[softpawn]

My two computers are connected as shown in the picture (pretty much humble home network).
I'm using cable Internet service.
The base station serves as a hub to which Al PB and iMac are connected wirelessly and via ethernet respectively.
And the private IPs are assigned by the base station as shown in the picture.

What I have been trying to do for the past several days is to access my iMac(10.0.1.2) from a wintel machine at my office over the Internet using a FTP client so that I can share files between the machines.

To do this, I mapped ports in Airport Admin Utility as follows.

Public port: 21
Private IP: 10.0.1.2
Private port:21

And then I turnend on FTP share in the iMac's System Preference Pane.

I figured that I did everything that needs to be done.
But when I typed in my remote IP address in Internet Explorer's URL pane, I got an error "can't connect theh folder".

Where do you think I screwed?

[Millennium]

You need to point your FTP client at the Base Station's public IP address, not your computer's private IP address.

[softpawn]

Thanks for immediately reply.

I did. I pointed the FTP at the Base Station's IP address, which I named "remote IP" in the picture. But it didn't work as I said.

[quadgrande]

I would determine if the problem is connecting at all, or a login or authentication issue. Also, I would consider using a more secure protocol like sftp or scp. If you turn on "Remote Login", that enables ssh/scp and you can more securely login and transfer files on port 22 using something like WinSCP.

Try these steps:

1) Can you ping your public IP address from your outside client?
2) On your imac, see what ports are open with a command like the following:

netstat -an | grep -i listen

3) From the outside, port scan your public IP to see if port 21 is open. There are many freely available port scanners for windows. Search download.com.

4) Examine /var/log/ftp.log to see if your connection attempt was logged. Are there any authentication errors, or other pointers to the problem?

5) Since you only opened port 21, you must enable passive FTP on your ftp client.

[softpawn]

Thanks for the detailed feedback.
Here's result.


1) Can you ping your public IP address from your outside client?

Yes I can.

2) On your imac, see what ports are open with a command like the
following:

netstat -an | grep -i listen

Port 20 and 21 are open at my iMac

3) From the outside, port scan your public IP to see if port 21 is
open. There are many freely available port scanners for
windows. Search download.com.

All of the 60 ports scanned including 20 and 21 are shown
"blocked" when I scanned my public IP

4) Examine /var/log/ftp.log to see if your connection attempt was
logged. Are there any authentication errors, or other pointers
to the problem?

no connection attemps were logged

5) Since you only opened port 21, you must enable passive FTP on
your ftp client.

I did

I guess my Base Station does serve as a sort of firewall blocking port 20 and 21, even if I opened them at my iMac. As a test, I ran VNC server on my iMac to see if I could access it from outside using a vnc client and it's working pretty well. As you know VNC client and server communicate through port 5900. My port scan showed 5900 is open..

It is not enough to open the ports at my iMac?
It seems like I have to have my Base Station open the same ports too.(though this does not make sense to me because you can't open or close ports for the Base Station using Airport Admin Utility.)
If so, how could I do that?

Help!

[Art Vandelay]

It's quite possible that your ISP is blocking traffic on that port. A lot of ISPs block ftp and http ports unless you get the more expensive business plans since they figure home users have no need for those ports.

[softpawn]

Originally posted by Art Vandelay:
It's quite possible that your ISP is blocking traffic on that port. A lot of ISPs block ftp and http ports unless you get the more expensive business plans since they figure home users have no need for those ports.

Well! I've already checked that possibility with my ISP, which told me the only port they blocked is 80. Their policy is not to block any FTP ports technically but to detect and remove FTP servers that are being run for commercial purposes.

Further more my ISP would not have bothered to block all of the 60 ports including 20, 21.

[Mithras]

You should make sure you're testing with an actual external client, not just by entering your external IP address from within your own network.

Some routers, and I'm pretty sure the Airport Base Station in particular, are unhappy looping back an internal request as though it were external.

So first ask a friend to try, or if you have remote shell access on any other machine, try from that remote machine.

