FTP helper doesn't work properly

Hello. I have broken my head.
I have an FTP server with SSL. Inside the LAN everything works fine; users can connect and get data from the server.
If I want to connect via the Internet, the connection is refused (Server sent passive reply with unroutable address “my local ftp-server address”) after it is established.
I set up dst-nat of the public IP on 21/tcp to the local IP, according to “https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Port_forwarding_to_internal_FTP_server”. My firewall also has a rule to accept established and related connections, and the FTP helper is enabled (ip firewall service-port).
If I open all ports for dstnat, I am able to connect to the FTP server via the Internet, but it’s unsecured.

Can anyone help me?

You’ll need to set that to the public IP and hairpin local FTP traffic that goes to passive mode. Alternatively, some FTP servers like FileZilla can intelligently set the local address to the LAN IP for local connections to remove the need for hairpin NAT.

All said, you could deploy IPv6 and have your clients connect via that protocol. You may find that more reliable and not reliant on hairpin NAT if your server cannot make that adjustment intelligently in software.

Lastly, you could just use SSH and its copy functionality for secure file transfers. It is much more friendly to NAT use and can be easier to automate with keys.
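The refusal quoted in the question comes from a client-side check on the server's 227 passive reply. The following is an added example, not code from either poster or from any FTP client, that reproduces that check; the `check_pasv` helper and all addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227[ -].*?" + ",".join([r"(\d{1,3})"] * 6))

# Ranges a client on the Internet cannot route to (RFC 1918, loopback, link-local).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_pasv(reply, control_peer):
    """Compare the advertised data address with the control-connection peer.

    Returns (verdict, host, port); verdict is 'ok', 'unroutable' or 'mismatch'.
    """
    host, port = parse_pasv(reply)
    peer = ipaddress.ip_address(control_peer)
    host_unroutable = any(host in net for net in UNROUTABLE)
    peer_unroutable = any(peer in net for net in UNROUTABLE)
    if host == peer:
        verdict = "ok"
    elif host_unroutable and not peer_unroutable:
        # Server told an Internet client to connect to its LAN address.
        verdict = "unroutable"
    else:
        verdict = "mismatch"
    return verdict, str(host), port


if __name__ == "__main__":
    # Constructed samples: client reached the server at 203.0.113.10 (public side).
    print(check_pasv("227 Entering Passive Mode (192,168,88,10,195,80)", "203.0.113.10"))
    print(check_pasv("227 Entering Passive Mode (203,0,113,10,195,80)", "203.0.113.10"))
```

With SSL on the control channel the router cannot read or rewrite the 227 reply, so the address the server itself advertises is the one the client evaluates.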