Hello, this is my first post here. So let me make my question.
What I want is to send FTP over explicit TLS. It’s necessary to send it through port 21. I send FTP (without TLS) and there is no problem. The problem appears when I try to send FTP over TLS.
Does Mikrotik support TLS encryption?
If Mikrotik supports it, is there any configuration needed?
a) Use TLS with RouterOS FTP server. You can’t, it’s not there.
b) Use TLS with some other FTP server connected behind a router with RouterOS. It’s no problem, you just have to properly configure both server and router. That means to configure a static passive port range on the server, forward those ports from the router to the server, and tell the server which public address it should send to clients.
c) Use TLS with FTP client connecting through RouterOS router to some external FTP server. No problem, nothing special required, except allowing outgoing traffic. Just make sure you use passive mode.
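Scenario b) as a RouterOS configuration, added here as an example and not something posted in the thread. The addresses, interface name and passive range are placeholders: WAN on ether1 with public address 203.0.113.10, FTP server at 192.168.88.10, and the server already set to passive ports 50000-50100 advertising 203.0.113.10 as its external address.

```routeros
# Added example (not from the thread). Placeholders: ether1 = WAN, 192.168.88.10 = FTP server,
# 50000-50100 = passive range configured on the server, 203.0.113.10 = public address the
# server announces in its PASV replies.

# 1) Forward the control port and the whole static passive range to the server.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=21 \
    action=dst-nat to-addresses=192.168.88.10 comment="FTPS control"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=50000-50100 \
    action=dst-nat to-addresses=192.168.88.10 comment="FTPS passive data"

# 2) Let only those forwarded connections through; everything else new from WAN is dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=ether1 \
    protocol=tcp dst-address=192.168.88.10 dst-port=21,50000-50100 action=accept \
    comment="forwarded FTPS control + passive data"
add chain=forward connection-state=new in-interface=ether1 action=drop \
    comment="default deny inbound"

# The FTP helper in /ip firewall service-port can only read plaintext PASV replies; with TLS
# it sees nothing, which is why the passive range must be forwarded explicitly above.
```

Without the fixed passive range on the server side, the router has no way to know which high port the next data connection will use, so step 1 is what makes the whole thing deterministic.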
What do I do to allow outgoing traffic? I enabled port 21 (service port) and I don't know if I must do something more, because FTP works when it goes alone.
As you probably know, FTP uses one control connection and then multiple data connections (one for each file transfer or directory listing). Data connections are either active (server connects to the address and port provided by the client) or passive (client connects to the address and port provided by the server). It’s a nightmare for firewalls.
If there’s an unencrypted control connection, they can inspect all commands and dynamically allow data connections. If you have an encrypted control connection, they have no idea what happens and data connections look like random ones. Active data connections should at least come from port 20. But you generally can’t use active connections with clients, because most are behind NAT and have incoming connections blocked. Passive data connections come from client to server and they look pretty much random. So if you block outgoing connections by default, it does not go well together with encrypted passive mode FTP.
If you can configure your router and FTP client, you can use active mode. For that, you’d need the same as you’d need for configuring passive mode on the server side, i.e. forward a range of ports to the client device, tell the FTP client about them and the right public address. But not all clients support this.
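Scenario c) with a default-deny outbound policy, the situation described in the question above, as an added RouterOS example that is not part of any post in this thread. It assumes the client sits behind ether1 (WAN), the external FTPS server is 198.51.100.20, and its operator has told you its passive range is 50000-50100; all of these are placeholders.

```routeros
# Added example (not from the thread). Placeholders: ether1 = WAN, 198.51.100.20 = external
# FTPS server, 50000-50100 = the server's passive range (you have to get this from its operator,
# the router cannot learn it from an encrypted control connection).
/ip firewall filter
add chain=forward connection-state=established,related action=accept

# Allowing only port 21 is the "FTP works, FTPS does not" state: the control connection
# succeeds, but every passive data connection is a new outgoing TCP session to a high port
# that the FTP service-port helper cannot see through TLS, so it hits the final drop.
add chain=forward connection-state=new out-interface=ether1 protocol=tcp \
    dst-address=198.51.100.20 dst-port=21 action=accept comment="FTPS control"

# Fix: open the server's passive range explicitly, to that server only.
add chain=forward connection-state=new out-interface=ether1 protocol=tcp \
    dst-address=198.51.100.20 dst-port=50000-50100 action=accept \
    comment="FTPS passive data (not visible to the helper under TLS)"

add chain=forward connection-state=new out-interface=ether1 action=drop \
    comment="default deny outbound"
```

Keep the accept scoped to the server address rather than opening the whole high range to everyone; if the server's passive range is unknown, the only outbound-policy option left is allowing new outgoing TCP from that client generally, which is the trade-off the reply above is pointing at.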