Firewall and FTP

Hi everybody,

I'm new to Mikrotik and trying to set up my first router configuration, but I'm struggling with firewall rules to allow passive outgoing FTP connections. I need to filter outgoing traffic.
I used Wireshark and the RouterOS log and found out that connections are initialised on dst. port 21, but then a random port 30000+ is used for the related connection. However, this connection is somehow not allowed by permit related or established.
I have read the thread below, but I found nothing new to me.
http://forum.mikrotik.com/t/firewall-problem/40496/1

My firewall rules:
chain=forward action=accept protocol=tcp out-interface=ether1-gateway dst-port=80
chain=forward action=accept protocol=tcp out-interface=ether1-gateway dst-port=443

2 ;;; OUT - ftp connection
chain=forward action=accept protocol=tcp out-interface=ether1-gateway dst-port=21 connection-type=ftp

chain=forward action=accept protocol=icmp out-interface=ether1-gateway
chain=forward action=accept protocol=udp out-interface=ether1-gateway dst-port=500
chain=forward action=accept protocol=udp out-interface=ether1-gateway dst-port=4500
chain=forward action=accept protocol=udp out-interface=ether1-gateway dst-port=123
chain=forward action=accept protocol=udp out-interface=ether1-gateway dst-port=53
chain=input action=accept protocol=icmp
chain=input action=accept connection-state=established in-interface=ether1-gateway
chain=input action=accept connection-state=related in-interface=ether1-gateway

12 ;;; OUT BEFORE established + related
chain=forward action=log out-interface=ether1-gateway log-prefix="FW_BF"
13 ;;; OUT - established
chain=forward action=accept connection-state=established out-interface=ether1-gateway
14 ;;; OUT - related
chain=forward action=accept connection-state=related out-interface=ether1-gateway
15 ;;; OUT AFTER established + related
chain=forward action=log out-interface=ether1-gateway log-prefix="FW_AFTR"
16 ;;; IN AFTER established + related
chain=input action=log in-interface=ether1-gateway log-prefix=""
17 X ;;; OUT - PERMIT ALL !!!
chain=forward action=accept out-interface=ether1-gateway
18 ;;; OUT - deny all
chain=forward action=drop out-interface=ether1-gateway
19 ;;; IN - deny all (default configuration)
chain=input action=drop in-interface=ether1-gateway

RB450G, RouterOS 5.21

Thanks for any advice,

Jarek

Hi,
You should make a dst-nat rule in IP->Firewall->NAT
type:tcp
Action dst-nat
To address: your ftp server
to port: 21

Hi,
jadu, I don´t have FTP server inside my internal network. I just want to access FTP server placed outside my network from FTP client. (LAN->WAN, not WAN->LAN traffic).
I need to filter outgoing traffic, but need to allow users to use FTP clients. All rules (TCP 80, 443, UDP 500 etc.) work fine, but the FTP doesn´t. Dst. port 21 works, but connection on port 30000+ related to port 21 connection doesn´t work.

Rules that should allow the FTP connection on port 21 and related/established connections, perhaps:
chain=forward action=accept protocol=tcp out-interface=ether1-gateway dst-port=21 connection-type=ftp
chain=forward action=accept connection-state=established out-interface=ether1-gateway
chain=forward action=accept connection-state=related out-interface=ether1-gateway

The same problem was solved here: viewtopic.php?f=13&t=44743
But it doesn't work for me.

Regards,

Jarek

Same as someone said in that other topic, why are you blocking outgoing traffic?
Try disabling your 18th rule, then check whether ftp is working after disabling this rule.
Let me know

Now I saw that you have something else on your related/established connections.
You must have it on chain input, and try just with chain, connection state and action, without all the other stuff.

Thank you, I changed the general rule for FTP a bit and now it works.

Working set of rules:
chain=forward action=accept protocol=tcp out-interface=ether1-gateway dst-port=21
chain=forward action=accept connection-state=established out-interface=ether1-gateway
chain=forward action=accept connection-state=related out-interface=ether1-gateway


Jarek
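The working set from the final post, typed out as RouterOS CLI together with the one check the thread never shows: that the FTP connection-tracking helper is actually enabled, since that helper is what lets the passive data connection on port 30000+ be classified as related. This is an added example, not the thread author's export; it assumes ether1-gateway is the WAN interface and a filter chain that otherwise contains only the rules shown.

```routeros
# Added example (not the thread author's export): the working rule set from
# the final post, entered as RouterOS CLI. Assumes ether1-gateway is the WAN
# interface, as in the thread.

# The related/established rules only catch the passive FTP data connection
# (random port 30000+) when the FTP connection-tracking helper is active.
# Check it first; for ftp you want to see disabled=no.
/ip firewall service-port print where name=ftp
/ip firewall service-port enable ftp

/ip firewall filter
# Control connection: match port 21 only, without connection-type=ftp
# (the thread's original rule carried that extra matcher and did not work).
add chain=forward action=accept protocol=tcp out-interface=ether1-gateway \
    dst-port=21 comment="OUT - ftp control connection"
# Packets belonging to an already accepted connection, including the
# helper-tracked FTP data channel, arrive here as established/related.
add chain=forward action=accept connection-state=established \
    out-interface=ether1-gateway comment="OUT - established"
add chain=forward action=accept connection-state=related \
    out-interface=ether1-gateway comment="OUT - related"
# Keep a log rule between the accepts and the final drop so anything still
# falling through (e.g. a data channel the helper did not track) is visible.
add chain=forward action=log out-interface=ether1-gateway \
    log-prefix="FW_AFTR" comment="OUT AFTER established + related"
add chain=forward action=drop out-interface=ether1-gateway \
    comment="OUT - deny all"

# Rules are evaluated top to bottom; confirm the order before testing.
/ip firewall filter print
```

After a passive transfer, /ip firewall connection print shows the port 30000+ data connection alongside the port 21 control connection when the helper has done its job.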