FTP client blocked

At a client, they have a Mikrotik router with a Windows server running an FTP server and a variety of Windows clients. Port forwarding is set up for FTP and works fine - I can connect to the FTP server from an external computer. It's used for a backup of a website.

The problem is that you can't connect to an external FTP server from the network - it just times out. If I disable the port forwarding rule below then it starts working:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=21 protocol=tcp to-addresses=192.168.88.197

192.168.88.197 is the IP address of the FTP server. I'm peripherally aware of the way FTP clients work with active and passive connections, so I know that FTP establishes an incoming connection back.

This is my only FTP server configuration on RouterOS that I've used. On my development network at home, I don't use RouterOS for my main firewall - it's the Virgin Media Superhub. That's got port forwarding set up on port 21 and that works fine. So it is something specific to RouterOS.

Any ideas?

https://forum.mikrotik.com/viewtopic.php?t=179343

That will take a bit of time to read 🙂

Concentrate on hairpin NAT.
The loopback button doesn't exist on MT RoS; you have to add the functionality manually.
Your destination NAT rule is incomplete as well.
Do you have a fixed WAN IP (static) or dynamic? The answer will help guide you.

Okay, finally got a bit of time to look at this and it's a bit of a can of worms. You said the dst-nat rule was incomplete. Is this any better? The WAN IP used to be dynamic but it happens to be static now that the client has moved to a VM Business link.

add action=dst-nat chain=dstnat dst-port=21 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.197 to-ports=21

I still need to do some reading on this hairpin issue as I'm about to replace my Virgin Media Superhub with a hAP ax2 router, so I'll be using RouterOS all the time at home. I do have a bit of port forwarding going on, so I need to understand it more deeply.

Yes, that is better. The original problem is that your NAT rule was forwarding ALL port 21 traffic to your own FTP server. Kind of a problem when you were trying to reach some external FTP server.
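The following RouterOS snippet is an added example, not configuration posted by anyone in this thread. It puts the two points raised above together: the dst-nat rule restricted so it only catches traffic arriving from the internet, and the hairpin NAT rules that let LAN clients reach the FTP server via the public address. It assumes a static public WAN IP of 203.0.113.10 (a placeholder from the documentation range), a LAN subnet of 192.168.88.0/24, and the default "WAN" interface list; the server address 192.168.88.197 is the one from the thread.

```routeros
# Added example, not from the thread. Assumptions: public static WAN IP is
# 203.0.113.10 (placeholder), LAN subnet is 192.168.88.0/24, and the "WAN"
# interface list exists as in the default configuration.
/ip firewall nat

# Default masquerade for LAN -> internet, unchanged from the default config.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

# Forward port 21 to the FTP server only for traffic that arrives on the WAN
# side. Without in-interface-list=WAN this rule also catches LAN clients
# connecting to external FTP servers, which is the "times out" symptom.
add action=dst-nat chain=dstnat comment="FTP from internet" dst-port=21 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.197 to-ports=21

# Hairpin, part 1: LAN clients that address the public IP on port 21 are also
# sent to the server. Matching on the (static) public dst-address rather than
# the inbound interface is what lets traffic from the LAN side match here;
# connections from the LAN to any other address are untouched.
add action=dst-nat chain=dstnat comment="FTP hairpin dst-nat" \
    dst-address=203.0.113.10 dst-port=21 protocol=tcp \
    to-addresses=192.168.88.197 to-ports=21

# Hairpin, part 2: masquerade LAN -> server traffic so the server's replies go
# back through the router instead of directly to the client, which would
# otherwise break the connection. As written this also masquerades direct
# LAN -> server connections (server logs then show the router's address);
# narrow the match if that matters.
add action=masquerade chain=srcnat comment="FTP hairpin srcnat" \
    dst-address=192.168.88.197 src-address=192.168.88.0/24

# Checks: list the NAT rules, and confirm the FTP connection-tracking helper
# is enabled, since active/passive FTP data connections rely on it.
/ip firewall nat print
/ip firewall service-port print
```

Once the hairpin dst-nat rule is in place, the in-interface-list=WAN rule and the dst-address rule overlap for traffic from the internet; keeping both is harmless, but the dst-address form alone covers both cases when the public IP is static.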