
Opening Ports on AE to allow for outside FTP access to NAS

Hi, I am having issues opening FTP ports on the Airport Extreme to reach my NAS, which is running an FTP server. I did this for years with Netgear and D-Link routers, but Apple for some reason is a big mystery. My NAS is a D-Link DNS-323. I'm trying to share some large files with my family.


Here's my FTP server screen --> http://imgur.com/dfM03Gp

Here's the AE setup pointing to the static IP of the NAS --> http://i.imgur.com/kj4vnhy.png

Here's the confirmation that the FTP server works fine on the local network --> http://i.imgur.com/qDc29Pb.png


When I hit the FTP server through my outside IP, nothing resolves.


Any help appreciated. Thanks!

AirPort Extreme 802.11n (5th Gen), Windows 8

Posted on Jun 22, 2013 7:02 PM

43 replies

Oct 22, 2013 8:22 PM in response to aceJacek

Thanks for clarifying. I ended up getting a different non-Apple router - because I needed FTP port forwarding to work and did not have time to file a bug report or contact Apple. The AEX-AC works fine in bridge mode. The port 21 forwarding issue does seem like a fundamental FAIL - and somehow got past QA testing. No issues with port 21 on the other router. Hopefully Apple will fix this soon.


~Scott

Dec 31, 2013 6:00 PM in response to maxvalerie

I dealt with this same issue and here's what is going on. You're using Passive Ports that the airport extreme will support if it's configured correctly. So this isn't a "bug" it's a configuration issue.


The issue at hand is that some routers "need" to "see" the FTP activity, and if the data is encrypted using SSH, then the router blocks the encrypted traffic because it can't "see" that it's FTP traffic that should be allowed due to a request--Apple is one such router due to security--which is a good thing.


According to your logs your FTP server is told that the passive ports are between 55536 and 55663 (no surprises here I'm sure). The server will send out a response to the client showing an IP address (your outside ip address should be here) and a port number that will be in the range defined (but not always the same one for each file/session, and a minimum of 50 ports should be given to the server--more if a lot of files are being transferred at one time).


example: in a log file you may see "(84,246,34,80,206,88)" which is IP address: 84.246.34.80 (obvious) port number 52824 (which is found using this equation: 206*256=52736 +88=52824) (only with your outside IP address and port number within the range specified by the server).


Ah HA! We've found the problem! So in the router you'll need to open these passive ports for the encrypted traffic (again, no surprise), because data traffic and the session traffic take place on separate ports and protocols (session traffic is login information, etc. on the standard FTP port of 21, and standard FTP+SSH port 990). SFTP and FTPS are two separate protocols, and need to be understood as such. Simply stated, one protocol allows the router to "see" that the encrypted traffic is FTP and allowed, the other doesn't--so we just need to allow for the "un-seen" traffic.


Well, now what?



The fix:

1) Under the Network tab of the Airport Utility there's a section titled "port settings."

2) Click the "+" button to add a setting, either select "FTP access" from the dropdown, or add it.

3) Under both "Private TCP ports" and "Public TCP Ports" put in 21 (standard FTP Port). Under Private IP address type the IP address of the destination computer (FTP server). *Note: setting a static IP address on the FTP server is strongly suggested*

*note: You do NOT need to allow UDP ports, this may cause a larger security risk.*

4) Repeat step 3 and allow port 990 (standard SSH port).

5) Repeat step 3 one last time and under the TCP ports fill in the range of the passive ports: i.e. "60000-65000" just like that, only with your ports specified by the FTP server. No spaces, no other characters.

6) Apply the settings to the router, and allow it to reset.

7) Test the connection again and report findings.


Both SFTP and FTPS are accepted, and "good" protocols. My opinion is that the FTPS is "better" since even the router can't tell that it's FTP, and to me, that's good because neither is a hacker. Others may say that the former is "the best" but to each his own.


I hope this helps you out, even though it's been a while.


I did write this as basic as I could for the "average" user, so forgive me if it's too basic.


Cheers!

Jan 15, 2014 9:15 AM in response to jrnolan

Hi jrnolan


I've followed your instructions to map 21, 990, 55536-56559 (Passive FTP ports, in my case, QNAP 219P) but still no good news. FileZilla will stop at


Status:Resolving address of xxx.example.com
Status:Connecting to 1.XX.XXX.223:21...
Status:Connection established, waiting for welcome message...


And then connection timed out


Sadly I'll have to return the AP Extreme...

Jan 29, 2014 3:34 AM in response to richardstudio

In my NAS I defined the FTP port as 2121.

In AE port forwarding:

Public TCP Port: 21

Private TCP Port: 2121

Private IP Address: IP NAS.


This gives following output in Filezilla.




Status:Resolving address of xxxxx.dyndns.com
Status:Connecting to 81.xx.xx.xxx:21...
Status:Connection established, waiting for welcome message...
Response:220 xxxxxx FTP server ready.
Command:USER xxx
Response:331 Password required for xxx.
Command:PASS *******
Response:230 User xxx logged in.
Command:SYST
Response:215 UNIX Type: L8
Command:FEAT
Response:211- Extensions supported:
Response: AUTH TLS
Response: PBSZ
Response: PROT
Response: SIZE
Response: MDTM
Response: MFMT
Response: REST STREAM
Response:211 End.
Status:Server does not support non-ASCII characters.
Status:Connected
Status:Retrieving directory listing...
Command:PWD
Response:257 "/" is current directory.
Command:TYPE I
Response:200 Type set to I.
Command:PASV
Response:227 Entering Passive Mode (xx,xx,xx,xxx,216,246)
Command:LIST
Error:Connection timed out
Error:Failed to retrieve directory listing

Sep 17, 2014 7:45 AM in response to maxvalerie

I hope someone is still monitoring this discussion.


