Cannot access FTP from outside the network, AEbs blocking it?

Question

I&#x27;ve tried everything, but nothing works. I&#x27;ve been at this on and off for over a MONTH now, and I&#x27;m seriously considering throwing this AEbs really hard against wall or something.What&#x27;s the problem:I used to have a Netgear WNDR3700, which worked fine, but I wanted to extend my wireless network, because I use a lot of airplay devices everywhere in the house. So because I already own two Airport Express I wanted to make the swtich to a complete Apple system by replacing the Netgear with the AEbs. This way I could have one wirless network throughout the house. This works perfectly. However:I own a Netgear Readynas NV+, which works fine through SMB, as long as I&#x27;m connected to the network. But because I work on different spots, I need outside access to my files. Which I usually did through FTP. With the netgear it&#x27;s just a matter of forwarding port 21 to the correct ip address en you&#x27;re set (Aside from Readynas setup). This worked perfectly, no problems at all.Enter AEbs: I cannot for the life of me figure out what I&#x27;m doing wrong. I&#x27;m running 7.7.2 on the AEbs (newest model). I&#x27;ve setup DHCP en NAT, port forwarded port 21 to the Nas (which has a static IP setup in the DHCP settings).  But no luck, no connection possible over FTP. Not in Active Mode, and not in Passive mode.Passive mode:Status:          Connecting to xx.xx.xxx.xx:21...Status:          Connection established, waiting for welcome message...Response:          220 ProFTPD 1.3.3g Server (NETGEAR ReadyNAS) [10.0.1.2]Command:          USER xxxxxxResponse:          331 Password required for xxxxxxCommand:          PASS **************Response:          230 User xxxxxx logged inCommand:          SYSTResponse:          215 UNIX Type: L8Command:          FEATResponse:          211-Features:Response:           MDTMResponse:           MFMTResponse:           TVFSResponse:           UTF8Response:           AUTH TLSResponse:           LANG en-US.utf8*Response:           MFF modify;UNIX.group;UNIX.mode;Response:           MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;Response:           PBSZResponse:           PROTResponse:           SITE MKDIRResponse:           SITE RMDIRResponse:           SITE UTIMEResponse:           SITE SYMLINKResponse:           REST STREAMResponse:           SIZEResponse:          211 EndCommand:          OPTS UTF8 ONResponse:          200 UTF8 set to onStatus:          ConnectedStatus:          Retrieving directory listing...Command:          PWDResponse:          257 "/" is the current directoryCommand:          TYPE IResponse:          200 Type set to ICommand:          PASVResponse:          227 Entering Passive Mode (84,25,240,74,206,88)Command:          MLSDError:          Connection timed outError:          Failed to retrieve directory listingActive mode:Status:          Connecting to xx.xx.xxx.xx:21...Status:          Connection established, waiting for welcome message...Error:          Connection timed outError:          Could not connect to serverStatus:          Waiting to retry...Status:          Connecting to xx.xx.xxx.xx:21...Status:          Connection established, waiting for welcome message...Response:          220 ProFTPD 1.3.3g Server (NETGEAR ReadyNAS) [10.0.1.2]Command:          USER xxxxxResponse:          331 Password required for xxxxxCommand:          PASS **************Response:          230 User xxxxx logged inCommand:          SYSTResponse:          215 UNIX Type: L8Command:          FEATResponse:          211-Features:Response:           MDTMResponse:           MFMTResponse:           TVFSResponse:           UTF8Response:           AUTH TLSResponse:           LANG en-US.utf8*Response:           MFF modify;UNIX.group;UNIX.mode;Response:           MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;Response:           PBSZResponse:           PROTResponse:           SITE MKDIRResponse:           SITE RMDIRResponse:           SITE UTIMEResponse:           SITE SYMLINKResponse:           REST STREAMResponse:           SIZEResponse:          211 EndCommand:          OPTS UTF8 ONResponse:          200 UTF8 set to onStatus:          ConnectedStatus:          Retrieving directory listing...Command:          PWDResponse:          257 "/" is the current directoryCommand:          TYPE IResponse:          200 Type set to ICommand:          PORT 192,168,0,94,247,71Response:          200 PORT command successfulCommand:          MLSDResponse:          425 Unable to build data connection: Network is unreachableError:          Failed to retrieve directory listingOne more note: My ISP is not blocking passive mode, because it used to work fine with the Netgear WNDR 3700. I&#x27;m not sure if the&#x27;re blocking active mode.Anyone got an idea how the make this beautiful device not only good looking, but clever enough so I won&#x27;t have to throw it somewhere?Any help is grately appreciated!Kevin

LaPastenague · Answer

We have attempted to crack this but no joy. https://discussions.apple.com/thread/5122931?answerId&#x3D;22927625022#22927625022All of the later Apple router firmware are having this issue.. you need to go back to 7.6.1 for FTP to work on a Gen5 and of course there is no going back on a Gen6. Put the WNDR3700 back into the network as the main router.. bridge the AE and use it for wireless.. the express can still work fine extending the network.. you can even turn off the wireless in the netgear.. but you need it for routing.

