ddejager
Member Candidate
Topic Author
Posts: 134
Joined: Tue Oct 18, 2011 5:13 am

Cannot get FTP to work

Tue Mar 24, 2015 12:31 am

For some time now I've had problems getting an FTP client behind a MikroTik router to work with an external server. I'm not sure if this is a RouterOS V6 issue or not... it did work for me at some time in the past.

I'm running RouterOS 6.27. The LIST command in any FTP client seems to fail. I'm using Passive FTP (Active also does not work.) I've tried multiple FTP clients, they all fail in the same way. For purposes of this discussion I will limit the client to FileZilla. If I run a test using FileZilla with multiple FTP servers and my computer is connected directly to the internet, it works. If I put the MikroTik router in the path it fails. For purposes of my testing I've disabled the Windows 7 firewall and have no other firewall installed.

I observe that the initial connection to the server's Port 21 comes up successfully. I can see the interaction between the client and server proceed over this connection and see the connection get put into passive mode. I see the second connection come up (in the MikroTik connections list) from the client to the server to the port that the server has instructed the passive client to use. I see the client send the LIST command and then the server replies with "425 Can't open data connection" and I see the second connection closed. The port 21 connection remains up until it times out.

I have verified that the FTP helper app in the MikroTik is enabled. My NAT rules have a masquerade src-nat rule as the first rule for my gateway interface. All other services on the router appear to work normally. (I have a SIP phone and some cameras that can be accessed remotely.) My Firewall rules have an accept established and related rule for all forward traffic as the first forward rule. The only "Drop" rule for the forward chain is to drop Invalid packets, but even if I disable this rule I have the same issue.

Why can't I get passive FTP to work?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Cannot get FTP to work

Tue Mar 24, 2015 4:10 am

Usually the passive mode is trouble-free for the client, because it's just another outgoing connection. It doesn't even need any NAT helper on the client side. The usual reason why it doesn't work is a misconfigured server (it either has the passive port range blocked or returns an internal address). If you tried more, it's probably something else, but it's hard to tell what exactly.

Stupid question, are you sure that it correctly uses passive mode with a direct connection? If you try with the same server and compare the logs, there must be the same commands and the same replies in exactly the same order, except for the port in the PASV reply (last two numbers) and the obvious difference in the following success/failure.

If the previous is true, then it surely looks like there's something wrong with the router. But it shouldn't be, because again, passive mode is just another outgoing connection and should just work. In that case, I'd check all firewall rules very closely.
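
An added example, not part of the thread or any poster's code: a Python sketch of the two checks described in the reply above. It decodes a 227 PASV reply, flags an internal or mismatched data address, and finds the first point where a direct session and a routed session differ once the PASV port is ignored. The function names, the simplified log format and the sample sessions are assumptions constructed for illustration.

```python
import ipaddress
import re
from itertools import zip_longest

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (ip, port) from a 227 reply; port is the last two numbers, p1*256+p2."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("number out of range in PASV reply: %r" % line)
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def check_pasv(line, control_peer):
    """List reasons the advertised data address may be unreachable for the client."""
    ip, _port = parse_pasv(line)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append("server returned an internal (RFC 1918) address")
    if ip != ipaddress.ip_address(control_peer):
        problems.append("address differs from the control connection peer")
    return problems

def _mask_port(line):
    # Hide only the two port numbers of a 227 reply; everything else must match.
    return re.sub(r"(227 .*?\(\d+,\d+,\d+,\d+),\d+,\d+\)", r"\1,*,*)", line.strip())

def first_divergence(direct_log, routed_log):
    """Index and lines of the first difference between two sessions, or None."""
    for i, (a, b) in enumerate(zip_longest(direct_log, routed_log, fillvalue="")):
        if _mask_port(a) != _mask_port(b):
            return i, a, b
    return None

# Constructed sample sessions (203.0.113.10 is a documentation address).
DIRECT = ["Command: PASV", "Response: 227 Entering Passive Mode (203,0,113,10,195,80)",
          "Command: LIST", "Response: 150 Opening data connection"]
ROUTED = ["Command: PASV", "Response: 227 Entering Passive Mode (203,0,113,10,195,90)",
          "Command: LIST", "Response: 425 Can't open data connection"]

if __name__ == "__main__":
    print(parse_pasv(DIRECT[1]))
    print(check_pasv("227 Entering Passive Mode (192,168,1,20,195,80)", "203.0.113.10"))
    print(first_divergence(DIRECT, ROUTED))
```

If the two sessions first differ only at the reply to LIST and the PASV address passes both checks, the control-channel dialogue is identical and the fault lies in whether the data port is reachable.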
 
ddejager
Member Candidate
Topic Author
Posts: 134
Joined: Tue Oct 18, 2011 5:13 am

Re: Cannot get FTP to work

Tue Mar 24, 2015 4:11 pm

Sob, there are no "stupid questions". Your comment caused me to probe more deeply and test and compare active to passive FTP for this particular FTP server and others. It turns out the active FTP worked, but passive did not. It also turns out that passive FTP did not work only with one particular server and I determined that the particular server has a firewall configured incorrectly, preventing passive FTP from working. So it was not my router, but the FTP server's firewall causing this problem.
