Not a huge fan of Apple right now. After a recent data loss I went out and picked up a Time Capsule for effortless, automatic backups of the Macs in my house. The backup part works great, but as a router it's a piece of crap. Every configuration change, even if it's just changing a forwarded port, requires a restart. No Airport owner should ever joke about the restarts required by Windows ever again.
"Hey, I'd like to change my logging level!"
RESTART
"This base station needs a Contact and Location!"
RESTART
It's super convenient since all open connections are closed, disconnecting you from VPN, IM, SSH, etc.
It also made troubleshooting this a real joy. I'm using FileZilla for my FTP server on Windows, listening on the standard port, 21. Since I'm behind NAT I restricted the passive mode ports to a fixed range, e.g. 56000-56050. Now whenever a client connects to my FTP server using passive mode it will be given a port between 56000 and 56050 for the data transfer.
The server sets the passive mode ports, and the client, passively, uses them. The FileZilla log showed that the correct ports were being used:
(xx.xx.xx.xx)> PASV
(xx.xx.xx.xx)> 227 Entering Passive Mode (xx,xx,xx,xx,218,215)
(xx.xx.xx.xx)> disconnected.
But on my client (in this case ncftp) I saw totally different ports:
Cmd: PASV
227: Entering Passive Mode (xx,xx,xx,xx,227,181)
Cmd: MLSD
Remote host has closed the connection.
The passive mode reply and the active mode PORT command carry the address information in the same format – ip1,ip2,ip3,ip4,port1,port2 – where ip1-4 are the four octets of an IPv4 address, and the port number is calculated as port = port1*256+port2.
In the example above the server is telling the client to use port 56023 (218*256+215), but the client is being told to use port 58293 (227*256+181). I fired up my trusty sniffer (Wireshark) to verify, and the packets leaving my computer contained the correct port (56023).
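As an added illustration (not code from the original post), here is a small Python helper that decodes and encodes the 227 reply format described above and compares the line the server logged with the line the client received, flagging a port that was rewritten in transit or that falls outside the server's fixed passive range. The address 192.0.2.10 is a constructed stand-in for the redacted one in the logs.

```python
import re
from typing import Optional, Tuple

# Body of the 227 reply an FTP server sends for PASV:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   with port = p1*256 + p2
# ncftp prints it as "227: Entering ...", so anything up to "(" is skipped.
PASV_RE = re.compile(
    r"227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into (ip, port); ValueError on malformed input."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {reply!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_pasv(ip: str, port: int) -> str:
    """Encode (ip, port) the way a server announces it (inverse of parse_pasv)."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port <= 65535:
        raise ValueError("bad address or port")
    return f"227 Entering Passive Mode ({','.join(octets)},{port // 256},{port % 256})"


def check_pasv(server_reply: str, client_reply: str, low: int, high: int) -> Optional[str]:
    """Compare the 227 line the server logged with the one the client received.

    Returns None if they agree and the port lies in the server's fixed passive
    range [low, high]; otherwise a description of what changed in transit
    (a NAT FTP ALG, as on the Airport, is the usual cause).
    """
    s_ip, s_port = parse_pasv(server_reply)
    c_ip, c_port = parse_pasv(client_reply)
    problems = []
    if not low <= s_port <= high:
        problems.append(f"server announced {s_port}, outside {low}-{high}")
    if c_ip != s_ip:
        problems.append(f"address rewritten {s_ip} -> {c_ip}")
    if c_port != s_port:
        problems.append(f"port rewritten {s_port} -> {c_port}")
    return "; ".join(problems) or None


# Constructed sample: the two log lines from the post, 192.0.2.10 standing in
# for the redacted address.
SERVER_LOG = "227 Entering Passive Mode (192,0,2,10,218,215)"
CLIENT_LOG = "227: Entering Passive Mode (192,0,2,10,227,181)"

if __name__ == "__main__":
    print(parse_pasv(SERVER_LOG))   # ('192.0.2.10', 56023)
    print(parse_pasv(CLIENT_LOG))   # ('192.0.2.10', 58293)
    print(check_pasv(SERVER_LOG, CLIENT_LOG, 56000, 56050))
```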
I set FileZilla up to listen on a random port, 1541, and tried connecting to the server on that port, and was only remotely surprised when it worked.
Obviously something, something expensive, white and overly simplified, was mucking with the requests and modifying the port numbers.
Another setting in FileZilla's Passive mode settings allowed it to use the external IP address (instead of the internal one) for the PASV commands. I'd enabled this, assuming a normal, non-intrusive SOHO router.

I set it back to "Default" and reconnected to the server from an external site – SUCCESS.
My next purchase is going to be a nice new DD-WRT compatible 802.11n router. Suggestions are welcome.

May 3rd, 2009 at 3:51 pm
Same here, Extreme N.
Are we supposed to throw them out of the window or what?
May 12th, 2009 at 2:56 pm
@flapane – Just let the Airport handle the Passive port translation. Configure your FTP server to NOT try and determine the external IP, and just listen on the internal IP. The Airport will (should) handle the rest.
May 13th, 2009 at 3:50 am
I can't as my server is a web hosting service and I can't act on their settings.
I can only set filezilla in PASV, but it loses the connection every time and the first time it needs several attempts in order to connect to the ftp server (at least 7-8 times).
October 25th, 2009 at 3:15 pm
Suppose it's sad that you have to rely on a gateway to be broken to be happy, but I of course understand your frustration, and your assumptions. It would be Apple who made one problem in life for NAT-cloistered FTP servers easier. NAT is a right arse, and this sort of crap won't go away – really go away – till we move to IPv6 (and that's one thing your pretty box gets right, so think before trashing it). For the record: there is a server FTP ALG, and to enable it you *only* map port 21 into your server. If traffic passes to port 21, it goes through the Airport ALG. NAT makes the passive mode problematic on server only (you obviously know your networking), so the ALG changes the address and port number to a temporary, mapped port to make the private address and port announced reachable. There are other ALGs in there to make other changes, but some of them are broken.
So yeah, if it weren't for UPnP, think before throwing it out, and hope and pray for IPv6.
Cheers,
Sabahattin
PS: Change the LED from flashing to steady? Restart! :-)
It's ironic, since NAT-PMP portmaps happen without restarts. Perhaps you'll look into Lighthouse? I won't.
December 13th, 2009 at 3:29 pm
Well, that's unfair, I paid 150eur and it's crap stuff. Ok, let me do the transfers at least in PASV, don't lose the connection RANDOMLY on EVERY computer and connecting to EVERY ftp server!