Opening Ports on AE to allow for outside FTP access to NAS

Thank you, Scott. You have assessed my situation very well.

MY FTP connection is basic, non-secured. It is an active connection.

My Time Capsule was an older model, purchased late 2008. I had no problem with any of my FTP connections with it.

THank you for your help.

Ok - this should be easier to troubleshoot - because it is a basic (non-secure) FTP connection. Unfortunately - at the moment - my Airport Extreme 802-11AC is not set up as my router. When I did have it set up as a router - I was only trying to FTP into my own FTP server from outside of my network - and that is where the port forwarding issue surfaced. I never actually tried FTPing out to an external FTP server from behind the Airport Extreme - so I can't say whether that worked or not. I will get back to you later with a couple of things to try - as I am experimenting myself.

In the meantime - you said your Airport Extreme is "new". If it is less than 1 year old - you should be able to get help from Apple - (even better if it is less than 90 days old) - just go to apple.com/support and open a case. Also if you have a Mac that is still covered under an active Apple Care agreement - that active agreement also covers any "Airport" device - even if the Airport device is out of warranty. Most people are unaware that Airport devices are covered automatically by any active Apple Care agreement.

Also if you look at this link below (which isn't a solution to your problem) - it might help to gain a better understanding of how FTP works and what is going on with the ports and why FTP can be so problematic behind a NAT firewall or NAT Gateway.

http://slacksite.com/other/ftp.html

If found the above link to be very helpful.

~Scott

Thank you again, Scott

i unofficial lay talked to someone who works in the Apple call center. He sheepishly admitted that maybe the AE is the problem -- not just mine but the product itself. He explained the problem, which it don't remember all of the details, and it sounds like I will need to buy another brand.

I contacted my ISP since I wondered if the problem was in the modem. They are to set up port forward to port 21 remotely and then I might be able to port forward the AE.

In the meantime, I will open a support ticket. Ive only had it two weeks.

I appreciate your help.

Sounds like some progress is being made. I seriously doubt that your ISP is blocking any of the ports pertaining to FTP - otherwise they would have many unhappy customers.

I suspect that you will find that the problem is going to boil down to a "flaw" in the Airport Extreme 802.11AC (hopefully the firmware and not the hardware) - and maybe they will come up with a fix. I'm now very curious and may consider temporarily using the 802.11AC in router mode to perform some additional tests.

One thing that I can tell you for sure is that when I previously had the 802.11AC setup as a router - even with no port forwarding enabled in the Airport Extreme - an external port scan of my WAN IP - revealed that port 21 was in-fact open - along with a few other ports. In Googling this - apparently some specific ports are open to the router itself - supposedly for remote diagnostics. It appears that there may be a conflict with Apple's device-specific use of port 21 (strange that they would pick that port) and the device's ability to detect actual FTP traffic on port 21. The same set of ports were showing when I set up my Generation 3 Time Capsule - but FTP worked more or less "fine" with the Gen 3 Time Capsule as a router - with an occasional hiccup. I am wondering if the Gen 3 Time Capsule is somehow able to discern legitimate FTP traffic vs diagnostic request - and the new 802.11AC is not - possibly because it doesn't implement that functionality correctly.

Anyway - make sure that your Airport Extreme is the only router - and that you modem is acting just a modem and not a combo modem-router - as that would cause a double-NAT scenario. Your Airport Extreme will tell you if you have a double-NAT situation.

Additionally - make sure that you don't have any USB drives currently attached to the USB port of the Airport Extreme - as that may complicate trouble shooting.

You should have somebody do an external port scan of your WAN ip to see what ports appear to be open - that may help in the troubleshooting. If you need somebody to do the port scan - send me an email with your WAN ip and I will do the scan and send you the results. You can get my email by clicking on my profile.

Good luck and please be sure to report back what you hear from Apple.

~Scott

Here is a quick test to factor your ISP out the equation. Disconnect your Airport Extreme from the modem. Power down the modem. Power down your computer/laptop. Plug an ethernet cable directly between the ethernet port on the modem and the ethernet port on your computer. Turn on the modem and let it complete its boot up process. Turn on your computer. It should pull an IP address. Make sure you can successfully access a known website from a browser. If you appear to have internet connectivity - attempt to run your FTP client software (or even command-line FTP) from your computer. If it works - the problem is not the ISP - it is definitely the Airport Extreme. If it fails - you need to get this basic scenario working (between you and the ISP) before contacting Apple for support on the Airport Extreme.

