NAT Routers, Dynamic IPs and CrushFTP

Jeffrey N. Denenberg
jeffrey.denenberg@ieee.org
http://DoctorD.webhop.net
January 19, 2001 (Updated June 8, 2001)

1.  Introduction

The FTP protocol has developed over a long period, predating the World-Wide Web by more than 10 years.  When its basic functions were defined there were no dynamic IPs or NAT routers. 

An IP currently is a code of four numbers (IPv4, planned to be replaced in the near future by the new IPv6 standard), where each number ranges from 0 to 255 (e.g. 24.151.13.42).  It can be either static (permanent) or dynamic (temporarily assigned and later reused by others).  A dynamic IP makes it difficult for others to reliably find servers you may be running on your computer unless you use a Dynamic IP Service as described in the next section. 

A NAT router (e.g. the low cost units from Linksys, Netgear, and Dlink) allows the sharing of one IP among several computers on a Local Area Network (LAN).  It does this by taking ownership of the Wide Area Network (WAN) IP assigned to you by your Internet Service Provider (ISP), assigning local IP numbers to the computers on your LAN, and forwarding information packets as appropriate.  This has a side benefit of shielding your computers from the outside world - a firewall of sorts - but it can and does cause problems when you run some applications (e.g. games, IP telephony, and FTP servers).

2.  Dealing with A Dynamic IP

Several organizations operate services that provide a pseudo Domain Naming Service (DNS) name to users with a dynamic IP.  You need to register with such a service, create an account (some of them are at no cost) and set up a host name on their domain.  Here are two examples that I use (both are free services, but contributions of cash or service are appreciated):

http://doctord.dyn.dhs.org:8000/

·       DoctorD - my Host name
·       dyn - stands for dynamic and is a sub domain at
·       dhs.org - the domain for Dynamic Host Services - http://www.dhs.org
·       :8000 - the port that my web server is at (normally defaults to port 80)

http://doctord.dyndns.org:8000/

·       DoctorD - my Host name again (it could have been different)
·       dyndns.org - the domain for Dynamic Domain Name Services - http://www.dyndns.com
·       :8000 - again the port that my web server is at

Note: The "DoctorD.webhop.net" DNS name at the beginning of this paper is another service of dyndns that redirects you to my web server via my Hostname at their domain.

To automate the update of your IP at their server, you need to run a client software package on your machine that can sniff out your current IP number and send them a packet to update their database whenever it changes.  Updates have to be done carefully, only when the IP actually changes, so as not to overload their server with unnecessary updates. 

The Windows Client that I use is DynSite written by Noel Danjou (noeldanjou@bigfoot.com, http://noeld.com/).  DynSite supports most (41 as of January, 2001) of the existing Dynamic IP services.  There are many others for whatever operating system you happen to use.

3.  FTP and NAT Routers

Most FTP servers assume that the IP number of the local machine is known to the world (an appropriate assumption when the protocol was developed).  A NAT router makes this assumption incorrect.  The IP number is sent in several packet types (e.g. the "PORT" packet which sets up "Passive" transfers) to the FTP client to tell it how to transfer data.  If the IP number is wrong (the server's LAN address instead of the WAN address), the protocol breaks. 

High-end NAT routers have a feature specifically designed to handle many of these problems.  It is called "Stateful Packet Inspection".  Each and every outgoing packet is opened up and parsed to find IP and port (an extension to the IP number) numbers.  If found, the local IP is translated to the WAN IP and a forwarding entry for that port is established so that incoming packets to that port are sent to the local machine.  The packet is then closed back up (redoing the CRC error checksum) and sent out.  This feature improves security and allows FTP servers to function, but it is far too much work for a low-cost NAT router, so it is generally not implemented.

4.  Solving the Dynamic IP Problem

CrushFTP written by Ben Spink (ben@crushftp.com, http://crushftp.com/) does its part in the solution by allowing the system administrator (you) to specify a hard_code_ip number in its configuration.  Another feature lets it periodically update this by reading a text file in the application directory (hard_code_ip.txt) that has only the current WAN IP number in the first line.

DynSite, the Windows Dynamic IP Client discussed earlier, offers the feature of writing the current WAN IP in a text file at a designated pathname each time an update occurs.  (If you use a different operating system, you should be able to modify one of the script-based clients to perform the same function.)

These two programs work together to form a complete solution. 

5.  Solving the Passive Port Problem

CrushFTP also has a feature (as do several other good FTP Servers) that lets you, the System Administrator, configure the server to limit the randomly selected passive ports to stay within a designated contiguous range.  This limits the number of forwarded ports to a reasonable number and reduces the security risk of open ports.  Note that you must manually set up the NAT router to forward these ports (along with ports 21 and 20) to the machine running your FTP Server.
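Putting sections 4 and 5 together, here is an added example that is not part of the original paper and not code from CrushFTP or DynSite: it reads the WAN address from hard_code_ip.txt-style contents, picks a port from the contiguous forwarded passive range, builds the "227 Entering Passive Mode" reply the server sends, and adds a client-side check that flags a reply still carrying a LAN address (the NAT failure described in section 3). The file contents and addresses are constructed and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed sample of hard_code_ip.txt as CrushFTP expects it: the current
# WAN IP alone on the first line. The address itself is made up.
SAMPLE_HARD_CODE_IP_TXT = "24.151.13.42\n"

def read_hard_code_ip(text):
    # Return the WAN IPv4 address from the first line, or None if unusable.
    # A file still holding a LAN (RFC 1918) address would make the server
    # advertise an unroutable address, so reject those as well.
    lines = text.splitlines()
    try:
        ip = ipaddress.IPv4Address(lines[0].strip() if lines else "")
    except ipaddress.AddressValueError:
        return None
    if ip.is_private or ip.is_loopback or ip.is_unspecified:
        return None
    return str(ip)

def choose_passive_port(lo, hi, in_use):
    # Lowest free port in the contiguous range [lo, hi] that the NAT router
    # forwards to the FTP server; None when the range is exhausted.
    for port in range(lo, hi + 1):
        if port not in in_use:
            return port
    return None

def pasv_reply(ip, port):
    # The 227 reply tells the client where to connect for data; the address
    # must be the WAN IP from hard_code_ip.txt, not the LAN interface.
    h = ip.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h[0], h[1], h[2], h[3], port // 256, port % 256)

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(line):
    # Client-side view: decode (h1,h2,h3,h4,p1,p2) back to (ip, port).
    m = PASV_RE.search(line)
    if not m:
        return None
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])

def check_advertised_address(line):
    # Defender-side check: a 227 reply advertising a private address is the NAT failure above.
    decoded = parse_pasv_reply(line)
    if decoded is None:
        return "malformed"
    return "nat-problem" if ipaddress.IPv4Address(decoded[0]).is_private else "ok"
```

If check_advertised_address reports "nat-problem" for your own server from outside your LAN, hard_code_ip.txt is stale or missing, or the server is not reading it.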