I was thinking of this solution. Sending a packet from a chosen
port (for example, 1027) to port 20 of the server address. The NAT
firewall will then allow incoming access from port 20 to 1027. Then,
the computer will send a PORT command to the server to inform that the
client data port is 1027. The data transfer will then start.
I do not think you can tell ftp.exe to use a port of your choice. It sends the PORT with a port of its choice. You (the application) do not send it yourself.
There is an option on the FileZilla Server, "Ignore unroutable IPs on
PORT command". Should I enable it? Will it solve the problem?
It would help, had the problem been that the client does not know its external IP address (meaning it sends the wrong IP in the PORT command). Which is actually the case (10.10.1.239 is a local IP address that the server cannot reach), so you need to turn the option on. But you claim the problem is the firewall too. So while the option helps, it does not solve all the problems you have.
Obviously the easiest solution would be to reconfigure your firewall to allow the Active mode. That means to open incoming ports in data connection range.
See my article Network Configuration for Active Mode.
You can restrict the rules just for the server IP address. You can even restrict them further to remote port 20 only.
The only other idea I have is to develop a fake ftp.exe client that uses the Passive mode. It won't be that difficult if you make use of some FTP client library and restrict the client's functionality only to what the application really uses.
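
What the "Ignore unroutable IPs on PORT command" setting discussed above amounts to, as an added example that is not part of the original answer and not FileZilla Server's code. The function names, the list of unroutable ranges and the peer address 203.0.113.7 are constructed for illustration, and replacing the announced address with the control connection's peer address is an assumption about how such an option behaves.

```python
import ipaddress

# Ranges treated as unreachable from the public side (assumed list for this example).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_unroutable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)

def parse_port(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port)."""
    verb, _, arg = command.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6 or not all(
        f.isascii() and f.isdigit() and int(f) <= 255 for f in fields
    ):
        raise ValueError("malformed PORT argument")
    nums = [int(f) for f in fields]
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte first
    return ip, port

def data_target(command, control_peer_ip):
    """Return (ip, port, substituted) for the server's active-mode data connection.

    If the client announced an address the server cannot reach while the
    control connection arrived from a routable address, connect back to that
    peer address instead. The port is kept as announced, so the client-side
    NAT or firewall must still let the incoming connection through.
    """
    ip, port = parse_port(command)
    if is_unroutable(ip) and not is_unroutable(control_peer_ip):
        return control_peer_ip, port, True
    return ip, port, False

if __name__ == "__main__":
    # Constructed sample: the client behind NAT announces its LAN address and port 1027.
    print(data_target("PORT 10,10,1,239,4,3", "203.0.113.7"))
```

The substitution only corrects the address. Whether the connection to port 1027 arrives still depends on the firewall rules the answer describes.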