A solution to this problem will require true MT expert status... This must be hard!
I have reviewed the many posts in the forum regarding passive FTP connections behind a MT router, and all seem to miss the fundamental challenge, which I will attempt to describe.
First, some context. The typical case we are considering is a remote FTP client attempting to connect in passive mode to an FTP server that is behind a MT router, which is connected the the Internet, and has the WAN address of this network on one of its ports. There are likely thousands of this case in current use.
As we know, all FTP connections actually use two separate port/pair connections to communicate - one port/pair for control, and a different port/pair for data transfer. And, passive FTP connections differ from active ones in one critical way - the client initiates both the Control connection and the Data connection, for helpful reasons relevant to communicating over IP, as recommended by the RFC 1579 (Firewall-Friendly FTP).
In passive FTP mode, after initial authentication is established via the control port/pair (typically port 21 on the FTP server side), the client will send the PASV command over this control connection to the FTP server, which will then initiate passive mode, and return the response that it is entering passive mode, and the IP address and Data port that it will be listening on - this looks typically like:
Entering Passive Mode (10,0,0,10,204,173)
This instructs the client to attempt to establish a Data connection to the server (remember, in passive mode, the client establishes both control and data connections) on IP address 10.0.0.10, and on port 52397.
Here's the first part of this challenge - this data connection attempt from the remote FTP client will time-out trying to connect, because the IP address 10.0.0.10 is the internal address of the FTP server - the remote client really should be trying to connect to the Data port (port 52397 in this example) on the external WAN IP address of the MT router.
The second part of this challenge is that the Data port on the FTP server for this connection (52397, is this example), which was passed to the remote FTP client on the Control channel, was generated by the FTP server for this connection uniquely, and is in all likelihood, being blocked by the firewall (back inbound) on the MT router, as well.
What we need to figure out how to accomplish is 1) how to capture the above packet being sent from the FTP server with the Data connection port in it, modify the packet data to change the IP address from the internal address (10.0.0.10 in this example) to the external WAN address, and then send it out, so that the remote client can reach the FTP router from the Internet; and 2) how to dynamically open and forward traffic destined to the Data port uniquely established by the FTP router (port 52397, in this example), to the FTP server on the internal network behind the MT router (correct internal IP address, unique data port).
First, I assume that some sort of packet inspection is required, to 'catch' this packet being sent from the FTP server with the IP address and port number in it, and second, some sort of packet editing, to change the IP address to the WAN address, and third, some sort of dynamic opening and forwarding of packets with the data port destination to the FTP server.
If anyone has figured this out (and, I assume someone must have figured this out, as this is such a common case), or there is a clear explanation posted somewhere in the wiki or on the forum, I'd really appreciate hearing about it.
I will nominate them for MikroTIk Superhero status.......