FTP LAN to WAN

Hi, can someone maybe help me?

I set up my firewall and NAT to access my FTP on my LAN.
This works :)

But…
an FTP client on a PC or Mac cannot connect to FTP servers on the WAN.

An additional NAT rule and disabling the existing one resolves this issue.
I would like to have both :)

Is this possible?

I'm behind a NAT on a DMZ port.

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=forward comment=ftp dst-address=192.168.88.254 dst-port=21 protocol=tcp
add chain=forward comment="webdav https" dst-address=192.168.88.254 dst-port=5005 protocol=tcp
add chain=forward comment="audio station" dst-address=192.168.88.254 dst-port=5000 protocol=tcp src-port=""
add action=drop chain=forward comment="vlan2 niet naar vlan1" dst-address=192.168.88.0/24 src-address=192.168.100.0/24
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=related
add chain=input comment="default configuration" connection-state=related
add chain=forward comment="default configuration" connection-state=established
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.100.0/24
add chain=dstnat comment="ftp extern benaderen" disabled=yes dst-port=21 protocol=tcp to-addresses=192.168.88.0/24
add action=dst-nat chain=dstnat comment="FTP Server Command" dst-port=21 protocol=tcp to-addresses=192.168.88.254 to-ports=21
add action=dst-nat chain=dstnat comment="FTP server Data" dst-port=55536-55543 protocol=tcp to-addresses=192.168.88.254 to-ports=55536-55543
add action=dst-nat chain=dstnat comment=webdav dst-port=5005 protocol=tcp to-addresses=192.168.88.254 to-ports=5006
add action=dst-nat chain=dstnat dst-port=5000 protocol=tcp to-addresses=192.168.88.254 to-ports=5000

Thanks for the help.

Try enabling UPnP.

? Sorry, I'm a beginner :)

upnp-enabled
allow to disable external interface = off
show dummy rule = on
interface = ether1-gateway
external
forced external ip = WAN ip

No difference.

:global ext nameofextinterface
:global int nameofintinterface

Edit above

/ip upnp { :foreach x in=[ interfaces find ] do={ interfaces remove $x }; interfaces add interface=$ext type=external; interfaces add interface=$int type=internal; set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes }

Edit: cut and paste (not tested, but should work).

Edit: Your client also needs to support UPnP (like Windows 7/8 etc.).

Ok.
Internal interface is bridge-local.
External = ether1-gateway.
Clients are Mac and Win 8.
Forced external IP is the WAN IP.

But nothing. No connection.

/ip upnp
set allow-disable-external-interface=no enabled=yes
/ip upnp interfaces
add forced-external-ip=x.x.x.x interface=ether1-gateway type=external
add interface=bridge-local type=internal

I'm trying with FileZilla in passive mode.

Ah… with this setup, you should also have UPnP switched on at your external gateway. I did not see that you were behind NAT/NAT. This makes the situation a bit different. Also remember to switch on the service port in the firewall (ftp - 21).

The problem is with the disabled NAT rule…

When I enable it I can go out with no problem, but
my own FTP server is not reachable anymore.
When I disable the NAT rule my server works fine, but I cannot connect to the external server.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=192.168.100.0/24
add chain=dstnat comment="ftp extern benaderen" disabled=yes dst-port=21 protocol=tcp to-addresses=192.168.88.0/24
add action=dst-nat chain=dstnat comment="FTP Server Command" dst-port=21 protocol=tcp to-addresses=192.168.88.254 to-ports=21
add action=dst-nat chain=dstnat comment="FTP server Data" dst-port=55536-55543 protocol=tcp to-addresses=192.168.88.254 to-ports=55536-55543
add action=dst-nat chain=dstnat comment=webdav dst-port=5005 protocol=tcp to-addresses=192.168.88.254 to-ports=5006
add action=dst-nat chain=dstnat dst-port=5000 protocol=tcp to-addresses=192.168.88.254 to-ports=5000

My LAN is on a DMZ from my ISP. Does the UPnP from the ISP do anything on the DMZ?

Actually, this depends on the settings from your ISP. I don't know if "he" supports UPnP.

Is it possible to get an official IP instead of the DMZ IP?

What does this rule do?

add chain=dstnat comment="ftp extern benaderen" disabled=yes dst-port=21 \
protocol=tcp to-addresses=192.168.88.0/24

If your internal server is 192.168.88.254, then add an "in-interface=ether1-gateway" parameter to this rule. Otherwise, your internal clients will not be able to access any external FTP IPs.

add action=dst-nat chain=dstnat comment="FTP Server Command" dst-port=21 \
protocol=tcp to-addresses=192.168.88.254 to-ports=21 in-interface=ether1-gateway
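Why that one matcher decides the outcome, as an added example (not code from the thread or from RouterOS): a small Python model of first-match dstnat evaluation over the ports and interface names from the thread. The packet addresses and the LAN client are constructed assumptions; connection tracking and the other chains are ignored.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    in_interface: str   # interface the packet arrived on
    dst: str            # destination IP before NAT
    dst_port: int


@dataclass
class DstNatRule:
    comment: str
    dst_ports: range                      # dst-port= (single port or range)
    to_address: str                       # to-addresses=
    to_port: int                          # first port of to-ports=
    in_interface: Optional[str] = None    # None: matcher absent, any interface matches

    def matches(self, p: Packet) -> bool:
        if p.dst_port not in self.dst_ports:
            return False
        return self.in_interface is None or self.in_interface == p.in_interface

    def translate(self, p: Packet) -> Tuple[str, int]:
        # to-ports range maps 1:1 onto the dst-port range
        return self.to_address, self.to_port + (p.dst_port - self.dst_ports.start)


def apply_dstnat(rules: List[DstNatRule], p: Packet) -> Tuple[str, int]:
    """First matching rule wins; no match leaves the destination untouched."""
    for r in rules:
        if r.matches(p):
            return r.translate(p)
    return p.dst, p.dst_port


def thread_rules(with_in_interface: bool) -> List[DstNatRule]:
    """The dst-nat rules from the thread, with or without the in-interface= fix."""
    iface = "ether1-gateway" if with_in_interface else None
    return [
        DstNatRule("FTP Server Command", range(21, 22), "192.168.88.254", 21, iface),
        DstNatRule("FTP server Data", range(55536, 55544), "192.168.88.254", 55536, iface),
        DstNatRule("webdav", range(5005, 5006), "192.168.88.254", 5006, iface),
    ]


# Constructed flows: an external client reaching the router's WAN side,
# and a LAN client (behind bridge-local) opening FTP to an external server.
WAN_TO_SERVER = Packet("ether1-gateway", "203.0.113.1", 21)
LAN_TO_EXTERNAL = Packet("bridge-local", "198.51.100.20", 21)
```

Without the matcher the LAN client's outbound port-21 connection is rewritten to 192.168.88.254, which is why it "cannot connect" to the external server; with it, only traffic arriving on ether1-gateway is translated.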

This rule:

add chain=dstnat comment="ftp extern benaderen" disabled=yes dst-port=21 \
protocol=tcp to-addresses=192.168.88.0/24

I created it to test the FTP function, but I don't need it anymore.
Your answer fixed the problem:
"then add an "in-interface=ether1-gateway" parameter to this rule."

Thanks