I'm running an RB450 with a Public IP of 1.2.3.4 and a NATTED subnet of 192.168.100.X. One of my users needs to run an application that uses Active FTP. I'm attempting to open ports 20-22 and 1024-65535 to IP Address 192.168.100.68. Here's my IP FIREWALL NAT print:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.100.68 to-ports=20-22 protocol=tcp src-address-list=192.168.100.68 src-port="" dst-port=20-22 port=""
1 chain=srcnat action=src-nat to-addresses=1.2.3.4 to-ports=20-22 protocol=tcp src-address-list=192.168.100.68 dst-address-list=1.2.3.4
src-port=20-22 dst-port="" port=""
2 chain=dstnat action=dst-nat to-addresses=192.168.100.68 to-ports=1024-65535 protocol=tcp src-address-list=192.168.100.68 src-port="" dst-port=1024-65535
port=""
3 chain=srcnat action=src-nat to-addresses=1.2.3.4 to-ports=1024-65535 protocol=tcp src-address-list=192.168.100.68 src-port=1024-65535 dst-port=""
port=""
4 chain=srcnat action=masquerade out-interface=Public
So far, this hasn't worked. I'm new at this so any thoughts or suggestions are very much appreciated.
Re: Opening Ports to Allow Active FTP
I think you are trying to make it more complicated. The dest NAT to your device should be enough to initiate the FTP session on port 21, then the source NAT aka masquerade should handle all the other ports.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<WANIP> dst-port=21 protocal=tcp to-address=192.168.100.68 to-ports=21
add action=masquerade chain=srcnat comment=gatewayNAT disabled=no out-interface=ether1-WANGATEWAY
at the very least, you are missing the dst-address=<WANIP> in your statement.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<WANIP> dst-port=21 protocal=tcp to-address=192.168.100.68 to-ports=21
add action=masquerade chain=srcnat comment=gatewayNAT disabled=no out-interface=ether1-WANGATEWAY
at the very least, you are missing the dst-address=<WANIP> in your statement.
Re: Opening Ports to Allow Active FTP
I assume that "application that uses Active FTP" means FTP client and not FTP server as syadnom understood it.
If it's the case, you should need to configure almost nothing, as long as it's plain unencrypted FTP on standard port. You just need the masquerade rule and:
It's set by default, so unless you changed it, it's already there. Everything will just work, client will happily issue PORT commands with its internal address 192.168.100.68, knowing nothing about NAT. But RouterOS will monitor the control connection and rewrite them to correct public IP and also take care of forwarding the right ports when data connections from server arrive.
It will fail if:
a) Target FTP server listens on port other than default 21.
If it is just single exception, it can be fixed by adding that port to /ip firewall service-port to have it also monitored.
But if you want that client to be able to connect to any server to any possible non-standard port using active mode, then go right to b), ignore the info about encryption and just use the same settings.
b) Connection to target server is encrypted.
In this case RouterOS can't inspect the control connection and do the rewriting, so you have to forward the ports manually:
That alone is *not* enough, you also have to configure FTP client to send the proper public IP (your example 1.2.3.4) to server with PORT commands. And while you're at it (read "the client supports it") you can also narrow down the forwarded port range to much smaller one (and you must set the same range on both router and client), because you probably don't want to waste so many ports on just one client.
If it's the case, you should need to configure almost nothing, as long as it's plain unencrypted FTP on standard port. You just need the masquerade rule and:
Code: Select all
/ip firewall service-port set ftp disabled=no ports=21It will fail if:
a) Target FTP server listens on port other than default 21.
If it is just single exception, it can be fixed by adding that port to /ip firewall service-port to have it also monitored.
But if you want that client to be able to connect to any server to any possible non-standard port using active mode, then go right to b), ignore the info about encryption and just use the same settings.
b) Connection to target server is encrypted.
In this case RouterOS can't inspect the control connection and do the rewriting, so you have to forward the ports manually:
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=1024-65535 \
protocol=tcp to-addresses=192.168.100.68Re: Opening Ports to Allow Active FTP
Active mode is just a PITA for the client. It needs ports 20 & 21 open inbound to the FTP server and the FTP server needs to be able to get out the firewall on ports >1024. The client has to worry about strange inbound replies from the server.
Sob, I don't read the OP as wanting to connect to the mikrotik's ftp server.
Sob, I don't read the OP as wanting to connect to the mikrotik's ftp server.
Re: Opening Ports to Allow Active FTP
You suggested to forward port 21 from public IP to internal IP, so clearly you take the internal device behind NAT as FTP server (different from FTP server on router itself of course). From OP's description (and description alone, his rules show too many forwarded ports to take anything from that) it looks to me more like that internal device is FTP client. Otherwise why would he need to forward ports for active mode, it's what clients need. There's of course the possibility that OP doesn't know exactly what he wants. 
But he'll surely tell us.
But he'll surely tell us.
Re: Opening Ports to Allow Active FTP
In my case, NAT active FTP, works perfectly doing the following:
(RouterOS v6.7)
and,
That's all!
Tnaks to Sob for the useful way to solve this issue!
(RouterOS v6.7)
Code: Select all
/ip firewall nat add action=dst-nat chain=dstnat dst-address="Public Address" dst-port="non-standard port >1023" protocol=tcp to-addresses="Private Address" to-port="non-standard port >1023"
Code: Select all
ip firewall service-port set ftp disabled=no ports="non-standar port"Tnaks to Sob for the useful way to solve this issue!