Verizon DSL and FTP/SSH issues

Can somebody competent finally suggest something here? (The web is full of unresolved complaints about this.)

PROBLEM

iMac, Leopard - FTP server activated, firewall completely disabled. No problem connecting to it from another machine on the same network using the local network IP address (as listed in the Apple Sharing panel: "Other people can access your FTP server at ftp://192.168.1.x").

The problem is connecting to the server from OUTSIDE the local network (that is, on the IP assigned to my machine by the Verizon DSL modem/router combo), as this always fails with the message: "Connection refused".

It is not clear to me what is refusing connection, the router, the mac itself or just the ftp server.

I set up port forwarding on the router (ports 20,21) per widely circulating instructions but that makes no difference whatsoever to my ability to connect to that server.

The situation is really confusing because a simple web check (http://www.canyouseeme.org/) shows them open and fully accessible, but on the other hand, when I do a port scan in Network Utility on my Mac, I see them open only under the local IP; the external IP shows only 6 ports (telnet, http, http-alt, etc.) open, and port forwarding on the modem makes no difference to what Network Utility reports as open on the wide IP *.

I know that forwarding works on this Verizon modem from the fact that I was able to get my BitTorrent client to work correctly (NAT problem) once I opened its port on the router. So I'm tempted to conclude that it is something on the Mac that refuses. But what? The firewall (shouldn't be - it's disabled)? The FTP server (unlikely, since the 3rd-party server "Pure FTPd Manager" shows exactly the same behaviour)?

So who? And what to do?

Apple?

Mac OS X (10.4.7)

Posted on Oct 7, 2008 6:03 AM

16 replies

Oct 7, 2008 12:27 PM in response to Big Burro

The problem is connecting to the server from OUTSIDE the local network (that is on the IP assigned to my machine by Verizon DSL modem/router combo) as this always fails with message: "Connection refused"


This will never, ever, ever work.

From what you've said, the IP address assigned to your machine is a private-class address (192.168.1.x). No one will ever be able to get to your machine using this address from outside your network. That address, by definition, is private to your LAN.

Remote users have to connect to your PUBLIC IP address (the one assigned to the router's WAN interface). From there the router uses port forwarding to relay the connection to your machine.

That doesn't absolve the issue of getting FTP through NAT/Firewall devices (it's a PITA), or the possibility that Verizon are blocking FTP (they don't want you running a server on their network), but it is the first thing to check.

Also bear in mind that FTP is a bear. It's insecure, it's hard to maintain with NAT and firewalls (thanks to its multiple port model), and it's insecure (yes, I know I said that twice).
For most purposes I recommend using some other protocol whenever possible.

Oct 8, 2008 6:51 PM in response to Camelot

I'm fully aware FTP is risky, but if I cannot log in to my server using my external IP there is no way I will be able to use anything else. That is, if FTP is impossible, so is SSH. So your suggestion is correct but useless.

I'm aware of other services (tunneling via LogMeIn) but they are very spottily supported on Macs and other devices. So it's either SSH or FTP, old reliable, but with no access externally that's useless.

--------------

PS Camelot - when I was talking about the router-assigned IP I was not talking about the internal IP but the external one that the router gets from the Verizon server to identify my network on the www.

Oct 8, 2008 7:24 PM in response to Big Burro

Are you able to ssh or not? It is clear to me from your posts that ftp is not working for you. It is not clear to me whether ssh is working for you or not. If possible, I would recommend that you port forward ssh (and only ssh) through your home router to the computer of interest, turn on remote login in System Prefs on the computer of interest for the ssh, as well as any other desired services that you would want tunneled through ssh, e.g., vnc and afp. But not ftp. Forget about ftp.

That's how I do business. I tunnel vnc and afp and even imap and smtp (I'm running my own small 5-user mail server, too) through ssh. If you have port forwarded your ssh port to your computer, and connect to your external WAN public IP address (or better yet, get something like dyndns so you can get a free host name and no matter what your ISP changes your public IPA to, you'll always be able to find your home network). Plus with ssh, you can use "scp" just like "cp" for long-distance file copy, or "sftp" just like ftp, except for the both of them it's all encrypted. You can also do additional hardening of your ssh. I would not be running, or even trying to run, plain old ftp.

Oct 8, 2008 8:42 PM in response to j.v.

Yes and no.

Yes, but only locally; that is, the following works (run on the Mac 192.168.1.64 which is running the server):

iMac:~ jmg$ ssh jmg@192.168.1.64
Password:
iMac:~ jmg$ exit

but not externally (71.111.61.141 is my external IP):

iMac:~ jmg$ ssh jmg@71.111.61.141
ssh: connect to host 71.111.61.141 port 22: Connection refused

Port 22 is open (forwarded to 192.168.1.64) on my Verizon DSL modem/router, as seen on the "open port" web site:

Success: I can see your service on 71.111.61.141 on port (22)
Your ISP is not blocking port 22

On the other hand Network Utility does not list 22 as open on 71.111.61.141.

What gives?
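The distinction the post is chasing ("who is refusing?") can be made from the client side alone, because the three outcomes of a TCP connect are produced by different things: an accepted handshake, an active refusal (a RST sent back by whatever host owns the destination IP), or silence (a firewall or ISP dropping the SYN, which shows up as a timeout). The script below is an added example, not code from the thread; it classifies a connect attempt and, for the test, probes a throwaway listener and a closed port on loopback rather than anything on the network. The hostnames and ports are placeholders you substitute yourself.

```python
"""Classify the outcome of a TCP connect attempt (added example).

'refused' means some host at that IP answered with a RST: nothing is
listening on that port there. When the target is a NAT router's public
address and the packet arrived on the router's LAN side, the router
itself is that host, since port forwarding only applies to traffic that
enters on the WAN interface. 'filtered' means nobody answered at all.
"""
import errno
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'error:<errno name>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # SYN sent, nothing came back
        return "filtered"
    except ConnectionRefusedError:  # a RST came back from the address
        return "refused"
    except OSError as e:            # route missing, network down, ...
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def explain(result):
    """Map a probe result to the component that most likely produced it."""
    return {
        "open": "something accepted the handshake on that address/port",
        "refused": "a host owning that IP answered with RST: nothing listens there "
                   "(for a router's public address reached from its own LAN, "
                   "that host is the router, not the forwarded server)",
        "filtered": "no answer at all: a firewall or the ISP is dropping the SYN",
    }.get(result, "unexpected socket error: " + result)


def _start_listener():
    """Test fixture: start a throwaway listener on loopback, return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def _free_port():
    """Test fixture: find a loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe a live listener and a closed port on loopback; return both verdicts."""
    results = {
        "listener": probe_tcp("127.0.0.1", _start_listener()),
        "closed": probe_tcp("127.0.0.1", _free_port()),
    }
    for name, r in results.items():
        print(f"{name}: {r} -> {explain(r)}")
    return results


if __name__ == "__main__":
    demo()
    # Against a real target you would call e.g. probe_tcp("71.111.61.141", 22)
    # once from inside the LAN and once from outside, and compare the verdicts.
```

Run it once from a machine on the home LAN and once from elsewhere against the same public address: "refused" from inside but "open" from outside is the signature of a router without NAT loopback, while "filtered" from outside points at the ISP or the router's WAN-side firewall.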

Oct 9, 2008 11:32 AM in response to Big Burro

PS Camelot - when I was talking about router assigned IP I was not talking about internal IP but external that the router gets from verizon server to identify my network on the www.


OK, that wasn't clear from your post.

Assuming you are:

a) trying to connect to the public IP held on the WAN interface of the router,
b) have setup port forwarding on the router to forward (at least) ports 20 and 21 to your server, and
c) have an FTP server running on the server

you should be able to connect (whether or not you'll get successful transfers is a different issue).

If you can't connect then the problem is likely to be Verizon blocking incoming FTP traffic since it violates their acceptable use policy. Not much you can do about that one other than ask them to unblock.

Oct 9, 2008 12:33 PM in response to Camelot

All the assumptions listed above are correct, as I explained a number of times. And still no go.

Not sure about Verizon; they claim that they don't block anything (just called them). Assuming they can be trusted, which I think in this case they can be (the open-port check from outside tests OK), the problem must be on OS X. But where?

------------
PS Just got an idea: I will run a server in Vista under Boot Camp to test the above hypothesis. Will update.

Oct 9, 2008 9:28 PM in response to Big Burro

An experiment for you to try: on your "ssh server" computer, from an admin-privileged account, launch Terminal.app and type:

sudo tcpdump -i en1 dst port 22 >> ~/Desktop/trafficlog.txt

This will log all traffic on the network addressed to port 22 of any destination IP address, be it on your LAN or from your LAN to elsewhere, that it sees on the interface. en0 is the Ethernet port interface; usually en1 is the wireless 802.11 interface. There are some exceptions: computers with two Ethernet ports, such as Mac Pros, will have en0 and en1, and the wireless is en2.

Leave Terminal.app open and running. Leave the admin-privileged account logged in; if you don't already have it enabled, enable fast user switching so you can go back to the login window but leave the admin account logged in in the background with applications running. Now go to work or go to some wifi hot spot and try to ssh into your home computer. When you come home, log back in to the "backgrounded" admin-privileged account, type a control-C in the terminal window to stop the tcpdump, and open the text file on your Desktop. See if any port 22 traffic made it through your router onto your home LAN.

I guess I'd check this first when sshing from a computer at home on your home (W)LAN, to make sure it works. You can ssh from a computer on your home LAN; you log tcpdump traffic going to port 22 of the ssh server computer. When you know that's working, then this will help you decide whether the VZW modem/router is blocking the traffic or not.

Next steps? Depends whether the port 22 traffic is making it through the modem/router onto your LAN or not.

Oct 10, 2008 12:06 AM in response to j.v.

I'm unable to make much out of any of this, so I hope j.v. you will be kind enough to comment further.
---------------
config: Verizon wireless DSL router/modem.

WAN
ip #71.111.61.141

LAN
192.168.1.64 iMac (wired) running ssh "server"
192.168.1.66 N800 internet tablet (on WiFi locally, same router)
192.168.1.68 SIP hardware Linksys (wired)

router forwards 22 to iMac 192.168.1.64 (open from WAN per http://www.canyouseeme.org/)

-------
tcpdump output per j.v.'s test
-------
on successful local IP from iMac
"ssh jmg@192.168.1.64"
nothing dumped
-------
on unsuccessful from iMac on external IP "connection refused"
"ssh jmg@71.111.61.141"
23:48:45.886050 IP 192.168.1.64.63815 > pool-71-111-61-141.ptldor.dsl-w.verizon.net.ssh: S 2691185684:2691185684(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 612547688 0,sackOK,eol>
-------
on successful local IP from N800
"ssh jmg@192.168.1.64"

1 IP 192.168.1.66.56022 > 192.168.1.64.ssh: P 2200:2232(32) ack 2526 win 2636 <nop,nop,timestamp 4936734 612549301>
23:51:27.268487 IP 192.168.1.66.56022 > 192.168.1.64.ssh: F 2232:2232(0) ack 2526 win 2636 <nop,nop,timestamp 4936735 612549301>
23:51:27.271439 IP 192.168.1.66.56022 > 192.168.1.64.ssh: . ack 2527 win 2636 <nop,nop,timestamp 4936735 612549301>
23:57:56.551019 IP 192.168.1.66.61798 > 192.168.1.64.ssh: S 774661275:774661275(0) win 5840 <mss 1460,sackOK,timestamp 4986560 0,nop,wscale 2>
and so on
-----------
on unsuccessful from n800 on external IP "connection refused"
"ssh jmg@71.111.61.141"

1 IP 192.168.1.66.56022 > 192.168.1.64.ssh: P 2200:2232(32) ack 2526 win 2636 <nop,nop,timestamp 4936734 612549301>
23:51:27.268487 IP 192.168.1.66.56022 > 192.168.1.64.ssh: F 2232:2232(0) ack 2526 win 2636 <nop,nop,timestamp 4936735 612549301>
23:51:27.271439 IP 192.168.1.66.56022 > 192.168.1.64.ssh: . ack 2527 win 2636 <nop,nop,timestamp 4936735 612549301>
-------------------
Will test "real external" connection (meaning from something not sitting on the same router) tomorrow and will post.

Oct 10, 2008 12:32 AM in response to Big Burro

Correction: I tested the last scenario again and got nothing in the dump.
My bad (I mixed up some dumps).
-----
on unsuccessful from n800 on external IP "connection refused"
"ssh jmg@71.111.61.141"
nothing in the dump.
---------
So that would suggest that port 22 traffic from other devices does not go through, so:
a) is Verizon lying?
b) do I need to open port 22 on my router to the N800 too (impossible as far as I can tell; any one port can only be forwarded to one device)?
c) is http://www.canyouseeme.org/ lying to me that port 22 is open? Why?
----
Will test external WiFi later today.
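The dumps above are hard to read by eye, and the capture filter j.v. suggested (`dst port 22`) only records packets going toward port 22, so any RST or SYN-ACK coming back from port 22 is never in the file; a flow that shows nothing but a SYN therefore tells you only that the SYN left this interface, not what answered it. The script below is an added example, not code from the thread: it parses the old-style tcpdump lines posted above, groups them by flow, and flags a SYN-only flow from a private address to a public one as the "public address from inside the LAN" case. The sample text is the thread's own lines, including the one with the truncated timestamp, which the parser reports as skipped rather than guessing at.

```python
"""Summarise tcpdump 'dst port 22' output by TCP flow (added example).

Parses the old tcpdump text format seen in the thread:
  HH:MM:SS.usec IP SRC.PORT > DST.PORT: FLAGS ...
and groups the packets by (src, dst) so each flow's flags can be judged.
"""
import ipaddress
import re
from collections import defaultdict

# Lines as posted in the thread (capture filter "dst port 22"); the first
# one has its timestamp cut off exactly as it appeared.
SAMPLE_DUMP = """\
1 IP 192.168.1.66.56022 > 192.168.1.64.ssh: P 2200:2232(32) ack 2526 win 2636 <nop,nop,timestamp 4936734 612549301>
23:48:45.886050 IP 192.168.1.64.63815 > pool-71-111-61-141.ptldor.dsl-w.verizon.net.ssh: S 2691185684:2691185684(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 612547688 0,sackOK,eol>
23:51:27.268487 IP 192.168.1.66.56022 > 192.168.1.64.ssh: F 2232:2232(0) ack 2526 win 2636 <nop,nop,timestamp 4936735 612549301>
23:51:27.271439 IP 192.168.1.66.56022 > 192.168.1.64.ssh: . ack 2527 win 2636 <nop,nop,timestamp 4936735 612549301>
23:57:56.551019 IP 192.168.1.66.61798 > 192.168.1.64.ssh: S 774661275:774661275(0) win 5840 <mss 1460,sackOK,timestamp 4986560 0,nop,wscale 2>
"""

# Timestamp, "IP", src, ">", dst, ":", then the TCP flag letters ('.' = ACK only).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)\s"
)


def split_endpoint(ep):
    """'192.168.1.64.ssh' -> ('192.168.1.64', 'ssh'); last dot separates the port."""
    host, _, port = ep.rpartition(".")
    return host, port


def kind(host):
    """Classify a host as LAN (RFC 1918), public, or a reverse-resolved name."""
    try:
        return "LAN" if ipaddress.ip_address(host).is_private else "public"
    except ValueError:
        return "public (reverse-resolved name)"


def parse(dump_text):
    """Return ({(src, dst): set(flags)}, [unparsable lines])."""
    flows = defaultdict(set)
    skipped = []
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                skipped.append(line)
            continue
        flows[(m["src"], m["dst"])].add(m["flags"])
    return flows, skipped


def verdict(src, dst, flags):
    """Explain what a flow's flag set does and does not prove under this filter."""
    shost, _ = split_endpoint(src)
    dhost, _ = split_endpoint(dst)
    if flags == {"S"}:
        if kind(shost) == "LAN" and kind(dhost) != "LAN":
            return ("SYN only: a LAN host tried the public address from inside; the device "
                    "owning that address (the router) answers, not the forwarded server, "
                    "unless the router does NAT loopback. Replies are not in a "
                    "'dst port 22' capture; use 'port 22' to see them")
        return "SYN only: no further packets toward port 22 seen for this flow"
    return "established session: data/FIN/ACK segments toward port 22 seen"


def summarize(dump_text):
    """One row per flow plus the list of lines that could not be parsed."""
    flows, skipped = parse(dump_text)
    rows = []
    for (src, dst), flags in sorted(flows.items()):
        rows.append({
            "src": src,
            "dst": dst,
            "dst_kind": kind(split_endpoint(dst)[0]),
            "flags": flags,
            "verdict": verdict(src, dst, flags),
        })
    return rows, skipped


if __name__ == "__main__":
    rows, skipped = summarize(SAMPLE_DUMP)
    for r in rows:
        print(f"{r['src']} -> {r['dst']} [{r['dst_kind']}] flags={sorted(r['flags'])}")
        print("   ", r["verdict"])
    print(f"{len(skipped)} line(s) skipped as unparsable")
```

Feed it the trafficlog.txt from j.v.'s experiment; the flow whose destination is the reverse-resolved Verizon name with nothing but an S is the iMac's own attempt at its public address, and the lack of any flow at all from a remote source is what you would see if the router or ISP dropped the traffic before it reached the LAN.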

Oct 10, 2008 12:51 AM in response to Big Burro

Tried an external ssh connection (my neighbor left his wifi open so I simply switched my Nokia tablet to his network) and it WORKS.

So it looks like I simply tested that server connection in a situation that is not supposed to work (attempting to access ssh/ftp from local network on network's WAN IP).

My bad.

Many thanks to j.v. for extremely useful handholding.
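The resolution above comes down to which address is valid from which vantage point: the LAN address works only from inside, the public address works from outside when the port is forwarded, and the public address from inside works only if the router does NAT loopback (hairpinning), which this Verizon unit evidently does not. The function below is an added example, not from the thread, that encodes that decision so a script can pick the right address before connecting; the /24 netmask for the home LAN and the neighbour's 10.0.0.x addressing are constructed assumptions, while the iMac, N800 and public addresses are the ones posted in the thread.

```python
"""Pick the right address for a home server from a given vantage point
(added example, not from the thread)."""
import ipaddress

# Addresses posted in the thread; the /24 prefix is an assumption.
SERVER_LAN_IP = "192.168.1.64"
SERVER_PUBLIC_IP = "71.111.61.141"
HOME_PREFIXLEN = 24


def on_same_lan(client_ip, client_prefixlen, server_lan_ip=SERVER_LAN_IP):
    """True when the client's subnet contains the server's private address."""
    net = ipaddress.ip_network(f"{client_ip}/{client_prefixlen}", strict=False)
    return ipaddress.ip_address(server_lan_ip) in net


def classify(client_ip, client_prefixlen, target_ip,
             server_lan_ip=SERVER_LAN_IP, server_public_ip=SERVER_PUBLIC_IP):
    """Return (status, reason) for connecting to target_ip from this client."""
    inside = on_same_lan(client_ip, client_prefixlen, server_lan_ip)
    target = ipaddress.ip_address(target_ip)
    if target == ipaddress.ip_address(server_lan_ip):
        if inside:
            return "ok", "LAN address from inside: delivered directly, router not involved"
        return "unreachable", "private address is not routable from outside; use the public address"
    if target == ipaddress.ip_address(server_public_ip):
        if inside:
            return ("hairpin", "public address from inside the LAN: needs NAT loopback on the "
                               "router; without it the router itself answers (Connection refused)")
        return "ok", "public address from outside: works if the router forwards the port"
    return "unknown", "target is neither the server's LAN nor its public address"


def recommended_target(client_ip, client_prefixlen,
                       server_lan_ip=SERVER_LAN_IP, server_public_ip=SERVER_PUBLIC_IP):
    """Address a client should use: LAN address at home, public address elsewhere."""
    if on_same_lan(client_ip, client_prefixlen, server_lan_ip):
        return server_lan_ip
    return server_public_ip


if __name__ == "__main__":
    # The three experiments from the thread plus the constructed neighbour case.
    cases = [
        ("iMac to itself via LAN IP", "192.168.1.64", HOME_PREFIXLEN, SERVER_LAN_IP),
        ("iMac to public IP from inside", "192.168.1.64", HOME_PREFIXLEN, SERVER_PUBLIC_IP),
        ("N800 on home wifi to public IP", "192.168.1.66", HOME_PREFIXLEN, SERVER_PUBLIC_IP),
        ("N800 on neighbour's wifi (10.0.0.5/24, constructed)", "10.0.0.5", 24, SERVER_PUBLIC_IP),
    ]
    for label, cip, plen, tgt in cases:
        status, reason = classify(cip, plen, tgt)
        print(f"{label}: {status} - {reason}")
        print(f"   recommended target: {recommended_target(cip, plen)}")
```

The practical consequence is the one j.v. hinted at with dyndns: a hostname that resolves to the public address is fine from the road, but a client at home should resolve the same name to the LAN address (a local hosts entry or split DNS) unless the router is known to hairpin.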
