Configure for ftp forwarding

Hello,
We just bought a new MikroTik RB2011iL-IN router. We are having some troubles. The only function for this is to be a router between one computer and a NAS system. The NAS needs to be accessed via FTP externally. What are the settings we should make to make this work? Please help to get it sorted. A fixed IP is given and internet is working.
Thank you
Ajith

Have you read this manual? https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Basic_examples

Dear Bartos,
Thank you for your quick reply. I have finished giving all the commands for dst-nat and FTP port forwarding as the manual explains, but there was no connection. I will make sure once again by doing it after resetting the router back to its original form, as I am not sure if any mistake happened. I will keep you posted.
Thank you for your support
Ajith

Hi
I am not able to give the command: /ip address add address=10.5.8.200/32 interface=Public
We get the result: input does not match any value of interface. Why is this?
When I check the IP address interface, our address is there but the interface is ether1.
Thanks
Ajith

This just means that you don’t have an interface named “Public”.
Don’t forget that these guides are just that - guides, and not something you can type in exactly. Your IP addressing will not be the same as the stuff in the guide - especially when the “Public” interface is using a 10.x.x.x private IP address as an example.

FTP is an ancient service built before even TCP/IP was invented, so it has some “interesting” behaviors tied to the legacy of how the Internet worked before it truly became the Internet.

FTP uses the port 21 as a control channel - the ftp session itself, basically - which is used to set up other sockets for the file transfers. So whenever you issue the command to transfer a file (upload or download doesn’t matter) the server and client will open a second connection to actually pass the data. The standard methodology is called “Active” FTP - which means that the client gives an IP address and port number to the server for the transfer. The server then connects to that IP:port and the data is transferred. In today’s world of NAT, this is troublesome because your PC is behind a router, so it’s going to give the wrong IP address to the server (it’ll specify the private IP) - and the router won’t have the specified port open for the server, either… unless the home router is able to inspect FTP session data and notice that the client has requested a data socket. The router will modify the request with the router’s public IP address and port number, so when the server opens the socket, the router can forward the socket to the PC that requested it.

Passive mode means that the server specifies the IP:port and the client connects to that. For servers with a public IP address, this is the preferred method. If the server is also behind a NAT firewall, then the same problem occurs as happens at the client end on active mode. Of course the firewall at the server end can inspect FTP and perform the fixes to make it work.

Now let’s move to the current day, where everything is encrypted. This means that the routers can no longer inspect the FTP sessions for hints about the negotiated data sockets. So you’re going to have to do some more work-arounds for FTP to work if you’re using “secure” FTP. (I use quotes because FTP is a very commonly-exploited service anyway)

Probably the best thing to do is to configure the server to use passive FTP and specify a dedicated range of ports to use for data transfers. This configuration usually also contains a field to tell the server that it is behind NAT and what the public IP address is - so that the server can specify the public IP address in its setup messages. This makes it work when the router cannot inspect the FTP session data to do fixes.

Example - if your FTP server’s actual IP address is 192.168.88.88 and the router’s public IP address is 192.0.2.100, you can do this:
On the server, configure the “public IP” as 192.0.2.100 and set it to use data port range 11000-11100.
On the MikroTik, you will NAT ports 21 and 11000-11100 to private IP address 192.168.88.88.

Or - the easier thing to do would be to use SFTP instead, which uses the same port for everything (port 22). Some systems may call this SCP or SSH file transfer. If this option is available, you should use that instead. It’s more secure AND it’s easier to set up in firewalls and clients.