[Xeo]

My first guess is that your picture is missing a few items. Let me illustrate:



In most cases, the cable modem holds onto the remote IP. It has it's own set of IPs that it gives out to the one or more devices that are hooked up to it. The private IP is generally 192.168.x.x. Then, your Base Station has a "public" IP that was issued to it by the cable modem, but it's really just a private address. Therefore, you have to log into your cable modem (probably through a web interface) and set port forwarding up on that end to. Since you only have one device (the base station) hooked up to the cable modem, you can probably just use a DMZ host which will forward all ports to the base station. That way, setting up something else in the future will only require modifying the base station.

Now, my dad's cable modem gives out public IPs to each of the devices hooked up to it (a maximum of 3). If yours is doing the same, then this post is wrong and your original picture is correct. But I think this is the exception more than the rule, so if you're not sure, then this post is probably right.

[quadgrande]

So you port forwarded port 5900 on your Airport to get VNC working, and it's working from the outside? And you did the same thing for ftp and it's not working?

[Arkham_c]

A few things. 1) FTP requires port 21 for the control port, and 20 for the data port, assuming the server and client are in active mode. In passive mode, the server needs to open ports >1024 to the client.

Here's an in-depth discussion:

http://slacksite.com/other/ftp.html

[car1son]

I'm curious about the error message IE reported: "can't connect theh folder".

Did you get prompted for a user name and password before you received that msg?

Having port 21 open should suffice to get logged in. PASV data transfer (including listing the content of the directory/folder) will also require port 20, I think.

[softpawn]

Originally posted by quadgrande:
So you port forwarded port 5900 on your Airport to get VNC working, and it's working from the outside? And you did the same thing for ftp and it's not working?

Exactly.
Again, the port scan (that I did from my office) shows that ports 20 and 21 are closed, while port 5900 is open. So no wonder I can't access the FTP running at the iMac. What frustrates me is that I don't know why 20 and 21 are closed. A real mystery to me.

[Xeo]

Originally posted by softpawn:
Exactly.
Again, the port scan (that I did from my office) shows that ports 20 and 21 are closed, while port 5900 is open. So no wonder I can't access the FTP running at the iMac. What frustrates me is that I don't know why 20 and 21 are closed. A real mystery to me.

Oh, in that case, it must be your ISP. It is not uncommon for ISPs to block incoming ports of 21 and 80 to keep personal FTP servers and Web servers out. Just change the FTP port to like 2100.

[smitty825]

I couldn't tell if you have enabled port mapping on your airport or not. (I'm sorry if this seems obvious..but I've only read that you turned on wireless sharing on one of your computers...(the airport acts as a firewall)

If you haven't opened up the airport, goto the "Show All Settings" menu then click on "Port Mapping" Point ports 20 & 21 to the machine you want, and you should be able to see those ports from the outside!

[softpawn]

Originally posted by Xeo:
Oh, in that case, it must be your ISP. It is not uncommon for ISPs to block incoming ports of 21 and 80 to keep personal FTP servers and Web servers out. Just change the FTP port to like 2100.

Just to make sure that I did all the settings right, I looked back at which ports are opend at my iMac where I turned on FTP share.
To my surprise, port 20 appears closed when I scanned all of the open ports in terminal application of the iMac. To see if this is only my problem, I went a Apple store and scanned open ports at one of its computers where FTP share is turned on only to find out that port 20 is not displayed as "open".

Is it that port 20 is not open listening when FTP share is turned on in Panther? or is it that even if it is not displayed as an open port, it is actually open and listening to incoming signal?

This wrestling with Panther's FTP has taught me a lot, but I'm still on Timbukto.

And FYI for Smitty825, I enabled port mapping on my airport when I began this thread.

[quadgrande]

Port 20 is not "open" or listening until a client makes a connection to port 21.

When I port scan my mac at home with ftp turned on, I get the following:

(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
427/tcp open svrloc
548/tcp open afpovertcp

While ftp is run out of "xinetd" (a master Internet daemon controlling many services), it is still listening all of the time. This fact leads me to point to your Airport configuration. It is either that, or a firewall in front of your client is redirecting requests to port 21 to another box.

I'd also be curious to the answer to the login question. Are you getting a login error or a failed connection message in your ftp client?

BTW, if you want to start transferring before you solve this issue, try WinSCP and connect over port 22 via ssh. It's preferrable anyway because all traffic is encrypted as opposed to ftp, where the username and password are sent in plain text.