FTP server running on Port 2000 over NAT not working on Passive Mode

百般思念 submitted on 2020-01-11 07:45:10

Question


I am running a FileZilla FTP server on Windows on one of the LAN PCs connected to my router. I am trying to access the FTP server from the network outside of the router using the router's WAN IP (WAN-to-LAN) by adding a port-forwarding rule (NAT) in the router. I have 2 cases here as per the configurations below. The 1st is working and the 2nd is not (in Passive mode).

Note: I have added the custom inbound rule in the Windows 7 firewall where the FTP server is running.

Configuration #1

Filezilla FTP server port: 21
Passive port range: 50000-51000

NAT - external port: 21
NAT - internal port: 21

Windows firewall inbound rule, allowed ports: 21, 50000-51000

Client connecting to: <Wan IP>:21

This works when the client connects using Active/Passive mode.

Configuration #2

Filezilla FTP server port: 2000
Passive port range: 50000-51000

NAT - external port: 21
NAT - internal port: 2000

Windows firewall inbound rule, allowed ports: 2000, 50000-51000

Client connecting to: <Wan IP>:21

This works only if the client is set to Active mode. It does not work when the client is configured for Passive mode. The client can connect and the login is successful, but it ends with an error message like this on the server side, without any directory listing:

227 Entering Passive Mode (192,168,1,2,195,85)

Note: both cases work in the LAN-LAN network.


Answer 1:


My guess is that configuration #1 works only because the NAT is smart enough to translate the IP address in the PASV response from the server. But it likely does that only for the standard FTP port.


You should tell the FileZilla FTP server its external IP address. Go to Edit > Settings > Passive mode settings > IPv4 specific > External Server IP Address for passive mode transfers.

Currently your FTP server is sending its internal IP address to the client. And the client obviously cannot connect to the IP address.

And have the NAT forward the ports in the passive port range (50000-51000).


Though the change will break the LAN-LAN connections. To allow both LAN and WAN connections, check if the NAT can be configured to translate the IP address for the non-standard ports too. Though the translation will work for unencrypted connections only anyway. And you should not use unencrypted connections!

The last option is to use the extended passive mode (EPSV), if your clients allow that. In the extended passive mode, there's no IP address in the response. The FTP client uses the primary IP address of the FTP server for data connections.



Source: https://stackoverflow.com/questions/42503260/ftp-server-running-on-port-2000-over-nat-not-working-on-passive-mode