Kevin Riemens · Answer

I have an update for you. I got it to run under 7.7.2 with 6th Gen AEBS.I&#x27;ll tell you what I changed. I have a AEBS and AE (2013 model, or: the &#x27;white apple tv&#x27; 🙂). I had the AEx expand the wireless network of the AEBS. So I turned everything on the AEx off, expect for Airplay (which I use it mostly for). And suddenly everything works!!!I have to sya though, that the connection fails the first time (times out) or takes really long. Once the connection is there, it&#x27;s lightning speed. But as soon as you do nothing for a little while (20 seconds or so), the connection will time out again.So everything is FAR from optimal, but perhaps this gives you guys (also from the other thread) more of clue as to where the problems come from?Hope I could help this problem along (also for other people).GrKevinEDITBack to square one 😠Turns out it only works, when I do this from INSIDE my own network, and try to connect to my outside IP. So I&#x27;m one step further then I was, but still no solution that works This is really starting to **** ME OFF! So I&#x27;m calling Apple tommorow to start a return/refund. Because your previous comment about still using the netgear for routing. I get that it works that way, but what is the added value of having an AEBS around, when I steel need the netgear for routing things properly. No, this thing is too **** expensive to have to resort to that. Aplle can take it back, figure it out, and I&#x27;ll buy a new one, when it works. Untill then, this was a frustrating journey, but hey, the netgear works, so I&#x27;ll stick to that.Goodbye AEbs... you SUCK!

LaPastenague · Answer

Wireless ***** for lots of people on the WNDR3700.. so you are stuck between the proverbial rock and hard place. The apple system works great for extending wireless but fails miserably at routing. The standard wireless solutions can be great routers but have issues with apple protocols at least some of the time.. eg airplay. And extending wireless is nightmarish. BTW gargoyle firmware on the WNDR3700 can make a big improvement in routing and wireless both. But I get your frustration.. Apple build for their walled garden.. which uses BTMM and iCloud without any need for FTP.. not to mention FTP is a very insecure protocol. Passwords are passed in plain text. You should be using SFTP at least.

jrnolan · Answer

I dealt with this same issue and here&#x27;s what is going on.  You&#x27;re using Passive Ports that the airport extreme will support if it&#x27;s configured correctly.  This is the proper way/Only way to do this.The issue at hand is that some routers "need" to "see" the FTP activity, and if the data is encrypted using SSH, then the router blocks the encrypted traffic because it can&#x27;t "see" that it&#x27;s FTP traffic that should be allowed due to a request.  According to your logs your FTP server is telling the FTP client that the passive ports are located at IP address "84,25,240,74,206,88" meaning IP address 84.25.240.74 port number 52824 (206*256&#x3D;52736 +88&#x3D;52824.  So in the router you&#x27;ll need to open these ports for SSH traffic.  SFTP and FTPS are two seperate protocols, and need to be understood as such.  Simply stated, one protocol allows the router to "see" that the encrypted traffic is allowed, the other doesn&#x27;t.The fix:1) Under the Network tab of the Airport Utility theres a section titled "port settings."  2) Click the "+" button to add a setting, either select "FTP access" from the dropdown, or add it. 3) Under both "Private TCP ports" and "Public TCP Ports" put in 21 (standard FTP Port). Under Private IP address type the IP address of the destinatin computer (FTP server). *Note: setting a static IP address on the FTP server is strongly suggested**note: You do NOT need to allow UDP ports, this may cause a larger security risk.*4) Repeat step 3 and allow port 990 (standard SSH port).  5) Repeat step 3 one last time an under the TCP ports fill in the range of the passive ports: i.e. "60000-65000" just like that, only with your ports. No spaces, no other characters.6) Apply the settings to the router, and allow it to reset.7) Test the connection again and report findings.Hope this helps!