Call us at 304 5616500

How to configure your ftp server behind a NAT router with dynamic IP?

If you have arrived here it is because you have found yourself with this great dilemma of how to configure your ftp server behind a NAT router with dynamic IP. Let's start by explaining what happens here:

FTP is a protocol for file transfer or as its acronym in English say, File Transfer Protocol. This protocol is very useful mainly when we want to send files to an external server, such as to implement an application, a web page or when we want to bakups our servers either on our computer or on NAS systems (we will discuss these systems in another Post ).

Now, FTP uses the client-server model, our computer or that of a user communicates (from now on customer) with an external server. In the image below you can see how the client interacts with the FTP server. 

This is where the problems begin, if the client is going to communicate with your server requires an IP to locate it, however, the server being behind a NAT router is assigned a single public IP for all computers on the local network, So, how do we achieve that when contacting the public IP it directs it exclusively to the equipment that we have as an FTP server within our local network? This is where the NAT router comes in to do its work, but we will configure it later. For now we are going to configure our FTP server first using Filezilla server.


Filezilla Server installation

On our computer we are going to configure the FTP server, for this we use filezilla server. On the web you will find more options such as Titan FTP Server, Serv-U FTP Server, among others, but Filezilla is the one that has taken its strongest place. 

First we install it in the folder that we define, we leave the default options and we enter an administrator password. Once installed you will find a screen like the following:

To enter our new server we leave the default options and enter the password created when installing the program:

localhost To connect to our computer (

Port 14147 To enter the administrator port

When we connect, depending on the case, we will see several warnings. The most commons are «You appear to be behind a NAT router. Please configure the passive mode settings and forward a range of ports in your router. » and "FTP over TLS is not enabled, users cannot securely log in" and NAT router ". The first warning is the one that we are going to address in this article because without solving it the client will not be able to communicate with our computer. The second warning is telling us that the communication is not made through FTPS therefore it is not secure, we will address it in another Post.

To understand the first warning we have to know how the communication of our computer with the network works.

Groups Settings in Filezilla

We are going to create a group to which we are going to give access to our FTP server. just click on the add button, write the name and check the Enable access for users inside group box.

Filezilla v0.8
Filezilla v1.1

Once created we must configure which folder we are going to give access to the users that belong to this group, for this we go to the shared folders option on the left menu, select the created group and click on the add button (below directories), there we must select the folder that we want to share by ftp and select the permissions that we are going to give it.

Filezilla v0.8
Filezilla v1.1

Finally we are going to add an extra security layer to restrict access to our server. We will only allow our client's ip to access. In our case we are configuring an FTP server to make backups so we have the client's ips quite well defined. To block all incoming connections we will write a * and exclude in the following box the IPs that we want to allow in the connection, we finish by clicking OK:

Filezilla v0.8
Filezilla v1.1

User Creation in Filezilla

Once the group is created, we will create the users. We go to the users section, click on Add, write a name and select the group to which it belongs, then we enable the account and write a password. In the case of Filezilla v1.1 it is important to note that I changed the folder management a bit, it is necessary to select a virtual path, otherwise it will send us an error "Virtual path must be absolute", to solve it just put "/".

Filezilla v0.8
Filezilla v1.1

Being within a group already configured we do not need to make further modifications, however FileZilla allows us to make specific configurations per user if desired. 

We have finished the user configuration. Now we go with our team. As I mentioned at the beginning, we have a NAT router that generates dynamic IPs both to our local IP and to the network IP, this in addition to having a network IP for all our computers in our local network, as you can imagine this implies makes it impossible for our client to connect with our server because the IP to which it connects can be from several different computers in the local network assigned to that IP. For which we must configure the passive mode in FileZilla, this will cause our router to receive a request by FTP (port 21 by default) it returns a series of ports for the client to connect through any of these randomly. To configure this we go to edit> settings and in the left menu we will go to passive mode settings:

Once there, we are going to configure the ports through which we will allow the client to connect, the ports must be greater than 1024 as these are reserved for system protocols. Once the ports have been selected, we activate the Retrieve external IP address from box, this box will allow us to use the IP we have, as it is a dynamic IP it will not always be the same, so we allow FileZilla to obtain it for us.

Once FileZilla is configured, we must configure our router to enable the ports that we have selected in FileZilla. Usually we connect to our router through the IP in our browser. The credentials depend on each router and user configuration. If you don't know it, I recommend you search in google for your router model. Once we enter we go to the Forward port section and indicate the ports that we have just selected in Filezilla:

As you can see, we write the ports described above and direct them to the local ip of our computer, if you don't know what your ip is, open a command line (cmd) and write ipconfig, it is the ipv4 line.

With this we solve the problem of a single IP for our entire local network. The connection would be as follows: 

Client connects through network ip. It is received by the router, through a port forward it determines to which computer in the local network it should send the communication with the ports selected in FileZilla.

Finally we must configure the static (local) IP of our server, with this we make sure that the local IP will not change and the forward port would be sending the communication to an IP that is no longer being used. We must do this configuration in our router:

With this we are done. The remaining step is to connect through the client. The ip would be our network ip, How to know my network ip?, user that we create in our FileZilla server along with its password and port 21 if your client asks for it. If everything is correct, you will see a screen like this in your FileZilla Server with the respective connection status: 

If at this point you have an error in the connection, the firewall is probably preventing the connection with your computer, to solve this I invite you to see this Article

We have already tried with the IP we currently have, but what happens when our IP changes? For this we must use a dynamic DNS service (DDNS) if you do not know about this concept I invite you to see this Aarticle, In short, this service will be in charge of updating the IP of our router and assign it to a host name, so that our client will no longer connect to a specific IP but to the host name. 

We are going to configure our DDNS for this there are many services both paid and free, I recommend you review the options of your router to evaluate if the DDNS service is supported by your router.

Once validated we must enter our DDNS service and create the host name and assign it the current IP. Later we look in the configuration of our router for the DDNS option, we select our service and we enter the credentials. With this, the router can now connect with our DDNS service and update the ip to the host name.

With this we would already have our Local ftp server configured.

Subscribe to get 15% discount