Experts on Demand
QUESTION POSED ON: 03 OCT 2005

I'm trying to set up an FTP server, from behind my Netcomm NB1300+4. I've used many different FTP server trail programs. I've entered my WAN IP into each one as the PASV IP. I've forwarded port 21 and the PASV port range to my PC, which I've given a static IP address. Firewalls are disabled, and DMZ is enabled. I can access FTP with LAN address, but not with a WAN address. Can you help?

QUESTION ANSWERED BY: Howard Plumley, Jr.

Just curious -- what do you mean by WAN address? If you can connect by IP address, then everything else is DNS. If you set up a small Web site (static), can you access that by name as well as number?


Question clarification:

By my "WAN address" I mean the address of my router on the Internet. I've been using my router's IP address to try and connect to my FTP server, but I've had no luck. If I try to connect to my FTP server using the PC's IP address behind the router, 192.168.1.2, then it works.


Answer clarification:

Public, Private, Route-ability
The Internet works on numbers -- binary numbers to identify which wire (or set of wires) connects to a specific machine (called a host). People don't think well in binary, so the convention of IPv4 (quad dotted notation) helps manage the 32-bit address space. Eight ones or zeroes can be represented by the numbers 0 to 255. These octets are easier to deal with and the perpetual source of confusion. We actually have problems with the numbers anyway and use "Name Servers" to make the system work in human-friendly terms. My host is PNW-HHP-WS1 and today's address is 192.168.33.99, which identifies a port on my Linksys router behind a double-homed Linux box used as the firewall to a DSL modem. The router has DHCP turned off and is configured as the gateway (192.168.33.1) on my side and as 192.168.16.2 on the firewall side. Its gateway is 192.168.16.1, which is the output NIC of the firewall. The input side is assigned by my ISP (currently 64.243.xxx.yyy). All of the systems behind the router are visible to each other as long as they have an address in the range 192.168.33.2 thru .254 and a subnet of 255.255.255.0. If I change the subnet to 255.255.254.0, the systems could see any host in the range 192.168.33 and 192.168.34. Any requests outside my internal range are passed through the router, through the firewall and resolved by the name servers/routers at the ISP.

Public Addresses

  • Class A -- (1.0.0.0 -- 126.0.0.0) subnet 255.0.0.0 = 126 networks of 16 million hosts each. Note: This is the primary disparity in availability of addresses. When HP bought Compaq it acquired that Class A set and now has two. China has about 9 million IP addresses in total.

  • Class B -- (128.0.0.0 -- 191.0.0.0) = subnet 255.255.0.0 = 16,128 networks of 64,000 hosts each.

  • Class C -- (192.0.0.0 -- 223.0.0.0) = subnet 255.255.255.0 = 2,015,775 networks of 254 hosts each.

  • I know 0 to 255 would be 256 hosts, but you lose 2: broadcast on the 0 address and multicast on the 255 address.

  • Note: 224.0.0.0 thru 254.0.0.0 are used by the routers themselves -- DO NOT TOUCH!

  • Additional losses to those public addresses are the internal loopback address of 127.0.0.1 (some software has problems with any address starting with 127), the private addresses discussed below and Microsoft auto-configuration addresses (169.never going to work).

  • ALL of the public addresses are owned by somebody! Arbitrarily setting a static IP to a public address can get you blocked by your ISP, notified by lawyers with "Cease and Desist orders" or taken away for interference with government or safety equipment.
The short term solution to address shortages is the use of "private" IP addresses, which are NON-routable. Internet routers discard packets to or from private addresses. ANY communications between my system and the Internet goes through two address translations -- internal router and firewall to ISP.

Private Addresses

  • Class A -- (10.0.0.0 -- 10.255.255.255) subnet 255.0.0.0 = 1 network with 16 million hosts. Actually used as 254 networks of 64,000 each here at my university. My department has one segment, 10.15.xx.yy, the floor below is 10.17.xx.yy and so on.

  • Class B -- (172.16.0.0 -- 172.31.255.255) subnet 255.255.0.0 = 15 networks with 64,000 hosts on each. Primarily corporate use.

  • Class C -- (192.168.0.0 -- 192.168.254.255) subnet 255.255.255.0 = 254 networks with 254 hosts on each. Normal small network use, 90% use 192.168.0.xxx or 192.168.1.yyy.

My setup has a Windows 2003 server at 192.168.33.66 running IIS 6.0, FTP and SharePoint Services. None of these are directly accessible from the Internet, but they are readily accessed by the internal systems. I use Dynamic Domain Name Services to register a link between the ISP address on the firewall, which is subject to change, and ports 80, 443, 21 on the server through the routing tables in the firewall. I'd say 999 times out of a 1000, NAT (Native Address Translation) works by accepting a response to a query that went out. In your case, you want an incoming request to be honored.

  • The ISP cannot be filtering 21, 80, 443 incoming to you.
  • When you are out in the wild (on the Internet from some other location) can you ping your ISP provided address?
You state you can access the FTP from the internal address, I presume from an internal system, which will not access the external address as it is the "blind spot." Any internal system trying to access a public IP is passed out of the router on to the ISP and DISCARDED if it points to itself. After all, if you want to talk to yourself use the loopback address.

From Why PASV Poses Problems for FTP Servers on Internal Networks:

The other server-side problem that can occur is when a client is trying to access an FTP server on an internal network protected by a routing device. Because a server response from PASV includes an IP address and port number, if this IP address corresponds to a private network then the client will not be able to connect to that private address. From our PASV example above, we have:
     Server:  227 Entering Passive Mode (172,16,3,4,204,173)
If left unaltered, the client would try to connect to port 52397 on the IP address 172.16.3.4. If the client is not on the private internal network, the client would time-out trying to connect to that address, when in reality it should be connecting to the external IP address of the routing device.

Solution 1: The network administrator of the server network can consult the routing device vendor's documentation to see if FTP connections can be dynamically monitored and dynamically replace the IP address specification for packets containing the PASV response.

Using our PASV example above, when the FTP server replies to the PASV request:

     Server:  227 Entering Passive Mode (172,16,3,4,204,173)

The routing device should rewrite the packet like this, assuming the external address is 17.254.0.91:

     Server:  227 Entering Passive Mode (17,254,0,91,204,173)

The remote client would then attempt to connect to the routing device at 17.254.0.91:52397. The routing device in this example would then forward all traffic for this connection between the remote client and the internal FTP server at IP address 172.16.3.4.
I hope this helps.
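The PASV handling described in the quoted passage, worked through in Python as an added example that is not part of the original answer or of the document it quotes. It parses the 227 reply, derives the data port (p1*256 + p2, which gives 52397 for 204,173), checks the announced address against the RFC 1918 private ranges the answer lists, and shows both fixes: the router-side rewrite to the external address (Solution 1) and the client-side fallback of connecting to the control connection's peer instead of an unreachable private address. The function names, the regular expression and the sample values are my own; the sample reply and the external address 17.254.0.91 are the ones in the answer.

```python
import ipaddress
import re

# RFC 1918 private (non-routable) ranges, the "Private Addresses" the answer lists.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Shape of a PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) announced by a 227 PASV reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def is_private(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def format_pasv(ip, port):
    """Build a 227 reply for an address and port (inverse of parse_pasv)."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(ip.split(".")), port // 256, port % 256)


def rewrite_pasv(reply, external_ip):
    """Router-side fix (Solution 1): when the server announces a private address,
    substitute the router's external address and keep the announced port."""
    ip, port = parse_pasv(reply)
    if not is_private(ip):
        return reply
    return format_pasv(external_ip, port)


def client_data_endpoint(reply, control_peer_ip):
    """Client-side fallback: if the announced address is private but the control
    connection's peer is not, the announced address cannot be reached from here,
    so use the control peer's address with the announced port instead."""
    ip, port = parse_pasv(reply)
    if is_private(ip) and not is_private(control_peer_ip):
        return control_peer_ip, port
    return ip, port


if __name__ == "__main__":
    # Constructed sample: the reply quoted in the answer and its external address.
    reply = "227 Entering Passive Mode (172,16,3,4,204,173)"
    print(parse_pasv(reply))                           # ('172.16.3.4', 52397)
    print(rewrite_pasv(reply, "17.254.0.91"))          # 227 Entering Passive Mode (17,254,0,91,204,173)
    print(client_data_endpoint(reply, "17.254.0.91"))  # ('17.254.0.91', 52397)
```

Run it as a script to see the three results; the rewrite leaves a reply untouched when the announced address is already public, and the client fallback only substitutes when the client is itself outside the private network, which is exactly the case the asker is in when testing from the Internet.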
Copyright 2009, TechTarget