FTP port forward with port map

I have two servers on the inside. I need Telnet and FTP connections from the outside to each of these. I have the first set up to forward ports 20, 21, 23 and several others to server A (on 192.168.1.152).

I RDP to a laptop I leave at Grandma’s house to test this kind of thing. The internal IP address of the laptop is 192.168.28.181. The public IP address is 68.196.x.x. All works fine for Server A.

I need server B (internal IP 192.168.0.151) to provide telnet (port 23) and FTP services (20,21). Telnet works fine. I have a dst-nat that translates port 45123 to port 23 on Server B. Beautiful.

FTP is the problem. I am attempting to have incoming port 45121 port forward to server B on port 21 to provide an FTP connection. Please note - Server B doesn’t do SSH, so I can’t use SFTP.

Short question is that I want to port forward and map ports 45121 and 45120 to behave just like ports 21 and 20.

The FTP control channel (port 45121 to Server B port 21) works fine. I can log on with DOS FTP. So far, so good. But as soon as I try to do a GET or an LS, etc., it hangs. The server is attempting to open a channel back to the internal IP address of the laptop (192.168.28.121) at Grandma’s house instead of the public IP address of Grandma’s router 68.196.x.x.

So the first challenge is - how do I get the server to understand it should be shooting for the external router IP at Grandma’s house?

The second challenge may be - the data channel is shooting for port 20 (aka ‘ftp-data’ in AS400-speak). I don’t know if the router at Grandma’s will be able to understand incoming port 20 since the outbound went out on port 45121 instead of 21.

Very insecure methods of reaching other device.
What router do you use and what is the router that you are trying to reach, both MT routers?
Also, do your home and the far site router have publicly reachable IP addresses or the ability to forward a port on the ISP router to the MT router?

Thanks for that.

Understood… but it is what it is. Old as400 platform, and I need port 45121 and 45120 to behave just like 21 and 20. Or more accurately, I need 45121 to behave like 21. SFTP would have fixed the issue, but that didn’t appear on as400 until years later.

I can’t control the client end. In this case, the client end is using an Asus RT-AC53U, a pretty good router. I don’t know if the client router is configuring the connection such that the passive connection attempts to contact the Asus external IP, or if the MT is doing something different based on an incoming port 21. But when I ftp on port 21, the port 20 return connection looks for the Asus external IP. When I connect to FTP on port 45121 with port translation, it tries to connect to the internal IP address of the remote client.

I looked around, but didn’t find anything specific for port 21 on the MT that might indicate different treatment.

Bottom line is that passive FTP has always been a PITA. Unfortunately I can’t disable passive FTP on the AS400 unless it’s talking to another AS400. DOS ftp doesn’t support toggling passive FTP.

From what I’ve read about ‘ftp helper’ on MT, it sounds like the trick to getting the return port 20 connection is at the client’s end? So the Asus must be doing something different at its end when a connection is opened on port 21. So perhaps there’s nothing I can do at my end (server, MT router)? Am I correct that FTP would have to run on port 21/20 in order for a passive connection to get set up?
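
An added illustration, not part of the thread and not any router's actual code: in active-mode FTP (RFC 959) the client names its own address in a `PORT` command, and the server connects to exactly that address, so a private address survives unless a NAT helper on the path rewrites it. The model below assumes a helper that only inspects control connections on its configured ports; the function names, `203.0.113.10` (a placeholder for the elided public IP) and the ports 50000 and 40001 are constructed for the example.

```python
import ipaddress
import re

# RFC 959 active mode: "PORT h1,h2,h3,h4,p1,p2" names where the server must connect.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the laptop (192.168.28.181) listening on port 50000.
SAMPLE = "PORT 192,168,28,181,195,80\r\n"
PUBLIC_IP = "203.0.113.10"  # placeholder for the client's router, not a real value


def parse_port(line):
    """Return (IPv4Address, port) from a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Build a PORT command for the given address and TCP port."""
    return "PORT {},{},{}\r\n".format(str(ip).replace(".", ","), port >> 8, port & 0xFF)


def nat_helper(line, dst_port, helper_ports, public_ip, mapped_port):
    """Model of a client-side NAT FTP helper (hypothetical): it rewrites PORT
    only on control connections whose destination port it is configured for."""
    if parse_port(line) is None or dst_port not in helper_ports:
        return line  # forwarded untouched, private address included
    return format_port(ipaddress.IPv4Address(public_ip), mapped_port)


def server_can_reach(line):
    """True if the address the server will dial is not RFC 1918 private."""
    parsed = parse_port(line)
    return parsed is not None and not any(parsed[0] in net for net in RFC1918)
```

With the control connection on port 21 the modelled helper rewrites the command to the public address; on port 45121 the same command passes through unchanged and the server is told to dial 192.168.28.181.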