FTP only for LAN

Hi

Read everything in the manual and on the forum about FTP, but I am missing something. Tried every example presented on the forum and still no go.

I can FTP to the routerboard with no problem. I want a computer on the LAN to serve as an FTP server for all LAN users (not for the internet, LAN only), but I cannot make it work.

From the manual and the forum I know I have to redirect ports in NAT and add rules in firewall/filter for the input chain and for new/established/related connections, and also to drop connections.

Well, here I am asking the support guys: something is wrong and I can’t manage to solve it. I have put the FTP rules at the top of the filter and NAT sections of the firewall, so that no obstacles exist for FTP inside the LAN. Still it doesn’t work. Below are the rules:

Filter
0 ;;; Allow FTP
chain=input src-address=20.0.0.0/24 protocol=tcp dst-port=20-21 connection-state=invalid action=drop
1 chain=input src-address=20.0.0.0/24 protocol=tcp dst-port=20-21 connection-state=new action=accept
2 chain=input src-address=20.0.0.0/24 protocol=tcp dst-port=20-21 connection-state=related action=accept
3 chain=forward src-address=20.0.0.0/24 protocol=tcp dst-port=20-21 connection-state=new action=accept
4 chain=forward src-address=20.0.0.0/24 protocol=tcp dst-port=20-21 connection-state=established action=accept

Nat
0 chain=dstnat src-address=20.0.0.0/24 protocol=tcp src-port=20-21 dst-port=20-21 action=dst-nat to-addresses=20.0.0.0-20.0.0.255 to-ports=20-21

Mangle
3 chain=prerouting in-interface=ether2 src-address=20.0.0.0/24 protocol=tcp dst-port=20-21 action=mark-connection new-connection-mark=ftp_conn passthrough=yes
4 chain=prerouting in-interface=ether2 src-address=20.0.0.0/24 protocol=udp dst-port=20-21 action=mark-connection new-connection-mark=ftp_conn passthrough=yes
5 chain=prerouting connection-mark=ftp_conn action=mark-packet new-packet-mark=ftp passthrough=no

IP/Service
1 ftp 21 20.0.0.0/24

Firewall/Service ports
0 ftp 21

I have no routing, no bridging, the network is simple: ADSL -> RB532 -> AP (transmitter) -> APs (clients) -> computers. I just mangle FTP packets, like HTTP packets.

When I try to connect from a client’s computer to test the FTP server, the FileZilla client displays the message “Connection established, waiting for welcome message…”

I don’t know why this is not working. Any help is appreciated, guys; I need this service but I’m at the end of my resources, I just cannot make it work. Maybe I tried so many examples that I’m missing a very small detail that is causing this mess. If you need any details about the config, let me know.

Thanks in advance.

B.

At least any hint, like “read the manual”, “you can google it”, “you’re wrong”, “nothing can be done”, etc. etc… I wouldn’t like my first post on this forum to go unanswered.

Or is it that MikroTik doesn’t care if the FTP function doesn’t work for what I asked, as long as it works for the routerboard itself?

B.

Try to use the firewall “connection-type=ftp” parameter, not the port numbers. I think it is easier, and maybe workable. I use it when I limit the users’ FTP speed, and it works.

gyoztes

Thanks for the reply.

I don’t think it works that way. And I don’t think MikroTik works with FTP on the LAN side either. I’ve tried everything. Or at least dst-nat doesn’t work in this scenario, or maybe it’s the .43 version that has bugs in this regard.

Actually I managed to link with a test FTP server, but not through the router: through my AP -> AP transmitter -> AP of the client (where the test FTP server is). The router doesn’t recognize the link (no packets processed at all) and I’m working to make this happen (it will take time, of course, if it can be done at all).

I wonder how come there are no people doing this with MT? An internal FTP server is a basic thing, so I’m really surprised by this vague response from the forum’s users.

Anyway, if I manage to succeed, I’ll post the complete configuration.

B.

Maybe I’m not reading your post correctly, but here’s my piece based on my understanding of what you are trying to accomplish…

FTP only uses ports 20-21 to set up the connection; after that it switches to a random high port.
Instead of trying to explicitly ALLOW FTP from internal addresses, it would be easier to DROP connections to TCP 20/21 coming from the WAN interface. This would prohibit anyone on the internal network from running an externally accessible FTP server, but would not interfere with internal usage.
/ip firewall filter add chain=forward protocol=tcp dst-port=20-21 in-interface=ether1 action=drop

Additionally, to protect your MT FTP server from the entire network, disable the FTP service:
/ip service set ftp disabled=yes
Or to only protect the MT FTP from the external network:
/ip firewall filter add chain=input protocol=tcp dst-port=20-21 in-interface=ether1 action=drop
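An added example (not from the reply above, nor MikroTik’s own documentation) that combines the two drop rules just given with the FTP connection-tracking helper gyoztes mentioned, so LAN clients can reach a LAN FTP server while nothing on the WAN can. It assumes ether1 is the WAN interface (as in the reply), ether2 and 20.0.0.0/24 are the LAN (from the original post), and RouterOS 3.x-era CLI syntax.

```routeros
# Added example, not the thread's own config. Assumptions: ether1 = WAN, ether2 = LAN 20.0.0.0/24.

# The router's own FTP service is not needed when the server is a LAN host.
/ip service set ftp disabled=yes

# The FTP helper watches the control channel on port 21 and parses PORT/PASV,
# so data channels on random high ports are tracked as "related" connections.
/ip firewall service-port set ftp disabled=no

/ip firewall filter
# Nothing from the WAN reaches FTP on the router or on any LAN host.
add chain=input   in-interface=ether1 protocol=tcp dst-port=20-21 action=drop comment="no FTP to router from WAN"
add chain=forward in-interface=ether1 protocol=tcp dst-port=20-21 action=drop comment="no LAN FTP server reachable from WAN"

# Data channels (any port) belong to an existing control channel, so no port list is needed.
add chain=forward connection-state=invalid     action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related     action=accept

# LAN clients open the control channel directly to the LAN server; no dst-nat is involved.
add chain=forward src-address=20.0.0.0/24 dst-address=20.0.0.0/24 protocol=tcp dst-port=21 connection-state=new action=accept comment="LAN to LAN FTP control"
```

If the client and the server sit on the same LAN segment, their traffic never crosses the router at all, so the forward rules only matter when the two are on different router interfaces.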

Thanks for the reply, it was just in time. I noticed last night that, at a very late hour, a client was using the internal FTP server connection to download from an external FTP server and not the regular connection (I mean the simple queue and FTP queue). I added the rule you suggested (the last one) to block ports 20-21 from the WAN and will see what happens, but I guess it’ll be fine. The point is to have my FTP server serve only locally.

But I have a question: will this rule drop all FTP connections from the WAN? I mean, will this still allow clients to download from outside FTP servers using port 80 (or any other)? If this totally blocks FTP from the WAN, I guess clients will not be allowed to use FTP servers from outside and will have only the option of HTTP downloads, if such an option exists, right?

Regards
B.

[edit] Yes, the rules are fine; FTP traffic from the internet is prohibited from passing through the local FTP channels.