~Scott

That was one of the first things I wanted to do when I hooked in the AE. However, I have a newer MacBook Pro, which has no ethernet port and I don't have an adapter.

Just today I realized that I could connect my husband's older MacBook directly to the modem. I got the exact same response from the server.

So, it looks like modem is at least part of the equation.

Susan

HI Susan,

WIth your husband's MacBook Pro connected directly to modem - open a terminal window and attempt to connect to your external FTP via command line ftp - in in debug mode - both active and passive. Assuming for this example that your ftp host name is ftpserver.somedomain.com (substitute your actual ftp host name or IP address where you see the assumed name in the commands below.

for active ftp attempt: Note: $ is the terminal prompt

$ ftp -Ad ftpserver.somedomain.com

Note: in above command the "A" requests active mode and "d" requests debug mode.

For for passive ftp attempt:

$ ftp -pd ftpserver.somedomain.com

Note: the "p" is for passive mode - and it's a lowercase p.

Regardless of active or passive - debug mode will spew a lot of extra information about server commands being issued as well as ports being used.

All you really need to do to test the connection is type dir or ls at the FTP prompt. For example:

FTP> dir

or

FTP> ls

If it can list the directory - it's working. If it cannot - then there should be some indictation of the error in the debug output.

What you want to look for in the output is whether the active mode is failing and stepping back to retry as passive - or whether there is a problem with both.

If you can capture output and paste here - we can possibly tell what's going on. Beware that debug mode will show the user and passwords used. You might want to blank those out if you post the debug output.

~Scott

Also - think about getting the USB Ethernet adapter - it comes in handy. There a 100Mb and a 1000Mb version. Both work on all newer MacBook Pros.

Good Morning, Scott

To bring you ip-to-date --

I tried a command line FTP and still couldn't connect to the server.

I also tried port forwarding and all that happen was messing up everything to the point of I thought I was going need to pull out a back up drive to get it back to normal.

I bought a Netgear router to see if that would work. No luck -- and terrible customer support. I was surprised.

When I bought my computer last year, my e-mail address was input wrong so I have to call Apple Care to get that straighten out.

Not sure whether I should try another brand of router. Just give up and resign myself to having to drive to town to use coffee shop wi-fi for ftp. Or just toss the whole mess out of the window.

My daughter works for Apple and she's had to listen to my not-so-nice diatribes. : )

I truly do appreciate all of the time and effort you have given to help me with this problem.

Susan

Hi Susan - So sorry to hear that things seem to have gone from bad to worse. Something doesn't seem right with this problem. You should be able to FTP out to a remote FTP server using a basic non-secure FTP connection - with any router that supports UPnP functionality - without having to manually enable port forwarding. Can you check your new Netgear router configuration to determine if UPnP has been enabled on it? Also - undo any port forwarding that you may have attempted to set up - I don't think you need it for the problem at hand. It is really starting to look like your ISP is blocking one or more of the ports needed for FTP. Just out of curiosity - do any of your friends/neighbors use the same ISP - and can you see if you have the same problem when connected to their home network? Obviously - the coffee shop works - so it has to be an ISP issue. Don't give up - I think you will get it resolved.

Also - can you try the following test...this will tell you whether you are able to contact the remote ftp server on port 21.

Open a terminal window (mac) or cmd prompt (windows).

type this at the command prompt

telnet {ftpserver host name} 21 replace {ftpserver host name} with the host name of your external ftp server's host name or ip address.

If port 21 is open you should see the same login prompt from the ftp server that you see from the ftp command - if you were doing command line ftp.

~Scott

Since this post is not so ancient, I wanted to share my findings with setting up an FTP server for external access (over the internet) through a Time Capsule (FW:7.6.4 Latest at the time of this post).

