Connection outside firewall not working

This forum is for anyone experiencing problems related to their firewall settings. More specifically, anyone experiencing connection issues should take a look at this forum.
jowilson
User
Posts: 10
Joined: Tue Feb 04, 2014 10:51 pm

Connection outside firewall not working

Post by jowilson » Tue Feb 04, 2014 11:01 pm

I have several hours into trying to get things to work, however when attempting to connect to the server from outside the firewall it simply times out. When connecting internally things work fine. I have completely disabled the Windows 7 firewall to rule that out. In my port range forwarding in my router setup I have listed the range of ports that corresponds to the same passive range I have defined in Cerberus. For my port forwards I have ports 20, 21, 22, 100 (this is the port I have set the FTP server to listen on), 443, 990, and the starting and ending ports that correspond to my passive range (fyi using dd-wrt router firmware). I'm honestly not seeing where the issue lies. What I want to understand is the following:

- Is there a good tool that will accurately identify where the problem lies, whether it's a misconfiguration in Cerberus, Windows firewall, the router config, or my ISP blocking the FTP traffic in some way?
- I'm happy to provide screenshots, etc. of my setup if needed, I want to purchase this software just not sure where the problem lies. I've tried virtually every combination of firewall settings, etc. that I can think of.

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Re: Connection outside firewall not working

Post by Serin » Wed Feb 05, 2014 10:24 am

Hello,

What protocol are you using to try to connect? FTP, FTP/S, SSH SFTP, or HTTP/S? Are all failing?

Are you able to see any connection attempt at all in the Cerberus log when trying to connect externally?
> from outside the firewall it simply times out. When connecting internally things work fine.
Are you referring to your local machine's Windows 7 firewall, or your router's firewall? Does internally mean on the local PC, or on your internal network?

What I'm trying to understand is if you can connect to Cerberus from any PC on your local network, or just from the same PC running Cerberus? Regardless, the problem is almost certainly external to Cerberus if you can establish a connection on the local PC. That means it's either your local PC firewall (if you cannot connect from another PC on the network), or the firewall running on your router (if you can connect from another PC on your internal network, but not from the Internet).

Once I know which we can troubleshoot from there. You may also want to identify your ISP setup. You are running dd-wrt, so you must have your own router, but is there another router/modem combo from your ISP? There almost certainly is, and that might be where the problem is for external Internet connections.

Post by jowilson » Wed Feb 05, 2014 11:07 am

I'm using FTP to connect. There is nothing in the log that shows when connecting via external (I use net2ftp.com to test it). I can connect to the server from any PC on my internal network just fine. What's odd though is that even though I have set the listening port for the Cerberus server to 100, I still have to specify port 21 when connecting. Yes there is a second router, one that is connected to my main router via a long LAN cable going to a guest house. Its purpose is to extend the Wi-Fi access (created a second Wi-Fi network on that router). The main router though that I've set the FTP rules up on is the DHCP router. I've tried connecting from external with that router turned both off and on and it's the same result, the connection times out.

Post by Serin » Wed Feb 05, 2014 11:40 am

> What's odd though is that even though I have set the listening port for the Cerberus server to 100, I still have to specify port 21 when connecting.

My guess is that you've changed the default FTP listener port, and not the FTP listener for the actual IP address you are logging in over. Changing the Default FTP listener will not affect existing FTP listeners.

> I can connect to the server from any PC on my internal network just fine.

Then the problem is external to Cerberus, or the machine running Cerberus. The issue is at your router.

> Yes there is a second router, one that is connected to my main router via a long LAN cable going to a guest house. Its purpose is to extend the Wi-Fi access (created a second Wi-Fi network on that router). The main router though that I've set the FTP rules up on is the DHCP router.

It sounds like the second router can be ignored. But you probably also have a router/gateway from your ISP. That may be where the forwarding also needs to be done. I'm sure you didn't load dd-wrt on that. What type of Internet connection do you have? Cable, DSL, FIOS, other?

Post by jowilson » Wed Feb 05, 2014 11:53 am

Serin wrote:
> > What's odd though is that even though I have set the listening port for the Cerberus server to 100, I still have to specify port 21 when connecting.
> My guess is that you've changed the default FTP listener port, and not the FTP listener for the actual IP address you are logging in over. Changing the Default FTP listener will not affect existing FTP listeners.

Okay, so how do I change the FTP listener for the actual IP address I'm logging in over?

> > I can connect to the server from any PC on my internal network just fine.
> Then the problem is external to Cerberus, or the machine running Cerberus. The issue is at your router.

Great, then how should the router be set up? I've provided all of the port forwarding ports and range forwarding ports in my initial post. What else aside from that would need to be set, and did the ports provided look correct?

> > Yes there is a second router, one that is connected to my main router via a long LAN cable going to a guest house. Its purpose is to extend the Wi-Fi access (created a second Wi-Fi network on that router). The main router though that I've set the FTP rules up on is the DHCP router.
> It sounds like the second router can be ignored. But you probably also have a router/gateway from your ISP. That may be where the forwarding also needs to be done. I'm sure you didn't load dd-wrt on that. What type of Internet connection do you have? Cable, DSL, FIOS, other?

Yes I do have a router from my ISP, that is the one that is running dd-wrt and is the one I provided all of the port forwarding information for in my initial post. I have cable internet.

Post by jowilson » Wed Feb 05, 2014 12:00 pm

Let me also state that I also tested this by bypassing the router, by plugging directly into my cable modem, and it still timed out.

Post by Serin » Wed Feb 05, 2014 12:01 pm

> Great, then how should the router be set up? I've provided all of the port forwarding ports and range forwarding ports in my initial post. What else aside from that would need to be set, and did the ports provided look correct?

The ports you provided in your initial post looked fine. You need the FTP control port, which is 100 (default is normally 21), and the passive port range.

However, it doesn't appear that the port forwarding is going to the machine running Cerberus. Otherwise, you would be able to connect. I would double-check those settings.

> Yes I do have a router from my ISP, that is the one that is running dd-wrt and is the one I provided all of the port forwarding information for in my initial post. I have cable internet.

If you have cable internet, then the cable is going into a gateway/bridge device from your cable company. I'm a little surprised you would be able to load DD-WRT on that device. However, if that's the case, and that's the only router between your server and the Internet, then that is where the problem is.

Post by Serin » Wed Feb 05, 2014 12:02 pm

That makes much more sense. You have a cable modem, in addition to your router. You also need to enable port forwarding on that modem. It's not just a modem, it's probably a router as well.

Post by jowilson » Wed Feb 05, 2014 12:16 pm

Let me clarify further- I have a cable modem, which in turn is connected to a router which is running dd-wrt. It is possible that my cable modem also acts as a router, not sure about that, but I've never been provided information from them on that, so I'll need to check with them. The router I've been making all of the changes to is the dd-wrt router, and so if my cable modem also acts as a router I need to check into that.

Post by jowilson » Wed Feb 05, 2014 12:22 pm

One other question though, if my cable "modem" is actually functioning as a "router", does it make sense that I would have no issues with the internal network connection, only external?

Post by Serin » Wed Feb 05, 2014 12:45 pm

Yes, that would make sense.

Post by jowilson » Wed Feb 05, 2014 2:16 pm

Okay so I spoke with my cable company, and they have disabled networking on my modem, which means it is now functioning as a modem only and not a router. But the tests still do not work. So I want to make sure I'm testing properly. On the net2ftp.com site there is a section for basic testing and one for advanced. In the advanced, you specify your FTP server, which I'm putting in the external IP address, the port, which I'm entering as 50000 since I have that in my port forwarding range, I'm selecting passive mode, and entering in the username and password. When I click the login button, it times out and doesn't connect at all. Are those the correct parms I should be using?

Post by Serin » Wed Feb 05, 2014 2:36 pm

The port should not be 50000, unless you've changed the default FTP port to that number.

The default FTP port is normally 21. You mentioned previously that you tried changing it to 100. You should be using one of those two numbers for the connection port. Passive mode ports are selected by the server and happen later.
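
The split described above, between the control port the client dials and the passive data port the server announces afterwards, can be checked with a short script. This is an added example, not part of the thread or of Cerberus; the 227 replies are constructed samples and the 50000-50100 passive range is an assumption.

```python
import ipaddress
import re
import socket

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def check_pasv(reply, forwarded_range):
    """List reasons an Internet client could not open the data connection."""
    ip, port = parse_pasv(reply)
    lo, hi = forwarded_range
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("server advertises LAN address %s" % ip)
    if not lo <= port <= hi:
        problems.append("data port %d outside forwarded range %d-%d" % (port, lo, hi))
    return problems

def probe_control(host, port, timeout=10):
    """Classify one attempt to reach the FTP control port from outside the LAN."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"    # no answer at all: usually dropped before the server
    except ConnectionRefusedError:
        return "refused"    # something answered, but nothing listens on that port
    except OSError:
        return "unreachable"
    with s:
        try:
            banner = s.recv(512).decode("ascii", "replace")
        except socket.timeout:
            return "connected-no-banner"
    return "ok" if banner.startswith("220") else "connected-unexpected"

if __name__ == "__main__":
    # Constructed replies; 50000-50100 is an assumed passive range.
    for r in ("227 Entering Passive Mode (192,168,1,10,195,80)",
              "227 Entering Passive Mode (203,0,113,5,4,1)"):
        print(parse_pasv(r), check_pasv(r, (50000, 50100)))
```

Run `probe_control` from a machine outside the LAN against the public address and the control port (21 or 100 here), never against a passive port; a `timeout` result with nothing in the server log matches the symptom reported in this thread.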

Post by jowilson » Wed Feb 05, 2014 2:43 pm

I changed the port in Cerberus, not sure I guess where else to change it to make it 100 all the way around. In any event, neither port works when testing via net2ftp.com; it times out no matter what I try.

Post by jowilson » Wed Feb 05, 2014 7:08 pm

So are there any good programs/tools that allow you to accurately diagnose where a port is being blocked from, whether it's the modem, router, or Windows? It seems like these FTP programs should come bundled with that sort of tool, as 90% of the setup issues relate to those components.

Also you mentioned earlier that I need to change to port 100 on the IP address that the server is running on. How is that done, is that a Windows inbound/outbound connection rule or something else?