I just bought an Airport Extreme (had to; thunderstorm blew out TC) firmware 7.7.3 - Mac OS X 10.9.4


I can't connect FTP using Filezilla, CyberDuck, and tried a couple others suggested. The FTP connection requires active connection. I've tried all the suggestions here and elsewhere, including ignoring a double NAT error.


Can't revert my firmware.


Are there any new suggestions?

Sep 17, 2014 8:16 PM in response to SuKay

As of a week ago - this problem with port 21 still exists. This problem is specifically on the new Airport Extreme 802.11AC (and probably the new Time Capsule 802.11AC as well). It has been reported as a bug to Apple and the only response has been that it is a duplicate bug - indicating that they are aware of the issue - but apparently have not addressed it yet. With the 802.11AC - there isn't a firmware version to "revert" to - as the problem exists with the original firmware for that device. I too have tried all of the suggestions here - and the only usable workaround that I found was to change the internal LAN port of my FTP server to something other than 21 - and I believe that solved the issue for the short time period where I was using the Airport Extreme AC as a router. I'm no longer using it as a router - and use it as a secondary access point as well as another network backup device (seems to work fine for those two purposes). Depending on what your FTP Server documentation indicates as allowed ports for FTP - set the FTP server to one of the alternate ports - and forward port 21 on the Airport Extreme AC - to the alternate port and IP address of your FTP server. This should work fine for external FTP requests (which by default will use port 21) - however - your internal FTP clients will need to be able to override to the alternate port for internal FTP requests. Most FTP clients can override the port - however - Windows FTP (built in) - does not seem to provide an easy way to use a port other than 21. Hope this helps.


~Scott

Sep 24, 2014 3:52 AM in response to SBeattie2

Thank you, Scott.


I may be in the wrong discussion. I'm trying to access an outside server, thus I have no control over the port used. I've checked with the host and he's able to log-in with my FTP information. My ISP says they have no restrictions on outbound connections.


MacHeavyD said he "Enabled SFTP on the NAS." I don't know how to do that. Am willing to try, if someone can point me to the instructions.


My ISP suggested port forwarding, but I can't find clear instructions to do that with my AE.


I know someone who works in the Apple Call Center. He looked at my situation and mumbled reluctantly that it might, maybe be a problem with the firmware.


I had to use wireless service at a hotel this past weekend to upload some needed files. Sheeee.


Thank you for all the help. This network novice appreciates it greatly.

Sep 28, 2014 1:29 PM in response to SuKay

It sounds like your issue is the inability to connect to an outside FTP server via an FTP client program (FileZilla, CyberDuck, etc) - from behind your router at home. You aren't running your own FTP server on your LAN and you aren't trying to access anything on your LAN from outside via the internet. Is this correct?

You were able to successfully access the external FTP server (via FileZilla, etc) in the past when your Time Capsule was set up as your home router? However - the TimeCapsule was blown out by a thunderstorm - and you replaced your Time Capsule with the new Airport Extreme 802.11AC router (so there is no more Time Capsule)? Is this part correct?


There are many different ways to connect to an FTP Server (non-secure, secure, active or passive). Depending on how you are trying to connect is going to determine what type of troubleshooting steps you will need to follow. This particular thread is dealing with problems associated with remotely accessing a home/office FTP server that is behind an Apple Airport Router (Time Capsule, Airport Extreme) - however more specifically the Airport Extreme/TimeCapsule 802.11AC. Your problem is not this particular problem - but some of the information in this thread may be related.


Can you indicate what type of connection you are trying to establish with FileZilla?

Basic FTP session (non-secure).

SFTP (SSH File Transfer Protocol) - (secure)

FTPS (FTP over SSL/TLS) - (secure)


In order for any of these to work correctly there is a dependency on the UPnP protocol opening the needed ports. Part of the issue here is that Airport routers don't support (or don't directly support) UPnP (Universal Plug and Play) and rather they use NAT-PMP (NAT Port Mapping Protocol). It seems the Time Capsule (generation 3) had some ability to support UPnP - and thus basic FTP appeared to work in the past. If you are now trying to transfer files securely - that adds a lot of new parameters to the troubleshooting mix - and this would be the case whether the router is an Apple router - or another router. Secure FTP can be problematic.


I know this does not solve your problem at hand - but if you could provide more details on exactly what you are trying to do and how - then maybe somebody here can point you in the right direction.


~Scott

Sep 28, 2014 1:55 PM in response to SuKay

Even though your ISP is claiming not to be blocking outbound ports - they are probably blocking some of your inbound ports and the rest of the inbound ports are being blocked by your router. For the different types of FTP - specific inbound ports need to either be opened dynamically (via UPnP or NAT-PMP) - or they need to be explicitly opened (on your router - via port forwarding). There are added security risks with explicitly opening inbound ports (beyond the scope of this thread).


Can you also clarify if this problem is happening everywhere - or just when you are on your home network behind your Airport Extreme router? You mentioned something about transferring files from a hotel - but you did not indicate whether that worked successfully.