I struggled with this for several hours. First, I had to get all the right ports in place. I ended up setting up 20,21,22,989,990 and the port range that my NAS device uses (55536-55663). I chose to leave it on the default values for this device which is a D-link DNS-323. These devices are probably incorrectly faulted for poor FTP server capabilities, just as I suspect that AE's and TC's are also likely incorrectly faulted, as WELL as ARRISS routers which i have a 1670 with TWC as the ISP. And when i say "faulted", i'm referring to this scenario in particular. There's a lot of complexity with so many pieces involved, which i think is then compounded by FTP clients' automatic behaviors.

At any rate, after establishing the basic ports matched (not changing the private ports and public ports to other values), I could successfully connect to the FTP server via the DDNS address, BUT this was from within my network, so not actually testing from the outside yet. So at that point, I assumed that it was working fine. Once it was actually tested from somewhere else, it was not working at all. I fooled with several web browsers and an FTP client (FileZilla). I was seeing all sorts of odd behavior from each of these deals. Firefox on a mac sometimes works (from within or outside). Safari works fine, but i'm only testing this internally. IE and Firefox on PC works internally, but neither externally. FileZilla works fine internally, but attempts TLS connection externally and never works. I struggled with this for many many hours (adjusting settings/preferences in FileZilla), and in the end what i found that got something working was configuring an entry in "site manager" inside FileZilla, and forcing it to use "Plain FTP", and "Passive". Without doing this (just using the quick connect method) FileZilla likes to try all sorts of methods of connection, even when you're setting preferences that suggest otherwise. It was getting stuck trying to go the TLS route. This would eventually time out. After creating the entry for the FTP server in the site manager area and then using that to connect.. BAM!! IT JUST WORKED! Which is of course, what any of us are looking for initially at least! Now, beyond this.. trying to get it to be more secure and what not, i haven't gone there yet. I think this is at least "good enough" for some folks, and at least a starting point of "hey this actually does sort of work". It also reveals that a great deal of the frustration is the behaviors of various browsers negotiating the FTP connection automatically. This reminds me of "Auto Negotiate" for link speed on network hardware. Sometimes manual is the only way to go! Anyway, I hope this might come of use to some folks out there. Good luck!

My experience has been as follows - My Time Capsule 3rd Gen - Firmware 7.6.4 - for the most part works correctly with basic FTP from the outside to my DLINK DNS-323 ftp server. The only port that I have to forward is port 21. The DNS-323 opens the other ports dynamically as needed. There is an occasional "miss" where the connection will not be established - and it's more of an annoyance than anything. The bigger problem seems to be with the Airport Extreme AC (gen 1) - firmware 7.7.3 - where basic FTP seems to be very problematic even when all of the specified ports are opened manually (and manually opening the ports is not something that should not be necessary). My FTP needs basic and infrequent so this is less of an issue for me. I have tested FTP with my other non-Apple routers (Linksys, NetGear and ASUS - both old and new) - and FTP appears to work correctly with those routers. Apple needs to fix the FTP functionality with the Airport 802.11ac (and possibly with the older models) - but so far this does not seem to have been acknowledged or addressed. For those that are heavily dependent on FTP functionality and being able to access your internal FTP server from the internet - it may be advisable to get a different router that works as expected with FTP - since the time and frustration spent troubleshooting adds up very quickly and the cost of a different router is probably far less expensive than your time. I know this isn't the answer that people want to hear - but there does not appear to be a reasonable workaround for the problem at hand.

The most reliable workaround that I have found is to change the port number that the DNS-323 uses for FTP (to one of the ports in the list of allowed ports) and then forward external port 21 (on the Apple router) to that port. This somewhat solves the external access issues - but makes internal access to FTP a bit more painful because you need to use an FTP client that allows the port number to be specified. Windows command line FTP does not allow the port number to be overridden.

~Scott

Also - if you close all ports on the the Apple Router (Time Capsule / Airport Extreme / Airport Express) - and then you perform an open port scan - you will notice that port 21 shows as open - indicating that the Apple Router is listening on port 21 - regardless of the port forwarding settings. I suspect this is an indication that port 21 may be supporting some other Apple Router-specific functionality - and possibly the cause of some of issues mentioned in this thread.

~Scott

thanks. problem still exists with firmware 7.7.3 in october 2015.

changing the internal ftp port fixes it.