Posted: Mon Sep 14, 2009 14:43 Post subject: FTP over WAN (internet) on WRT610N
Dear,
Two weeks ago I successfully installed the EKO DD-WRT firmware on my WRT610N
Firmware Version: DD-WRT v24-sp2 (09/01/09) big - build 12774M NEWD Eko
Everything is working fine, except FTP access over WAN for accessing my attached USB stick to the router.
I tried all the hints and tips on the following link, but without a positive result, including the 2 described options:
http://www.dd-wrt.com/wiki/index.php/ProFTPd
The only thing is, I don't use port 21 for FTP as my provider blocks this port. So I replaced port 21 everywhere with
the port I use for FTP. FYI, remote management through the internet over port 8080 is working fine.
However, inside the LAN, FTP is working correctly. I can see the data on my USB stick.
From outside my LAN (over the internet) it is impossible to access it via FTP.
I tried already via browser and with FTP client Filezilla ..
Please can someone help me or put me in the right direction about how to solve this annoying problem?
/usr/sbin/iptables -I INPUT 1 -p tcp --dport (the port you used for proFTPd) -j logaccept should do the magic.
Do yourself a favor and check that the port you used for FTP is actually visible from the internet, for example by using a port scanner, such as ShieldsUP!
Joined: 24 Aug 2009 Posts: 2070 Location: South Florida
Posted: Mon Sep 14, 2009 19:58 Post subject:
Why on earth does your ISP block port 21? Call them up and bitch... You're paying for it after all... Unless it's part of their terms of service...
I know it is stupid but it's no problem for me because I just use another port (12121)
The connection to the FTP server seems to be OK, but then I always have the following error in Filezilla:
"Failed to retrieve directory listing"
this is driving me nuts
I tried almost everything ..
provider is telenet
No firewall @ client side
on server side there is the DD WRT
The connection session is working and the server goes to passive mode and sends the client the port that it needs to use for the data session
Here it goes wrong ..
The client cannot make the data session with the server on the received port (port between 60000 and 65000 as set on my FTP server)
I did forward port range 60000 65000 on the firewall of my DD WRT to the built-in proftpd server
I have no clue why this isn't working ..
Searched already for hours and hours :-(
Joined: 27 Dec 2008 Posts: 186 Location: EU, Slovakia
Posted: Sun Sep 20, 2009 11:39 Post subject:
elmiku wrote:
I did forward port range 60000 65000 on the firewall of my DD WRT to the built-in proftpd server
I have no clue why this isn't working ..
Searched already for hours and hours :-(
greetz
did you already try
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j logaccept
I don't know if this is part of the standard DD-WRT fw setup. My dd-wrt is not running WAN there.
Still, you can try it.
mk
I think there's a problem with iptables on the wrt610n. I have similar issues with connecting to the OpenVPN Server. After disabling the firewall completely, the connection is working. I tried every iptables-rule I could find here for OVPN, but nothing helped. I'm going to flash another build sooner or later, and will try it again.
Hi guys
Thanks for the help
I finally found it myself !!!
The following iptables rule did the magic
/usr/sbin/iptables -I INPUT -p tcp -m tcp --dport 60000:61000 --syn -j logaccept
(pay attention, these are MY passive ports ...)
The problem is I forwarded these ports with the GUI. The GUI is putting this rule in the FORWARD table instead of the INPUT table .. remember that the FTP server is on the router and NOT on a PC in my LAN.
Therefore the rule in the FORWARD table could never be executed and it blocked all my passive ports.
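Added example (not part of the original thread, and not DD-WRT's own code): a POSIX shell check that illustrates the INPUT-versus-FORWARD point made in the post above, by reading filter rules in iptables-save format and reporting which chains accept a given TCP port. The two rulesets, the 192.168.1.1 router address and the function names are constructed for illustration; rule order and negated matches are deliberately not evaluated.

```shell
#!/bin/sh
# Constructed rulesets in iptables-save format (not captured from a real router).
# GUI_RULES: the passive range was opened only through a port forward (FORWARD).
GUI_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12121 -j logaccept
-A FORWARD -d 192.168.1.1 -p tcp -m tcp --dport 60000:65000 -j ACCEPT
-A INPUT -j DROP'
# FIXED_RULES: the same ruleset after the INPUT rule from the post is inserted.
FIXED_RULES="-A INPUT -p tcp -m tcp --dport 60000:61000 --tcp-flags SYN,RST,ACK SYN -j logaccept
$GUI_RULES"

# chains_accepting PORT: read rules on stdin and print each chain that has an
# accepting tcp rule whose --dport value or lo:hi range covers PORT.
# Simplification: rule order and negated (!) matches are not evaluated.
chains_accepting() {
    awk -v port="$1" '
        $1 == "-A" {
            chain = $2; lo = -1; hi = -1; tcp = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport") {
                    n = split($(i + 1), r, ":")
                    lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                }
            }
            ok = (target == "ACCEPT" || target == "logaccept")
            if (tcp && ok && port + 0 >= lo && port + 0 <= hi && !(chain in seen)) {
                seen[chain] = 1; print chain
            }
        }'
}

# diagnose PORT: say whether a daemon running on the router itself is reachable.
# Traffic addressed to the router traverses INPUT; FORWARD only sees routed traffic.
diagnose() {
    chains=$(chains_accepting "$1" | tr '\n' ' ')
    case " $chains" in
        *" INPUT "*)   echo "reachable: INPUT accepts tcp/$1" ;;
        *" FORWARD "*) echo "blocked: only FORWARD accepts tcp/$1" ;;
        *)             echo "blocked: no accept rule for tcp/$1" ;;
    esac
}

printf '%s\n' "$GUI_RULES"   | diagnose 60500   # passive port before the fix
printf '%s\n' "$FIXED_RULES" | diagnose 60500   # same port after the fix
```

On a router, the functions can be fed a saved copy of the live ruleset instead of the constructed samples, once for the control port and once for each end of the passive range configured in the FTP server.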
Joined: 27 Dec 2008 Posts: 186 Location: EU, Slovakia
Posted: Mon Sep 21, 2009 20:20 Post subject:
elmiku wrote:
Hi guys
Thanks for the help
I finally found it myself !!!
The following iptables rule did the magic
/usr/sbin/iptables -I INPUT -p tcp -m tcp --dport 60000:61000 --syn -j logaccept
Normally, the ip_conntrack_ftp module should do the job, but apparently this module is not part of the dd-wrt installation.
If you want to experiment a little bit, copy this module to jffs and load it via a startup script with "insmod /jffs/ip_conntrack_ftp.o".
This should help the firewall to properly pass the data connection as part of the previous FTP stream on port 21 (RELATED connection).
Edit: it seems that you also have to copy and load ip_conntrack.o (before ip_conntrack_ftp).