I need to configure/change in the firewall(s), then I think FTP will start working from router A's subnet.
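
Decoding the 227 reply quoted in the post, as an added example that is not part of the original post: per RFC 959 the six numbers are the data address followed by the port as p1*256+p2, and the sketch compares that address with the one the control connection uses. `ROUTER_B_WAN` and the `PORT` line are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by a 227 reply and by a PORT command (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(line):
    """Return (IPv4Address, port) from a '227 ...' reply or a 'PORT ...' command."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field above 255 in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]  # port = p1 * 256 + p2


def check_data_endpoint(line, control_peer):
    """Compare the advertised data endpoint with the control-connection peer.

    control_peer: address the control connection goes to (for a 227 reply)
    or comes from (for a PORT command), as seen by whoever reads the line.
    """
    ip, port = parse_hostport(line)
    return {
        "data_ip": str(ip),
        "data_port": port,
        "private": ip.is_private,
        "matches_control_peer": ip == ipaddress.IPv4Address(control_peer),
    }


# Reply copied from the post.
REPLY_227 = "227 Entering Passive Mode (192,168,2,167,17,4)."
# Constructed stand-in for the post's 192.168.178.y (router B on router A's network).
ROUTER_B_WAN = "192.168.178.50"
# Constructed PORT command, as an active-mode client at 192.168.178.23 would send it.
PORT_CMD = "PORT 192,168,178,23,200,10"

if __name__ == "__main__":
    print(check_data_endpoint(REPLY_227, ROUTER_B_WAN))
    print(check_data_endpoint(PORT_CMD, "192.168.178.23"))
```

For the quoted reply this reports data address 192.168.2.167 and port 4356, which is not the address the control connection was made to; any firewall or port-forward rule for the data channel has to cover the decoded port, whichever side opens the connection.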