$25 reward - Virtual Router with NAT - doesn't give FTP access to clients, just itself.
Hello.
I will pay $25 via PayPal to anybody that has the solution, right after I have confirmed that the solution works on my setup.
I'm using a virtual router with this setup:
From this guide...
On the router itself, I can use outgoing FTP, no need to open anything in the firewall or anything, it just works. The router is a Server 2016 server.
I then have a TEST-DC server with AD on it, using the DNS from OVH on it.
I also have a client using domain users on the AD server, using the IP from the AD server as DNS. It works just fine on the internet, except for FTP.
I have applied what I learned from this thread I had here on LET on the router.
Here are three screenshots of the issue:
On my router (win server 2016)
On my AD server (win server 2016)
On my test server (win server 2016)
What am I missing here?
Comments
Passive works?
Can you try to telnet to this port?
On the router - yes it works to telnet o(open) host 21 - no issues at all.
On the clients - no, telnet does not work on the host port 21.
But I can of course ping the FTP host if I enable ping request on the FTP server.
Neither Passive nor Active mode is working on the clients.
Does the VM have its own IP on the network? If so, does the port forward go there?
The host is working fine, if you are talking about my FTP server in this case. No problem connecting from other computers/servers not using the virtual router. I can connect to FTP if I use "Require implicit FTP over TLS" in the FileZilla client on the clients using the router. It then connects using port 990. But I need it to also connect to port 21, since I need this to work with a PowerShell script that somebody has made. Not sure how difficult it is to change the script to connect using implicit FTP over TLS on port 990...
I also have another TestLAB on an online.net server, using the same setup with a virtual router using the same guide I linked to in my first post. And the same happens there.
No issue connecting to FTP port 21 on the router itself, but no access to port 21 on the clients using the virtual router.
Remember, I'm just talking about outgoing traffic, and the FTP Server is not using the virtual router.
I'm wrong, see my edit.
What VM? The router has its own external IP, yes.
The clients are using the router's external IP.
But the FTP server I try to connect to is not a part of this internal/external network. It's on another server.
I have also tested with other FTP servers, the same issues there. No outgoing access to port 21 on any of the clients on the virtual router.
Do things work if you turn the firewall off for a second?
After forwarding the ports, did you reboot the server?
Could be your ISP blocks outgoing port 21. Mine blocks port 445 outgoing, so I couldn't connect to my external smb server. Fixed it by creating a forwarding rule on the router, all traffic incoming to its (internal) address is forwarded to my server's ip, port 1445. Serverside, traffic on port 1445 is converted back to 445.
You might wanna consider a similar approach, although it will limit you to 1 (external) ftp server being connectable on port 21, and some work server-side.
It is possible that the FTP server has a limit of 1 connection per IP on port 21.
Seems to be a fw issue, nothing else.
Your issue sounds a lot like https://social.technet.microsoft.com/Forums/en-US/0c68aed6-e22b-4cd4-86bd-f3c767e88349/advanced-firewall-blocking-through-ftp-traffic-rras?forum=winserver8gen
What port forwarding??? I'm not using any, since the FTP server is NOT inside the virtual router. I'm currently testing on two FTP servers where one is on a dedicated server that I have used for FTP without issues for over two years now.
The second one is on a VM on another dedicated server, with its own external IP. So why do I need port forwarding?
Tried to turn off the firewall on one of the clients, but still no connection.
There are no issues with the two FTP servers I'm currently testing on. Both have nothing to do with this internal virtual router. They are running FileZilla FTP server with default settings.
Like I say, on the virtual router I have NO problem connecting to any FTP server I want.
But on any client having network connection from the virtual router, there is no way to connect to port 21. Port 990 is working fine using implicit FTP over TLS.
You understand that this is on a dedicated server from OVH? The virtual router is a VM, like all the clients using this virtual router. As I have told many times, the router has no issues connecting to any FTP server in the world.
But none of the clients getting network access via the virtual router are getting FTP port 21 access. So there is no ISP block, since all the clients are using the same external IP as the virtual router.
share the connection
On the virtual router?
Edit: Can't set this on the virtual router because of the Router function. But all the clients are sharing this internet connection via the settings from this guide:
https://deploymentresearch.com/Research/Post/285/Using-a-virtual-router-for-your-lab-and-test-environment
Then I suggest using a Windows tcpdump equivalent to determine the packet flow and find the point where they drop.
And what command do I use for that?
Wireshark + WinPcap
Just an update.
It actually works if I turn off Windows Firewall on the virtual router. But that's not practical. So I have searched and searched, and found this thread at Microsoft, and there was the solution.
It's a routing/NAT issue, and all I had to do is to use this command in cmd:
netsh routing ip nat delete ftp
Tested it on both my TestLAB servers now, and it's the only thing you need to do to let all the virtual router clients get FTP port 21 access.
Thank you for all your help, but this time nobody had the right solution, so I will not pay out the reward. Maybe next time.
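To check the behaviour this thread describes (port 21 unreachable from clients behind the virtual router while port 990 works) before and after changing the router, the following PowerShell probe can be run on the router and on a client. It is an added example, not part of any post in the thread; the host name `ftp.example.test` and the function name `Test-FtpControlPort` are assumptions.

```powershell
# Added example: probe the FTP control channel from a client behind the NAT router.
param(
    [string]$FtpHost = 'ftp.example.test',  # placeholder host (assumption, not from the thread)
    [int[]]$Ports    = @(21, 990),          # the two ports compared in the thread
    [int]$TimeoutMs  = 5000
)

function Test-FtpControlPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)

    $result = [pscustomobject]@{ Host = $HostName; Port = $Port; TcpConnect = $false; Banner = $null; Note = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so silently dropped packets do not hang the script.
        $pending = $client.ConnectAsync($HostName, $Port)
        if (-not $pending.Wait($TimeoutMs)) {
            $result.Note = 'connect timed out (packets dropped somewhere on the path)'
            return $result
        }
        $result.TcpConnect = $true

        if ($Port -eq 990) {
            # Implicit FTPS starts with a TLS handshake, so no plaintext greeting is expected.
            $result.Note = 'TCP connect OK (implicit TLS, greeting not read)'
            return $result
        }

        # Plain FTP: the server speaks first with a "220" greeting line.
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $result.Banner = $reader.ReadLine()
        $result.Note = if ($result.Banner -like '220*') { 'control channel OK' } else { 'connected, but no 220 greeting' }
    }
    catch {
        $result.Note = "failed: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        $client.Close()
    }
    return $result
}

$Ports | ForEach-Object { Test-FtpControlPort -HostName $FtpHost -Port $_ -TimeoutMs $TimeoutMs } |
    Format-Table -AutoSize
```

Comparing the output from the router with the output from a client shows whether the port 21 connection fails at TCP connect or only after connecting, which narrows down where on the path the traffic is lost.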
@needsy deserves to be rewarded. At least partially.
@sayem314 @needsy Of course, missed that link there. Most likely he replied when I wrote the reply right under, and then I missed that comment.
@needsy - PM me your PayPal account, and I will transfer $25 right away (or, I'm going away within 1 hour and going to be offline for 5-7 hours, but as soon as I get online again, I will transfer)