Can't access any external ftp server #2

Hi all again!

I had to open another topic, because the previous one had been locked (without a solution).

So, my problem is that if I enable FTP port forwarding (20-21 + passive ports) to an IP address on the LAN side, I can't connect outside. Here is some output, then I will continue.

[admin@RB450G] /ip firewall nat> print all 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=DIGI 

 1   chain=dstnat action=dst-nat to-addresses=192.168.1.69 to-ports=20-21 protocol=tcp dst-port=20-21 

 2   chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.69 out-interface=LAN1 dst-port=20-21 

 3   chain=srcnat action=src-nat to-ports=20-21 protocol=tcp src-address=192.168.1.69 out-interface=DIGI src-port=20-21 

 4   chain=dstnat action=dst-nat to-addresses=192.168.1.69 to-ports=50000-50100 protocol=tcp dst-port=50000-50100 

 5 D chain=dstnat action=dst-nat to-addresses=192.168.1.70 to-ports=63904 protocol=udp dst-address=188.143.58.71 dst-port=63904 

 6 D chain=dstnat action=dst-nat to-addresses=192.168.1.69 to-ports=54123 protocol=tcp dst-address=188.143.63.172 dst-port=54123 

 7 D chain=dstnat action=dst-nat to-addresses=192.168.1.69 to-ports=54123 protocol=udp dst-address=188.143.63.172 dst-port=54123

So, if rule #1 is disabled, then I can connect everywhere, but no one can connect to the other side of the router.

If I enable every rule, I can't connect outside, but due to rule #2 and the power of hairpin NAT, I can connect to my server using the WAN-side host. But when connecting to other FTPs I can see that I'm actually connecting to my own server! The server is available from outside.

And if I enable rule #1 but disable rule #2, I can't access my server from inside, because there is no hairpin NAT... but I still cannot connect to other FTPs. The server is still available from outside.

Rule #3 seems to be a dummy; it hasn't been applied to any packet yet according to the stats.

In short: it seems to me at the moment that something is wrong, because I had to choose between "connecting" or "being connectable", and I won't accept that this is the way it should be. Which rule do I have to edit, and WHY (maybe this is the most important, the "whys")?

Thanks for your help.

Delete rule #3. It is unnecessary, and traffic doesn't fall through to it because rule 0 catches it.

Change rule #1 to this:

chain=dstnat action=dst-nat to-addresses=192.168.1.69 protocol=tcp dst-port=20-21 dst-address-type=local

You can remove the to-ports because they are unnecessary. dst-address-type=local fixes your issue. The rule as you have it now says “whenever you see traffic for tcp/20 or tcp/21, rewrite the destination IP address in the header to 192.168.1.69”. This obviously matches ANY FTP request going through the router, including going to some FTP site out on the Internet. ‘dst-address-type=local’ means “but only if the destination IP address before rewriting is an IP address assigned to a router interface”. That will still match all FTP traffic to your FTP site because it’ll be referencing the WAN IP of the router, but won’t match FTP requests to other FTP servers. If you have a static IP on your WAN interface you can add ‘src-address=1.1.1.1’ instead and leave out the dst-address-type, but since you’re using masquerade I’m assuming your WAN IP is dynamic.
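The complete NAT rule set that follows from the answer above, written out as an added example (it is not the rule set fewi or the original poster actually posted). It keeps the poster's interfaces (DIGI, LAN1), server address (192.168.1.69) and port ranges, shows the broken dstnat rule beside the corrected one, and extends the same `dst-address-type=local` guard to the passive-port rule #4, which is an assumption of mine: as posted, rule #4 has the same "match every tcp/50000-50100 flow through the router" shape as rule #1, so the same reasoning applies. Widening the hairpin rule to cover the passive ports is likewise my addition.

```routeros
/ip firewall nat

# Rule 0 (unchanged): masquerade everything leaving the WAN interface.
add chain=srcnat action=masquerade out-interface=DIGI \
    comment="outbound masquerade"

# BROKEN version of rule 1, kept here commented out for comparison.
# It matches ANY tcp/20-21 packet passing through the router, including a
# LAN client's session to an FTP server on the Internet, and rewrites the
# destination to 192.168.1.69 - which is why "other FTPs" turned out to be
# the local server.
# add chain=dstnat action=dst-nat to-addresses=192.168.1.69 to-ports=20-21 \
#     protocol=tcp dst-port=20-21

# FIXED rule 1: only rewrite when the pre-NAT destination is an address the
# router itself owns (its WAN IP). to-ports is dropped; the port is unchanged.
add chain=dstnat action=dst-nat to-addresses=192.168.1.69 protocol=tcp \
    dst-port=20-21 dst-address-type=local \
    comment="FTP control to LAN server, only for router-local destinations"

# Passive data ports get the same guard (assumption: rule 4 as originally
# posted would otherwise hijack any outbound connection to tcp/50000-50100).
add chain=dstnat action=dst-nat to-addresses=192.168.1.69 protocol=tcp \
    dst-port=50000-50100 dst-address-type=local \
    comment="FTP passive data ports to LAN server"

# Hairpin NAT (rule 2 from the thread, widened to the passive ports - assumption):
# when a LAN client reaches the server through the WAN address, source-NAT the
# flow so the server answers via the router instead of directly to the client.
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 \
    dst-address=192.168.1.69 out-interface=LAN1 dst-port=20-21,50000-50100 \
    comment="hairpin NAT for LAN clients using the WAN address"

# Check: after an outbound FTP session from the LAN and one inbound session
# from the Internet, the dstnat rules' counters must grow only for the inbound
# session. The outbound session should be counted by rule 0 alone.
/ip firewall nat print stats
```

Two notes on using this. First, the rule order matters: `dst-address-type=local` is evaluated before any rewrite, so the dstnat rules see the router's WAN IP for inbound traffic and the remote server's IP for outbound traffic; that is the whole fix, and `print stats` is the quickest way to confirm that outbound FTP no longer hits the dstnat rules. Second, the example shows port forwarding only; for active-mode transfers RouterOS additionally relies on its FTP connection-tracking helper (`/ip firewall service-port`), which is outside what the thread discusses.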

Have you been waiting 5 years for solution? I call that patience … :slight_smile:

@fewi:
Thank you for your quick reply and explanation. It is now working flawlessly! :smiley:


@petrn:
No, I searched the forum for a solution yesterday afternoon, but I found only a closed topic without any answers.