SOLVED FTP from outside network

Status
Not open for further replies.

squidding

Cadet
Joined
Feb 2, 2014
Messages
8
Hey everyone,

First, let me apologize in advance if I'm posting this in the wrong section of the forum. Also, I'm fairly new to FreeNAS (and anything network related), and everything I've accomplished so far has been through research, and trial/error. I've read through the documentation and I've tried to find an answer in previous forum posts here, but to no avail. I may have missed something though.

My issue is this: I've set up CIFS and shared stuff on my local network from my server with no issues. I've also set up FTP, and I can FTP files to and from my server with no issues. BUT, only from within my own network. So, I thought the solution was to set up Dynamic DNS. I made an account with freedns.afraid.org, and set up Dynamic DNS in the FreeNAS settings. I can now log in to the server (and utilize FTP) using the domain I set up, BUT... only from within the network. When I try to get into the server outside of my network in a web browser, I get an error, and when I try to get in with FileZilla, it simply times out. I have port forwarding set up on my router to open port 21, as well as ports 3400 through 3500 for passive FTP connections.

Obviously, I've set something up wrong or missed something. What have I done wrong? Maybe something that I didn't set up correctly when I was initially getting the server running? My friend keeps telling me it's an issue with my subnet mask settings, but I don't understand what's wrong or what to change (if that's even the problem).

Any help will be greatly appreciated, because I can't seem to figure it out on my own. Thank you in advance for your time!
 

zambanini

Patron
Joined
Sep 11, 2013
Messages
479
Did you set up the network connection on your FreeNAS system correctly? Make sure you set up your router as the default gateway.

Please post your network details (how is what connected, IP addresses, netmask and so on).
 

squidding

Cadet
Joined
Feb 2, 2014
Messages
8
It's very possible that it is not set up correctly. The settings look like this:

Under Network Settings, Global Configuration - Hostname: freenas | Domain: local.dc | IPv4 Default Gateway: 192.168.1.1 | Nameserver 1: 192.168.1.1 |
Under Interfaces, LAN - IPv4 Address: 192.168.1.129 | IPv4 Netmask: /2 192.0.0.0 |

There's nothing set up under Link Aggregation, Static Routes, or VLAN.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> It's very possible that it is not set up correctly. The settings look like this:
>
> Under Network Settings, Global Configuration - Hostname: freenas | Domain: local.dc | IPv4 Default Gateway: 192.168.1.1 | Nameserver 1: 192.168.1.1 |
> Under Interfaces, LAN - IPv4 Address: 192.168.1.129 | IPv4 Netmask: /2 192.0.0.0 |
>
> There's nothing set up under Link Aggregation, Static Routes, or VLAN.

Is your network on a /2 or did you understand what that is?

Most networks are /24
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I find it unlikely that it's a /2. Not many of those still around.
 

squidding

Cadet
Joined
Feb 2, 2014
Messages
8
All right, so I went ahead and changed the IPv4 Netmask to /24 255.255.255.0

Everything still works fine from within my network, but logging in from outside of the network still doesn't seem to be working.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Well, your ISP could be blocking port 21.

Are you aware of the inherent risks of opening your FTP to the world?
 

squidding

Cadet
Joined
Feb 2, 2014
Messages
8
Because I'm very new to this, I would say that I'm only somewhat aware. The plan was to only expose the server to the world, if possible. If I can get FTP working successfully, I'll lock down access with user accounts and passwords and maybe try out FTPS instead. Even if the server is totally vulnerable though, there's really no sensitive data on it (it's basically just filled with media) so I'm not super worried. Do I need to be more concerned about security? And if so, is there some other way I should be going about all of this that is more secure?

Given the information I've provided so far, do you think that my ISP (Cox Communications) blocking port 21 is the most likely problem? Because if it is, I can certainly contact them and see what I need to do in order to fix that. Otherwise though, are there any other setup issues I may have overlooked that could be causing these issues?

*EDIT* According to the Cox website, they do not block or filter port 21.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
FTP is a difficult protocol to deal with. When accessing it through a NAT'd firewall, there are other considerations that need to be factored into the configuration. I haven't done it on FreeNAS, but on other systems, I've found it helpful to use passive mode.

Also, I know you aren't too worried about losing the files, but to me the real security problem is the fact that it creates a hackable hole into the soft part of your network which can be then used as a jumping off point to all your other network resources.
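
The passive-mode considerations mentioned above can be checked from the control channel. This is an added example, not part of the original posts: it parses the server's `227` reply and flags the two things that commonly break the data connection behind NAT. The 3400-3500 range comes from the first post; the sample replies and the 203.0.113.10 address are constructed.

```python
import ipaddress
import re

# Assumption taken from the first post: the router forwards 3400-3500 for passive data.
FORWARDED_PORTS = range(3400, 3501)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed control-channel replies (203.0.113.10 is a documentation address).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,129,13,82)",
    "227 Entering Passive Mode (203,0,113,10,13,82)",
    "227 Entering Passive Mode (203,0,113,10,195,80)",
]


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    match = PASV_RE.match(reply.strip())
    if not match:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    fields = [int(g) for g in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in: {reply!r}")
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]  # port = p1 * 256 + p2


def check_pasv(reply, forwarded=FORWARDED_PORTS):
    """List findings that commonly break the data connection for a client outside the NAT."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"advertised address {ip} is private (RFC 1918)")
    if port not in forwarded:
        problems.append(f"data port {port} is not in the forwarded range")
    return problems


if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(line, "->", check_pasv(line) or "ok")
```
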
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> All right, so I went ahead and changed the IPv4 Netmask to /24 255.255.255.0
>
> Everything still works fine from within my network, but logging in from outside of the network still doesn't seem to be working.

You may be stuck in a double NAT situation depending on how your ISP's network is set up. I had to purchase a static public IP so I could connect to my Plex server.
 

squidding

Cadet
Joined
Feb 2, 2014
Messages
8
depasseg: Should I be looking at some other type of protocol other than FTP for what I'm trying to do here? I'll look into using passive mode as opposed to active. Are there steps I can take to minimize the exposure of my network from a security standpoint? At this point, my goal is simply to be able to read/write files to/from the server from outside of my own network. I thought FTP was the way to go for this, but if not, I can certainly approach the goal from a totally different angle.

Jailer: I'll look into the NAT situation and see if I can determine if there is a double NAT issue going on. I'm learning about all of this for the first time, so I'm fumbling around trying to make sense of everything.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> depasseg: Should I be looking at some other type of protocol other than FTP for what I'm trying to do here? I'll look into using passive mode as opposed to active. Are there steps I can take to minimize the exposure of my network from a security standpoint? At this point, my goal is simply to be able to read/write files to/from the server from outside of my own network. I thought FTP was the way to go for this, but if not, I can certainly approach the goal from a totally different angle.
>
> Jailer: I'll look into the NAT situation and see if I can determine if there is a double NAT issue going on. I'm learning about all of this for the first time, so I'm fumbling around trying to make sense of everything.

I'm on Cox Cable as well. I don't think you have a double NAT issue.

As for the security issues, FTP sends credentials in clear text. As mentioned, it just opens up your network to all kinds of bad stuff.

The better option would be to use SSH, and SFTP over the SSH port using SSH keys on a nonstandard port. Although the best solution is to look into OpenVPN.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Look into ownCloud. Dr KK wrote a great guide and posted a YouTube tutorial.
 

squidding

Cadet
Joined
Feb 2, 2014
Messages
8
All right, so first of all, thank you for all of the help and suggestions about potential problems. I have a lot of reading to do still, but in addition to helping me figure out the issue I was having, you've also all pointed me in a lot of interesting new directions for future projects.

So, at this point I have now solved the issue. There were two related problems taking place at the same time. The first was apparently a mistake on my part... I had pointed the Dynamic DNS information to the internal IP address of my server, rather than the external IP address of my network. I don't know how I overlooked this, but it's remedied now. Even after I fixed this issue though, I still couldn't get the dynamic DNS from freedns.afraid.org to work (I don't know why). I switched over to DuckDNS, and now it's all working fine.

Thank you to everyone who took the time to help me!
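
The two address mistakes discussed in this thread (a Dynamic DNS record holding the server's internal address, and a /2 netmask on the LAN interface) can both be caught with a small offline audit. This is an added example, not code from the thread: the function names are hypothetical, the 192.168.1.x values are the ones posted above, and the 198.51.100.x and 203.0.113.x addresses are constructed documentation addresses standing in for a WAN address and a remote client.

```python
import ipaddress

# Addresses that cannot be reached from the Internet side of a home router.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "100.64.0.0/10",                                    # carrier-grade NAT (double-NAT case)
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def reachable_from_internet(addr):
    """False when a DNS record points at an address only valid inside a LAN or NAT."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def next_hop(interface, gateway, peer):
    """Where the host sends a packet for `peer`: directly on-link, or via the gateway."""
    network = ipaddress.ip_interface(interface).network
    return "on-link" if ipaddress.ip_address(peer) in network else f"via {gateway}"


def audit(ddns_record, interface, gateway, remote_peer):
    """Return a list of findings for the settings described in the thread."""
    findings = []
    if not reachable_from_internet(ddns_record):
        findings.append(f"DDNS record {ddns_record} is not reachable from outside the LAN")
    if next_hop(interface, gateway, remote_peer) == "on-link":
        network = ipaddress.ip_interface(interface).network
        findings.append(
            f"netmask makes {network} look local, so replies to {remote_peer} skip the gateway"
        )
    return findings


if __name__ == "__main__":
    # Settings as first posted: DDNS at the internal address, /2 netmask.
    print(audit("192.168.1.129", "192.168.1.129/2", "192.168.1.1", "203.0.113.77"))
    # After the fixes: DDNS at the (constructed) WAN address, /24 netmask.
    print(audit("198.51.100.20", "192.168.1.129/24", "192.168.1.1", "203.0.113.77"))
```
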
 