How to set up port forwarding manually for a broadband ADSL (Cable) router or firewall?


1. First, find the IP address of your ftp server, as shown in Figure 1 below. If you don't know your network's structure (whether the server is behind an ADSL/Cable router or a firewall), you can work it out from the ftp server's IP address.

If the IP address is a private IP within 192.168.*.*, 10.*.*.* or 172.13.*.* - 172.32.*.*, then the server could be located behind a NAT device (an ADSL/Cable router is the common NAT device). Users on the public internet cannot reach your ftp server directly using this private IP. Because your server is behind a NAT device, that device must have a WAN interface with an associated public IP address, which is reachable by users on the public internet. You have to set up the ftp server to use the WAN interface IP, or the domain name of this WAN interface.

However, if your ftp server's IP is not within the above private IP ranges, your server must be using a public IP. In that case your ftp server can only be behind a firewall, and you may only need to open a range of PASV ports for the ftp server.


Figure 1. How to find your ftp server's IP address?

2. Find out your ADSL/Cable router's WAN interface IP. If your ISP does not give the WAN interface of your router a fixed IP address (every time your router reboots, the WAN interface IP changes), you will need to apply for a DDNS name (dynamic domain name service) for this WAN interface. Users will then always reach your ftp server through this domain name. You can get a free DDNS name from DDNS service providers such as dyndns.org, NO-IP.com, etc. In this example, we use the account "testuser" at DynDNS.org and the DDNS name "myftp.blogdns.org" for the WAN interface. Many routers have built-in support for some popular DDNS service providers. To show how to set up a DynDNS.org account for DDNS support, we use the Linksys router in Figure 2 as an example.


Figure 2. Setup DDNS support for DynDNS.org account in the Linksys router

3. Choose a range of ports to use for passive mode ftp. (If you don't know what passive mode ftp is, you can find the answer from Google.) It is better to choose a port range above 10000, since this reduces the chance of port conflicts with other applications. In this example we choose port range 60010 - 60030.

4. Set the above DDNS name and passive port range in your ftp server. Go to "Global Options->General->NAT and Firewall" as shown in Figure 3.


Figure 3. NAT and firewall settings

Click the "Setup..." button in Figure 3. Set the passive port range and the domain name of the WAN interface as shown in Figure 4.


Figure 4. Passive port range and WAN interface domain name

5. Now set up port forwarding in the router. The purpose of port forwarding is to open ports in the router so that outside traffic to the opened ports is forwarded directly to the internal ftp server.

Before setting up port forwarding in the router, make sure the machine running your ftp server uses a fixed IP instead of a dynamic IP from DHCP.

This is very important, because port forwarding requires the destination IP to be fixed. If your server uses a dynamic IP from DHCP, the port forwarding settings become invalid the next time the IP changes.

In our example, the ftp server machine uses the fixed private IP 192.168.15.110.

Then set up port forwarding for both the standard FTP control port 21 and the passive mode port range 60010-60030. We use a Linksys router, as shown in Figure 5. Different routers may have different menus for port forwarding, so you may need to read the router manual. Note: some special types of firewall may require outgoing port 20 to be opened; see the troubleshooting section below for details.


Figure 5. Setup port forwarding for ftp server inside Linksys router

Troubleshooting:

First, make sure the option "Don't use WAN IP for PASV command" is not selected for your virtual server. This option is under [Virtual Server Configuration]->[Advanced]->[Misc].

1. If users cannot connect to the ftp server from outside (the public internet), click the log icon in Xlight's main program window and check your server's logs on screen. If you cannot see any connections from outside, your router or firewall may not be configured correctly. Possible reasons are that port forwarding for the standard FTP control port 21 is not set up correctly in your router/firewall, or that your ftp server's IP is different from the destination IP in the port forwarding settings.

If you can see ftp connection logs from outside, but outside users fail to get a directory listing, then something is wrong with the port forwarding settings for the passive mode port range. In the ftp logs, find the ftp server's response after the client sends the PASV command. The server response will look like:

227 Entering Passive Mode (65,93,172,59,m,n)

In the above response, m and n are used by the ftp client to calculate the PASV port it will connect to; the algorithm is m*256+n. For example, if m=10, n=20, then the PASV port opened by the server is 10*256+20=2580.

Check whether this port is within the PASV port range set in the ftp server. Also check whether your ftp server's IP is different from the destination IP in the port forwarding settings.

2. Make sure your WAN IP is used by the ftp server in its response. The IP (x,x,x,x) inside the server response "227 Entering Passive Mode (x,x,x,x,m,n)" should be the IP address of your WAN interface.

3. Some firewalls, especially software-based firewalls, block outgoing traffic. This kind of firewall may block outgoing traffic on port 20, which is used for the ftp PORT command. If the PORT command does not work, you may have this kind of firewall and need to open port 20 for outgoing traffic in your firewall.
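
The checks in troubleshooting items 1 and 2, as an added example that is not part of the original page or of Xlight: it parses a 227 reply, computes m*256+n, and flags a reply that advertises a private address or a port outside the forwarded range. The range 60010-60030 is this page's example, the private blocks are the RFC 1918 definitions (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re

PASV_RANGE = range(60010, 60031)  # this page's example range, 60010-60030 inclusive
# RFC 1918 private blocks; an address in one of these is not a WAN IP.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if absent or malformed."""
    match = PASV_RE.search(line)
    if not match:
        return None
    nums = [int(v) for v in match.group(1).split(",")]
    if any(v > 255 for v in nums):
        return None  # each of the six fields is one byte
    ip = ipaddress.ip_address(".".join(str(v) for v in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = m*256+n


def diagnose(line, pasv_range=PASV_RANGE):
    """List the forwarding problems visible in one 227 reply."""
    parsed = parse_pasv(line)
    if parsed is None:
        return ["no valid 227 reply on this line"]
    ip, port = parsed
    problems = []
    if any(ip in net for net in PRIVATE_NETS):
        problems.append(f"advertised IP {ip} is private, not the WAN IP")
    if port not in pasv_range:
        problems.append(f"PASV port {port} is outside "
                        f"{pasv_range.start}-{pasv_range.stop - 1}")
    return problems


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "227 Entering Passive Mode (65,93,172,59,234,110)",    # port 60014, fine
    "227 Entering Passive Mode (192,168,15,110,234,110)",  # private IP advertised
    "227 Entering Passive Mode (65,93,172,59,10,20)",      # port 2580, not forwarded
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry, "->", diagnose(entry) or "OK")
```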