Hello, there is a problem: my CCR1009 cannot reach external FTP servers. RouterOS 6.37.1, no deny rules exist. The FTP service is enabled. Here is the print:
[nafanasev@MikroTik] > system telnet ftp.adobe.com 21
Trying 192.150.16.26...
telnet: Unable to connect to remote host: Connection timed out
Welcome back!
[nafanasev@MikroTik] > ip service print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS
0 XI telnet 23
1 ftp 21
2 XI www 80
3 XI ssh 22
4 XI www-ssl 443
5 XI api 8728
6 winbox 9013
7 XI api-ssl 8729
[nafanasev@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
2 ;;; winbox enable
chain=input action=accept protocol=tcp in-interface=ether1
log=no log-prefix=""
3 ;;; lock_external_dns_isp1
chain=input action=drop protocol=udp in-interface=ether1 ds
log=no log-prefix=""
4 ;;; torrent
chain=forward action=drop p2p=all-p2p connection-limit=1,32
log-prefix="all_torrent"
5 ;;; torrent
chain=forward action=drop protocol=udp dst-address=192.168.
in-interface=ether1 dst-port=1025-65535 content=d1:ad2:id20
packet-size=95-190 log=no log-prefix=""
6 XI ;;; torrent
chain=forward action=drop protocol=udp dst-address=192.168.
in-interface=ether1 dst-port=1025-65535 content=d1:ad2:id20
packet-size=95-190 log=no log-prefix=""
7 ;;; torrent
chain=forward action=drop protocol=tcp dst-address=192.168.
in-interface=ether1 dst-port=2710 content=info_hash= log=no
8 XI ;;; torrent
chain=forward action=drop protocol=tcp dst-address=192.168.
in-interface=ether1 dst-port=2710 content=info_hash= log=no
myasnik
December 5, 2016, 10:07am
2
On firmware 6.35 there was the same problem. The ISP says everything is fine on their side and nothing is blocked. I can't check through another ISP. No external FTP servers work at all. On my other MikroTik (similar configuration) this is not a problem.
Sob
December 5, 2016, 6:53pm
4
Not without a crystal ball. What you posted is cut off at the right. But even from that it's clear that the problem is not in the firewall filter (if those nine rules are all you have there).
I haven't checked the other MikroTik on this ISP, because it is a remote site. I can only check at the end of the week.
I deleted some sensitive lines that are not relevant to the case. If I disable all deny rules, the trouble remains.
# dec/06/2016 00:05:00 by RouterOS 6.37.1
#
/interface bridge
add name=bridge_main
/interface ethernet
set [ find default-name=ether1 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment=isp1
set [ find default-name=ether2 ] advertise=\
100M-half,100M-full,1000M-half,1000M-full comment=isp2
set [ find default-name=ether3 ] comment=most_to_hostel
set [ find default-name=ether4 ] comment=to_gs1900 master-port=ether3
set [ find default-name=ether5 ] comment=to_2011_management
/interface pppoe-client
add comment=isp2 disabled=no interface=ether2 name=pppoe-out1 password=\
use-peer-dns=yes user=derevo
/ip neighbor discovery
set ether1 comment=isp1
set ether2 comment=isp2
set ether3 comment=most_to_hostel
set ether4 comment=to_gs1900
set ether5 comment=to_2011_management
set pppoe-out1 comment=isp2
/interface vlan
add interface=bridge_main name=vlan2 vlan-id=2
add interface=bridge_main name=vlan3 vlan-id=3
/ip pool
add name=dhcp_pool1 ranges=192.168.88.60-192.168.88.240
add name=dhcp_pool2 ranges=192.168.10.10-192.168.10.245
add name=dhcp_pool3 ranges=192.168.11.10-192.168.11.245
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=yes disabled=no \
interface=bridge_main lease-time=4d name=dhcp1
add add-arp=yes address-pool=dhcp_pool2 authoritative=yes disabled=no \
interface=vlan2 lease-time=4d name=dhcp2
add add-arp=yes address-pool=dhcp_pool3 authoritative=yes disabled=no \
interface=vlan3 lease-time=4d name=dhcp3
/queue simple
add burst-threshold=4M/5M burst-time=10s/10s max-limit=2M/3M name=\
for_hostel_10.0 target=192.168.10.0/24
/interface bridge port
add bridge=bridge_main interface=ether3
add bridge=bridge_main interface=ether5
add bridge=bridge_main interface=ether6
add bridge=bridge_main interface=ether7
add bridge=bridge_main interface=ether8
/ip address
add address=62.213.0.1/25 comment=isp1 interface=ether1 network=\
62.213.0.1
add address=192.168.88.1/24 comment=local-work interface=bridge_main network=\
192.168.88.0
add address=192.168.10.1/24 comment=local-hostel interface=vlan2 network=\
192.168.10.0
add address=192.168.11.1/24 comment=local-coworking interface=vlan3 network=\
192.168.11.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=\
62.213.0.1,8.8.8.8,85.0.1.1,192.168.88.1
/ip dns static
add address=192.168.88.10 name=server02
/ip firewall address-list
add address=192.168.88.0/24 list=88.0/24
add address=192.168.10.0/24 list=10.0/24
add address=192.168.11.0/24 list=11.0/24
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related
add action=accept chain=input comment="winbox enable" dst-port=9013 \
in-interface=ether1 protocol=tcp
add action=drop chain=input comment=lock_external_dns_isp1 dst-port=53 \
in-interface=ether1 protocol=udp
add action=drop chain=forward comment=torrent connection-limit=1,32 \
log-prefix=all_torrent p2p=all-p2p
add action=drop chain=forward comment=torrent content=d1:ad2:id20: disabled=\
yes dst-address=192.168.10.0/24 dst-port=1025-65535 in-interface=ether1 \
packet-size=95-190 protocol=udp
add action=drop chain=forward comment=torrent content=d1:ad2:id20: \
dst-address=192.168.11.0/24 dst-port=1025-65535 in-interface=ether1 \
packet-size=95-190 protocol=udp
add action=drop chain=forward comment=torrent content="info_hash=" disabled=\
yes dst-address=192.168.10.0/24 dst-port=2710 in-interface=ether1 \
protocol=tcp
add action=drop chain=forward comment=torrent content="info_hash=" \
dst-address=192.168.11.0/24 dst-port=2710 in-interface=ether1 protocol=\
tcp
/ip firewall mangle
add action=mark-connection chain=input comment=isp1 dst-address=\
62.213.117.250 in-interface=ether1 new-connection-mark=isp1_input \
passthrough=no
add action=mark-routing chain=output comment=isp1_route connection-mark=\
isp1_input connection-state=new new-routing-mark=isp1 passthrough=no
add action=mark-connection chain=input comment=isp2 in-interface=pppoe-out1 \
new-connection-mark=isp2_input passthrough=no
add action=mark-routing chain=output comment=isp2_route connection-mark=\
isp2_input connection-state=new new-routing-mark=isp2 passthrough=no
add action=mark-routing chain=prerouting comment=work dst-address-list=\
!88.0/24 new-routing-mark=work passthrough=no src-address=192.168.88.0/24
add action=mark-routing chain=prerouting comment=hostel dst-address-list=\
!10.0/24 new-routing-mark=hostel passthrough=no src-address=\
192.168.10.0/24
add action=mark-routing chain=prerouting comment=coworking dst-address-list=\
!11.0/24 new-routing-mark=coworking passthrough=no src-address=\
192.168.11.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=netmap chain=dstnat comment=rdp_server01 dst-port=3388 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 to-ports=3389
add action=netmap chain=dstnat comment=rdp_server03 dst-port=3387 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.4 to-ports=3389
add action=netmap chain=dstnat comment=owncloud_server02 dst-port=8888 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=80
add action=netmap chain=dstnat comment="video hostel" dst-port=34567 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.15 to-ports=\
34567
add action=netmap chain=dstnat comment=video dst-port=80 in-interface=ether1 \
protocol=tcp to-addresses=192.168.88.15 to-ports=80
add action=netmap chain=dstnat comment="video coworking" dst-port=34568 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.14 to-ports=\
34567
/ip route
add comment=isp1 distance=1 gateway=62.213.0.1 routing-mark=isp1
add comment=isp2 distance=1 gateway=pppoe-out1 routing-mark=isp2
add check-gateway=ping comment=work_isp1 distance=10 gateway=62.213.0.1 \
routing-mark=work
add check-gateway=ping comment=work_isp2 disabled=yes distance=11 gateway=\
pppoe-out1 routing-mark=work
add check-gateway=ping comment=hostel_isp1 distance=10 gateway=62.213.0.1 \
routing-mark=hostel
add check-gateway=ping comment="hostel_isp2_no internet" disabled=yes \
distance=11 dst-address=192.168.88.1/32 gateway=pppoe-out1 routing-mark=\
hostel
add check-gateway=ping comment=coworking_isp1 distance=10 gateway=\
62.213.0.1 routing-mark=coworking
add check-gateway=ping comment=coworking_isp2 disabled=yes distance=11 \
gateway=pppoe-out1 routing-mark=coworking
add comment=managment_isp1 distance=1 gateway=62.213.0.1
add comment=managment_isp2 disabled=yes distance=1 gateway=pppoe-out1
add comment=netwatch_isp2 distance=1 dst-address=8.8.4.4/32 gateway=\
pppoe-out1
add comment=netwatch_isp1 distance=1 dst-address=8.8.8.8/32 gateway=\
62.213.0.1
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=9013
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=32k interfaces=ether1
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk disabled=yes topics=firewall
add disabled=yes topics=tftp
/system routerboard settings
set protected-routerboot=disabled
Do I see my files at ftp://my_external_ip, or must I set up an FTP server locally and redirect the port to check this?
Sob
December 6, 2016, 11:55am
7
One thing, routing marks are per-packet, so you do not want connection-state=new in these rules:
/ip firewall mangle
add action=mark-routing chain=output comment=isp1_route connection-mark=isp1_input connection-state=new new-routing-mark=isp1 passthrough=no
add action=mark-routing chain=output comment=isp2_route connection-mark=isp2_input connection-state=new new-routing-mark=isp2 passthrough=no
But it should not be causing your current problem, because if the first packet of an outgoing connection takes the default route from the main table to one of the ISPs, the next one will go there too.
And what is best? Established?
myasnik:
Do I see my files at ftp://my_external_ip, or must I set up an FTP server locally and redirect the port to check this?
I mean to set up an FTP server in one of the three local LANs (192.168.10.x, 192.168.11.x, 192.168.88.x) to check whether it is a router problem or a provider problem.
BlackVS
December 6, 2016, 4:15pm
10
A note:
add action=drop chain=forward comment=torrent connection-limit=1,32 log-prefix=all_torrent p2p=all-p2p
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
Matches connections per address or address block up to and including given value. Should be used together with connection-state=new and/or with tcp-flags=syn because matcher is very resource intensive.
Plus you allow 1 connection per address. But the FTP protocol can produce several connections for the same IP using different ports.
Try disabling this rule or changing 1 to 10 or something like that.
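To see why BlackVS's two points matter for FTP, here is an added Python model (not from the thread, and not RouterOS code) of a `connection-limit=N,32` drop rule applied to one FTP session, with and without the `connection-state=new` the wiki recommends. It assumes the matcher fires once a source address's connection count exceeds N; the client address and passive data ports are constructed.

```python
"""Model of a connection-limit=N,32 filter rule applied to one FTP session.
Added example; not RouterOS code and not from the thread.  Assumed semantics:
the matcher fires once the number of tracked connections from the same source
block, counting the packet's own connection, exceeds N."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    state: str  # "new" for the first packet of a connection, else "established"


# Constructed traffic from one hostel client: the FTP control connection plus two
# passive-mode data connections (LIST, then RETR), each followed by later packets.
FTP_SESSION = [
    Packet("192.168.10.50", 21, "new"), Packet("192.168.10.50", 21, "established"),
    Packet("192.168.10.50", 50123, "new"), Packet("192.168.10.50", 50123, "established"),
    Packet("192.168.10.50", 50124, "new"), Packet("192.168.10.50", 50124, "established"),
]


def evaluate(packets, limit, prefix=32, only_new=False):
    """Run packets through `action=drop connection-limit=limit,prefix`.
    only_new=True adds `connection-state=new`, as the wiki recommends.
    Returns (destination ports of dropped connections, matcher evaluations)."""
    tracked, dropped, evaluations = set(), [], 0
    for p in packets:
        if only_new and p.state != "new":
            continue               # cheap state check short-circuits the matcher
        evaluations += 1           # the per-block connection count is the costly part
        if p.state != "new":
            continue               # an already allowed connection keeps flowing
        block = ip_network(f"{p.src}/{prefix}", strict=False)
        in_block = sum(1 for src, _ in tracked if ip_address(src) in block)
        if in_block + 1 > limit:
            dropped.append(p.dport)  # this connection never opens
        else:
            tracked.add((p.src, p.dport))
    return dropped, evaluations


if __name__ == "__main__":
    for limit in (1, 10):
        ports, _ = evaluate(FTP_SESSION, limit)
        print(f"connection-limit={limit},32 drops data connections to ports: {ports}")
```

With the limit at 1 the control connection passes but both passive data connections are dropped, so listings and transfers hang; at 10 nothing is dropped, and adding connection-state=new halves the number of times the counting matcher runs on this traffic.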
Sob
December 6, 2016, 5:33pm
11
About the connection-state in marking rules, just remove it:
/ip firewall mangle
add action=mark-routing chain=output comment=isp1_route connection-mark=isp1_input new-routing-mark=isp1 passthrough=no
add action=mark-routing chain=output comment=isp2_route connection-mark=isp2_input new-routing-mark=isp2 passthrough=no
You want the routing marked for all packets of those connections.
myasnik
December 7, 2016, 7:16am
12
I tried disabling these rules, or changing the connection limit to 10. No effect. Does this change need a reboot? I think not.
myasnik
December 7, 2016, 8:08am
13
I created an FTP server on my local network and it works…
I'm inclined to think that the problem is in the routes, or the firmware. I don't want to upgrade remotely; I'll do it closer to the weekend. All routes to the second ISP are disabled, everything works through the first…
myasnik
December 8, 2016, 3:37pm
15
Upgrading to the latest firmware (6.37.3) had no effect.
Downgrading to 6.36.4 (stable) didn't either.
Sob
December 8, 2016, 11:22pm
16
Can you post output of “/ip route print detail”, to see how it looks on live system with pppoe client connected?
myasnik
December 9, 2016, 7:23am
17
In search of the problem, I deleted the second ISP.
ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S ;;; work_isp1
dst-address=0.0.0.0/0 gateway=62.213.0.1
gateway-status=62.213.0.1 reachable via ether1 check-gateway=ping distance=10
scope=30 target-scope=10 routing-mark=work
1 A S ;;; hostel_isp1
dst-address=0.0.0.0/0 gateway=62.213.0.1
gateway-status=62.213.0.1 reachable via ether1 check-gateway=ping distance=10
scope=30 target-scope=10 routing-mark=hostel
2 A S ;;; coworking_isp1
dst-address=0.0.0.0/0 gateway=62.213.0.1
gateway-status=62.213.0.1 reachable via ether1 check-gateway=ping distance=10
scope=30 target-scope=10 routing-mark=coworking
3 A S ;;; managment_isp1
dst-address=0.0.0.0/0 gateway=62.213.0.1
gateway-status=62.213.0.1 reachable via ether1 distance=1 scope=30
target-scope=10
4 A S ;;; netwatch_isp1
dst-address=8.8.8.8/32 gateway=62.213.0.1
gateway-status=62.213.0.1 reachable via ether1 distance=1 scope=30
target-scope=10
5 ADC dst-address=62.213.0.1/24 pref-src=62.213.0.1 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
6 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1 gateway=vlan2
gateway-status=vlan2 reachable distance=0 scope=10
7 ADC dst-address=192.168.11.0/24 pref-src=192.168.11.1 gateway=vlan3
gateway-status=vlan3 reachable distance=0 scope=10
8 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge_main
gateway-status=bridge_main reachable distance=0 scope=10
I don't know what to do with it; I'm ready for drastic measures.
Sob
December 9, 2016, 4:52pm
18
You mean it doesn't work even with just one active ISP? I thought it did:
Or did you just mean that with second ISP disabled, it has to go to first one?
Looking at your config again and your active routes, where did this one go?
/ip route
add comment=isp1 distance=1 gateway=62.213.0.1 routing-mark=isp1
You need it, if you still have these rules:
/ip firewall mangle
add action=mark-connection chain=input comment=isp1 dst-address=62.213.117.250 in-interface=ether1 new-connection-mark=isp1_input passthrough=no
add action=mark-routing chain=output comment=isp1_route connection-mark=isp1_input new-routing-mark=isp1 passthrough=no
Without it, you tell the router to use the "isp1" routing table, but you don't have one.
myasnik
December 12, 2016, 6:46am
19
everything works through the first ISP
Yes, sorry, I noticed it and corrected it long ago. But it did not help me.
In any case, since all traffic goes through the first provider, I disabled the mangle rules.
Finally I have a simple config: one ISP, NAT, one active static route, no firewall/mangle rules. FTP is not working.
Sob
December 17, 2016, 1:18am
20
myasnik:
Finally I have a simple config: one ISP, NAT, one active static route, no firewall/mangle rules. FTP is not working.
Could the ISP perhaps be blocking FTP? Did you try disconnecting the router, connecting a PC directly instead and testing from there?