FTP-DATA connection (active mode) using different IP

Hi Guys:

If a MikroTik has more than one IP address and we try to open a FTP connection (in active mode) to the IP associated to an interface that is not the output interface for the reply packets, we can login with no problem using TCP port 21, but when we send a command like “ls” the MikroTik tries to open FTP-DATA connection (TCP port 20) using the source address of the output interface instead of using the original IP address we connected to.

Is that the correct behaviour? The problem is that when we have firewalls between the client and the router, the FTP-DATA connection is not detected as “related” so can be blocked.

Regds,

Julio Tommasi

I don’t think it’s prohibited by any specification. FTP is an old protocol, it predates widespread use of paranoid firewalls and does not care much about this kind of stuff. But it’s definitely a bad idea to do it nowadays, because it’s going to break things.

I understand that it’s MikroTik’s own FTP server in RouterOS doing this. You should probably suggest to them to fix it and bind outgoing data connections to correct address.
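To show why the mismatched source address described in the thread breaks “related” tracking, here is an added example (not code from the thread or from RouterOS): a simplified model of the active-mode FTP helper a stateful firewall uses, which builds an expectation from the client's PORT command and only accepts a data-connection SYN whose source is the same server address the client talked to on port 21. All IP addresses are constructed sample values.

```python
import re
from dataclasses import dataclass

# Client's PORT command on the control channel: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Expectation:
    """Data connection the firewall expects after seeing PORT on the control channel."""
    server_ip: str    # the address the client connected to on TCP/21
    client_ip: str    # address announced by the client in PORT
    client_port: int  # port announced by the client in PORT


def parse_port_command(line: str, server_ip: str) -> Expectation:
    """Build the expected active-mode data connection from a PORT line."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return Expectation(server_ip, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def classify_syn(exp: Expectation, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> str:
    """'related' if the SYN matches the expectation exactly, otherwise 'new'.

    The source must be the server address seen on the control channel; a
    server that opens the data connection from another of its addresses
    falls through to 'new' and is then subject to the normal input rules.
    """
    if (src_ip == exp.server_ip and src_port == 20
            and dst_ip == exp.client_ip and dst_port == exp.client_port):
        return "related"
    return "new"


def demo() -> tuple:
    # Constructed scenario: client 192.0.2.10 logged in to the router at 198.51.100.1
    exp = parse_port_command("PORT 192,0,2,10,4,1", "198.51.100.1")
    # Data connection from the address the client connected to: tracked as related
    same_addr = classify_syn(exp, "198.51.100.1", 20, "192.0.2.10", 1025)
    # Data connection from the router's other (output-interface) address: not matched
    other_addr = classify_syn(exp, "203.0.113.1", 20, "192.0.2.10", 1025)
    return same_addr, other_addr
```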