I have 2 networks. Network 1 has the computers, servers and 2 FTPs. One FTP is FileZilla, one is an Asus router with an external HD and FTP enabled (the best 20€ I have ever spent! simple solution and highly effective and useful!). Network 2 has 1 computer that runs 2 virtual computers.
Problem 1:
Mikrotik 1 has NAT port forwarding from port 21 to port 21 for FTP 1 and NAT port forwarding from port 333 to port 21 for FTP 2. This way FTP 1 and 2 are accessible from the internet. The problem is the NAT port forwarding for FTP 1, because I can't connect to my outside FTP 3, which also runs on port 21! I switched the NAT port forwarding from 21 to 334. This way I can access my FTP 3 and both FTPs are accessible from the internet. I have also entered this:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
Also make sure that you allow packets with connection-state=related. It's usually part of the first standard rule.
Problem solved! Do I really need this firewall filter?
Problem 2:
I don't even know how to explain this, but every computer behind Mikrotik 2, so network 2, which has its own external IP, can't connect to FTP 1 or FTP 2 in network 1. It can connect to FTP 3 (the FTP outside). Or let me correct myself. It can connect, but after a period of time I get error 10054. After the connection, it starts to fetch the directories and files of the root, but it never displays the results. The funny part is that sometimes it does work and I can browse the FTP … 1 out of 10 times maybe … I have Cobian Backup here that can upload to FTP. The test sometimes goes through and sometimes it returns error 10054. I also have a freesqlbackup program that also transfers files to the FTP. The test connection to the FTP works, but when the actual upload starts, it stops working …
I entered into Mikrotik 2 NAT port forwarding for ports 333 and 334 and added the external IP, and also added the same filter … Nothing works because I don't know what I am doing! I guess the problem is with Mikrotik 1 and I don't need to do anything on Mikrotik 2, since it can connect to FTP 3 without any issues … Or am I wrong? Do I need NAT and filters? Or just NAT? Please help me out.
Thumbs up for the image. But without showing your config, it's a guessing game, and not a good one. The guess for problem 1 is a wrong dstnat rule that doesn't specify the destination address in any way. The guess for problem 2 is some other wrong config, but depending on how "creative" you are, it could be so many things…
If you want to increase your chances, do:
/export hide-sensitive file=myconfig
And post the content of myconfig.rsc in code tags. You can mask things like the public address if you want, but don't overdo it.
Here are both Mikrotik settings. Let me know if I need to post anything else. Like I said, I basically copied the NATs from the old router and entered them into the NAT section. And I added 1 filter rule, since that is what I found on the forums here.
then the only two conditions are protocol and port. It will take incoming connections to your server, outgoing connections to remote servers, everything, because it will all match. With the non-standard port 334 it's less noticeable, but it's still possibly a problem. With the standard port 21, well, you discovered that yourself.
You need to add another condition to limit it only to your address. It can be either dst-address= (if you have a static public address on this router; I'm not sure what you have, I see both some static address and a DHCP client on ether1) or dst-address-type=local (matches any address on the router, which may still be too broad, but usually it's good enough). You want to do this for all your current dstnat rules.
About unneeded things, that would be this on both routers:
And the two bold rules on router 2 are completely useless too.
As for why the servers in network 1 don't work from network 2, I'm not sure. They should. Make sure that the clients use passive mode, but that's probably not it, because it should be the default. Try to return one server to port 21 and check if it helps. I assume you have just plain FTP without encryption, right? Otherwise it would be unlikely to work at all.
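The point about a dstnat rule that matches only on protocol and port can be shown with a small model of how the dstnat chain is evaluated. This is an added example, not RouterOS code and not anything posted in the thread: it simulates first-match rule processing over the packets the thread describes (a client on the internet reaching the router, and a LAN host going out to the external FTP 3). The addresses are assumptions taken from RFC 5737 documentation ranges, and the only RouterOS semantics it models are that dstnat sees every packet routed through the router and that dst-address-type=local matches the router's own addresses.

```python
"""Simplified model of RouterOS dst-nat matching (added example, not RouterOS code).

Assumed addresses (not from the thread, RFC 5737 documentation ranges):
  router WAN 203.0.113.10, router LAN 192.168.1.1,
  FTP 1 on the LAN 192.168.1.20, external FTP 3 198.51.100.7.
"""
from dataclasses import dataclass
from typing import List, Optional

# Every address configured on the router; dst-address-type=local matches these.
ROUTER_ADDRESSES = {"203.0.113.10", "192.168.1.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class DstNatRule:
    """The subset of /ip firewall nat fields discussed in the thread."""
    protocol: str
    dst_port: int
    to_address: str
    to_port: int
    dst_address: Optional[str] = None      # dst-address=
    dst_address_type_local: bool = False   # dst-address-type=local

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.protocol or pkt.dport != self.dst_port:
            return False
        if self.dst_address is not None and pkt.dst != self.dst_address:
            return False
        if self.dst_address_type_local and pkt.dst not in ROUTER_ADDRESSES:
            return False
        return True


def apply_dstnat(rules: List[DstNatRule], pkt: Packet) -> Packet:
    """First matching rule wins, as in a RouterOS chain; returns the rewritten packet."""
    for rule in rules:
        if rule.matches(pkt):
            return Packet(pkt.src, pkt.sport, rule.to_address, rule.to_port, pkt.proto)
    return pkt


# Constructed traffic: an internet client reaching the router's WAN address,
# and a LAN host opening a connection to the external FTP 3 on port 21.
INBOUND = Packet("198.51.100.99", 40000, "203.0.113.10", 21)
OUTBOUND_TO_FTP3 = Packet("192.168.1.50", 40001, "198.51.100.7", 21)

# The rule as copied from the old router: protocol and port only.
LOOSE = [DstNatRule("tcp", 21, "192.168.1.20", 21)]
# The same rule limited to the router's own addresses.
FIXED = [DstNatRule("tcp", 21, "192.168.1.20", 21, dst_address_type_local=True)]


def compare() -> dict:
    """Destination each packet ends up with under the loose and the fixed rule."""
    return {
        "loose_inbound": apply_dstnat(LOOSE, INBOUND).dst,
        "loose_outbound": apply_dstnat(LOOSE, OUTBOUND_TO_FTP3).dst,
        "fixed_inbound": apply_dstnat(FIXED, INBOUND).dst,
        "fixed_outbound": apply_dstnat(FIXED, OUTBOUND_TO_FTP3).dst,
    }


if __name__ == "__main__":
    for name, dst in compare().items():
        print(f"{name}: {dst}")
```

Under the loose rule the LAN host's connection to FTP 3 is silently redirected to FTP 1 on the LAN, which is exactly the symptom reported for port 21; the fixed rule leaves that connection alone and still forwards the inbound one.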
I will have a look later on and report back. As I suspected about the bold italic text in Mikrotik 2. I will remove it.
It's bugging me, because clients can connect. The only problem I have is connecting from Mikrotik 2. And like I said, sometimes it works, but most of the time it doesn't.
I have also removed the bold/italic lines on Mikrotik 2 and removed the filter rule on both Mikrotiks. Still no success connecting to FTP1 or FTP2 from the network behind Mikrotik 2. I tested on clients and it does work. But the Mikrotik 2 to Mikrotik 1 connection is causing me headaches.
Let me correct myself … I can connect to FTP1 and FTP2 from network 2! But when the command is sent to fetch the directories and files, it gets disconnected and the connection is lost!
Yes, that's what I meant. Find a log on the client and check what command is used before getting the directory listing. Is it PASV or PORT? It should be PASV. If not, try to find some option to change it (look for "passive mode").
On the client I do have "passive mode" in the settings for the connection. It's funny, because it works and it doesn't at the same time. And the only difference is that my clients don't have a Mikrotik router. I have a spare Mikrotik at my office. I will take it home tomorrow and set it up just to test the Mikrotik-to-Mikrotik connection. If it's going to work, then the problem must be on my ISP modem, since both Mikrotiks are connected to the same one.
Better find what you have in the logs, the exact commands. It can still use the other one if the first fails. There could also be some useful message. You want to see the PASV command followed by the response "227 Entering Passive Mode (a,a,a,a,p,p)", where a.a.a.a is the public address of Mikrotik1 (p is the port split in half, but it's dynamic, so not of much use). It should be right before the listing command, either LIST or MLSD (the response to that might contain some useful info too).
That's weird, because after "200 Type set to A" either PASV or PORT should come, but here it looks as if the client didn't send it at all. But knowing TC well enough, I'm sure it does. So the question is where it got lost.
There are two things. Either SFTP, which is a completely different protocol (based on SSH), and there may be some reason why clients couldn't use it. Or FTPS, which is FTP with encryption, but it doesn't make things easier.
I must remind you … If you look at the picture, clients can connect and upload files. It's network 2 that can't connect to network 1 … So network 1 must be working OK, otherwise clients from the internet would not be able to connect. It's network 2 that is causing me a headache. From that network the connection doesn't work. I will set up a Mikrotik at home to see if I can connect from network 2 to my home FTP and from home to FTP 1 and FTP 2 in network 1.
But it's not your router's config (network 2); it has nothing that could influence it (even those two wrong dstnat rules you had there did essentially nothing when connecting to network 1). If something is blocking it, it would have to be something in the ISP's network between your two networks (I don't know if it's just one router or if there's a longer path). But I don't see why. Perhaps with a standard port something could be sticking its nose in it, but it's less likely for non-standard ones. And why would they even do it, and only for local traffic? It doesn't make sense.
Exactly what I am saying. It doesn't make sense at all why it's not working. I am 99.99% sure it's my ISP modem. The two Mikrotiks are both on 50 cm cables and are practically together …
Thank you for your time!
If you're ready to go a bit advanced, you can catch some packets and check if/how the ISP's router interferes. Use Tools->Packet Sniffer on the WAN interfaces, limit it to port 333 and save the captured packets to a file. Then get Wireshark and compare the captures from both routers, to see if all packets from router 2 reached router 1 and if they are the same. You're really only interested in the end, before it breaks.
I don't know why I didn't check this first … The logs … I guess it has something to do with the "passive" settings and ports.
ftp2_ dstnat: in:ether1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), ExtIpOfNetwoork2:51682->ExtIpOfNetwoork1:333, len 52
It's trying every port from 51682 till 51970 at this moment and it's still going …
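The firewall log line quoted above has a fixed layout (log prefix, chain, in/out interface, source MAC, protocol and TCP flags, src:port->dst:port, length), so a run of such lines can be parsed and aggregated instead of read by eye. The following is an added example, not RouterOS code and not from the thread: it parses lines in that format and counts, per source, destination and destination port, how many SYNs were logged and from which source ports. The sample lines are constructed in the format of the quoted line, with RFC 5737 documentation addresses standing in for the two masked public IPs. A rising source port on each SYN is what any client does when it opens one new connection after another; the counts only show how many attempts there were, not why they failed.

```python
"""Parser and aggregator for RouterOS firewall log lines (added example, not RouterOS code).

Sample lines are constructed after the line quoted in the thread; 203.0.113.20
and 198.51.100.10 are documentation addresses standing in for the real ones.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<prefix>\S+)\s+(?P<action>\w+):\s+in:(?P<in_if>\S+)\s+out:(?P<out_if>.+?),\s+"
    r"src-mac\s+(?P<src_mac>\S+),\s+proto\s+(?P<proto>\w+)(?:\s+\((?P<flags>[^)]*)\))?,\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+),\s+len\s+(?P<length>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else set()
    return rec


Key = Tuple[str, str, int]


def syn_attempts(lines: List[str]) -> Dict[Key, dict]:
    """Per (src, dst, dport): number of logged SYNs and the source ports used."""
    stats: Dict[Key, dict] = defaultdict(lambda: {"syns": 0, "source_ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or "SYN" not in rec["flags"]:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        stats[key]["syns"] += 1
        stats[key]["source_ports"].add(rec["sport"])
    return {k: {"syns": v["syns"], "source_ports": sorted(v["source_ports"])}
            for k, v in stats.items()}


# Constructed sample: three successive connection attempts to port 333 plus one
# unrelated non-SYN packet and one line in a different format.
SAMPLE = [
    "ftp2_ dstnat: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), "
    "203.0.113.20:51682->198.51.100.10:333, len 52",
    "ftp2_ dstnat: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), "
    "203.0.113.20:51683->198.51.100.10:333, len 52",
    "ftp2_ dstnat: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), "
    "203.0.113.20:51684->198.51.100.10:333, len 52",
    "ftp2_ dstnat: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (ACK,PSH), "
    "203.0.113.20:51684->198.51.100.10:333, len 92",
    "some other log message that does not match",
]


if __name__ == "__main__":
    for key, val in syn_attempts(SAMPLE).items():
        src, dst, dport = key
        print(f"{src} -> {dst}:{dport}: {val['syns']} SYNs from ports {val['source_ports']}")
```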