Hey, ok, I have my port forwarding set up like this: chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=20-21 protocol=tcp dst-port=20-21. I also have PCC that I set up to use my two ADSL routers as failover and to split traffic, but if I want to forward FTP traffic to my FTP server, aka my FreeNAS box, it doesn't work!! It keeps on dropping the connection! Any help will be greatly appreciated.
Where are you trying to connect to your NAS from? The internet?
If so, an incoming connection should always go back out through the same source. That means if the request came in via DSL modem 1, it must go out through the same connection, otherwise the session will be dropped. To fix this you need either to bypass your NAS server from load balancing, or to mark your incoming FTP session so it is prerouted to the same incoming WAN interface.
Ok, how do I mark it or bypass it? What would be best?
Bypassing it would be much easier, of course.
But in this case you will be able to access your FTP from one modem only.
So in your dst-nat rule you need to specify the in-interface or dst-address that corresponds to WAN1 or WAN2.
Ok, nope, then I need to make them work from both routers, WAN1 and WAN2, if possible.
Post your mangle, NAT and route configurations.
mangle:
0 chain=input action=mark-connection new-connection-mark=wan1_conn
passthrough=no in-interface=ether1-Mweb-Router
1 chain=input action=mark-connection new-connection-mark=wan2_conn
passthrough=no in-interface=ether3-I.S-Router
2 chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=no
out-interface=ether1-Mweb-Router
3 chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=no
out-interface=ether3-I.S-Router
4 chain=prerouting action=accept dst-address=41.134.110.0/28
in-interface=ether1-Mweb-Router
5 chain=prerouting action=accept dst-address=196.212.100.0/28
in-interface=ether3-I.S-Router
6 chain=prerouting action=mark-connection new-connection-mark=wan1_conn
passthrough=yes dst-address=!192.168.88.0/24
in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/0
7 chain=prerouting action=mark-connection new-connection-mark=wan2_conn
passthrough=yes dst-address=!192.168.88.0/24
in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/1
8 chain=prerouting action=mark-routing new-routing-mark=to_wan1
passthrough=no in-interface=ether2-Main-LAN connection-mark=wan1_conn
9 chain=prerouting action=mark-routing new-routing-mark=to_wan2
passthrough=no in-interface=ether2-Main-LAN connection-mark=wan2_conn
nat:
0 chain=srcnat action=masquerade out-interface=ether1-Mweb-Router
1 chain=srcnat action=masquerade out-interface=ether3-I.S-Router
2 chain=dstnat action=dst-nat to-addresses=192.168.88.254 to-ports=20-21
protocol=tcp dst-port=20-21
routes:
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 41.134.110.9 1
1 A S 0.0.0.0/0 196.212.100.145 1
2 A S 0.0.0.0/0 41.134.110.9 1
3 S 0.0.0.0/0 196.212.100.145 2
4 ADC 41.134.110.0/28 41.134.110.11 ether1-Mweb-Router 0
5 ADC 192.168.88.0/24 192.168.88.1 ether2-Main-LAN 0
6 ADC 196.212.100.144/28 196.212.100.148 ether3-I.S-Router 0
Greetings.
Try pasting this into your terminal.
The first 2 lines fix your original rules number 4 and 5, where you assigned the wrong in-interface to the rule.
The second 2 lines stop packets generated by the router from being balanced; mangle output will take care of routing these packets to the right interface, where you are already marking connections coming in on each interface.
/ip fire man set 4 chain=prerouting action=accept dst-address=41.134.110.0/28 in-interface=ether2-Main-LAN
/ip fire man set 5 chain=prerouting action=accept dst-address=196.212.100.0/28 in-interface=ether2-Main-LAN
/ip fire man add chain=prerouting src-address=41.134.110.0/28 protocol=tcp src-port=20-21 action=accept place-before=6
/ip fire man add chain=prerouting src-address=196.212.100.0/28 protocol=tcp src-port=20-21 action=accept place-before=6
Ok, did it, but no luck with my FTP. Should I do a NAT rule as well?
/ip fire man
set 0 passthrough=yes
set 1 passthrough=yes
set 2 passthrough=yes
set 3 passthrough=yes
/ip fire man
add action=mark-connection chain=forward connection-state=new in-interface=ether1-Mweb-Router new-connection-mark=outside1_connection passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=ether3-I.S-Router new-connection-mark=outside2_connection passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside1_connection new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside2_connection new-routing-mark=to_wan2 passthrough=no
/ip fire nat
add place-before=0 chain=srcnat connection-mark=wan1_conn action=src-nat to-addresses=[put your router eth1 public address here]
add place-before=0 chain=srcnat connection-mark=wan2_conn action=src-nat to-addresses=[put your router eth2 public address here]
If this did not work, refer to the topic
http://forum.mikrotik.com/t/load-balance-mangle-question/44273/1
Ok, sorry, I didn't check if the server was on. Ok, but what I did was I added this rule in my NAT:
2 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-21
protocol=tcp dst-port=20-21
and in my service ports in my firewall I activated the FTP helper, and my FTP seems to be working!
But now another question: one brilliant programmer of mine hardcoded the public IP address for FTP access in the program. Is there a loopback I need to add so that if they use any of 196.212.100.148 or 41.134.110.11 on the internal network, it just returns back to my prox without going out and then back in?
In fact, your dst-nat rule does not specify any in-interface or dst-address; in this case any FTP session will be redirected to your local server, which is not good.
So first fix your outside dst-nat:
/ip fire nat add chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-21 protocol=tcp dst-port=20-21 dst-address=[put your router public ip 1]
/ip fire nat add chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-21 protocol=tcp dst-port=20-21 dst-address=[put your router public ip 2]
This should solve it for your internal users as well. If it does not work for internal IPs, in your NAT chain add these rules before zero:
/ip fire nat add chain=srcnat dst-address=[put your router public ip 1] action=accept place-before=0
/ip fire nat add chain=srcnat dst-address=[put your router public ip 2] action=accept place-before=0
And good luck!
Thank you very much Sariman, it is working beautifully!!!
Ok, one problem: I have connections from outside, like from my house to my office, and it works, but when I'm at my office and they use my public IP instead of my private IP to access my FTP server, the connection is timing out.
My programmer hardcoded the program to use e.g. ftp://41.134.110.11, and it works fine outside but not on my local subnet. Is there a rule or a loopback I need to enter somewhere?
Try using these rules in your prerouting chain:
/ip fire man add chain=prerouting src-address=192.168.88.0/24 dst-address=[put your router public ip 1] action=accept place-before=0
/ip fire man add chain=prerouting src-address=192.168.88.0/24 dst-address=[put your router public ip 2] action=accept place-before=0
Ok, I keep on getting this error when pasting it in: expected end of command (line 1 column 35).
My IP firewall mangle looks like this now:
0 chain=input action=mark-connection new-connection-mark=wan1_conn
passthrough=no in-interface=ether1-Mweb-Router
1 chain=input action=mark-connection new-connection-mark=wan2_conn
passthrough=no in-interface=ether3-I.S-Router
2 chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=no
out-interface=ether1-Mweb-Router
3 chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=no
out-interface=ether3-I.S-Router
4 chain=prerouting action=accept dst-address=41.134.110.0/28
in-interface=ether2-Main-LAN
5 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=20-21
6 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=22
7 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=80
8 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=81
9 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=443
10 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=3203
11 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=3204
12 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=3306
13 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=5900-5935
14 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=6010
15 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=6000-6001
16 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=7000
17 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28
src-port=8080-8082
18 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=20-21
19 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=22
20 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=80
21 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=81
22 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=5900-5935
23 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=3203
24 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=3204
25 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=443
26 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=3306
27 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=6010
28 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=6000-6001
29 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=7000
30 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28
src-port=8080-8082
31 chain=prerouting action=mark-connection new-connection-mark=wan1_conn
passthrough=yes dst-address=!192.168.88.0/24
in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/0
32 chain=prerouting action=accept dst-address=196.212.100.0/28
in-interface=ether2-Main-LAN
33 chain=prerouting action=mark-connection new-connection-mark=wan2_conn
passthrough=yes dst-address=!192.168.88.0/24
in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/1
34 chain=prerouting action=mark-routing new-routing-mark=to_wan1
passthrough=no in-interface=ether2-Main-LAN connection-mark=wan1_conn
35 chain=prerouting action=mark-routing new-routing-mark=to_wan2
passthrough=no in-interface=ether2-Main-LAN connection-mark=wan2_conn
Use this:
/ip fire nat add chain=srcnat dst-address=192.168.88.0/24 action=accept place-before=0
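For the hairpin case discussed in this and the previous two replies (LAN clients reaching the FTP server by the router's public address), here is an added, self-contained RouterOS example. It is not the thread's own configuration; it assumes the interface names and addresses shown in the prints above (ether2-Main-LAN, 192.168.88.0/24, server 192.168.88.2, public addresses 41.134.110.10 and 196.212.100.148, public subnets 41.134.110.0/28 and 196.212.100.0/28), and the rule comments are mine.

```routeros
# Added example: hairpin NAT for LAN clients that use the router's public address.
# Assumes the thread's interface names and addresses; adjust them to your own.
#
# Two things break without this:
#  - mangle prerouting runs before dst-nat, so a LAN packet for 41.134.110.10
#    gets PCC-marked and routed out a WAN instead of being forwarded to the server;
#  - after dst-nat the server would answer the client directly from 192.168.88.2,
#    and the client drops that reply because it expects one from the public address.

/ip firewall mangle
# Keep LAN traffic aimed at the router's own public subnets out of PCC.
# These rules must sit above the per-connection-classifier rules.
add chain=prerouting in-interface=ether2-Main-LAN dst-address=41.134.110.0/28 \
    action=accept comment="hairpin: do not balance LAN -> WAN1 public subnet"
add chain=prerouting in-interface=ether2-Main-LAN dst-address=196.212.100.0/28 \
    action=accept comment="hairpin: do not balance LAN -> WAN2 public subnet"

/ip firewall nat
# dst-nat keyed on dst-address only (no in-interface), so it also matches
# connections that come from the LAN side.
add chain=dstnat dst-address=41.134.110.10 protocol=tcp dst-port=20-21 \
    action=dst-nat to-addresses=192.168.88.2 comment="ftp via WAN1 address"
add chain=dstnat dst-address=196.212.100.148 protocol=tcp dst-port=20-21 \
    action=dst-nat to-addresses=192.168.88.2 comment="ftp via WAN2 address"
# Hairpin: for LAN -> LAN connections that were dst-nat'ed to the server, rewrite
# the source to the router's LAN address. The server then replies to the router,
# which un-NATs the reply back to the public address the client connected to.
# Placed first so the per-WAN masquerade rules never see this traffic.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.2 \
    protocol=tcp dst-port=20-21 out-interface=ether2-Main-LAN action=masquerade \
    place-before=0 comment="hairpin NAT for LAN clients"

/ip firewall service-port
# The FTP helper tracks the PORT/PASV data channel so the data connection is
# NATed together with the control connection (the poster enabled this earlier).
set ftp disabled=no
```

A quick check after applying it: from a LAN host, connect to ftp://41.134.110.10 and watch /ip firewall connection print; the connection should show src 192.168.88.x, dst 41.134.110.10 with reply dst rewritten to 192.168.88.2, and no routing mark on it.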
Ok, now I'm having the following problem: port forwarding is working on my router, but only via my own public IP address 196.212.100.148, and I cannot access it via 41.134.110.10. But if I disable the interface with 196.212.100.148, then 41.134.110.10 starts working!
Here is my NAT print:
0 ;;; Loopback-Connection 1
chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.2 out-interface=ether2-Main-LAN
1 chain=srcnat action=masquerade out-interface=ether1-Mweb-Router
2 I chain=srcnat action=masquerade out-interface=ether3-I.S-Router
3 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-21 protocol=tcp dst-address=41.134.110.10 dst-port=20-21
4 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=22 protocol=tcp dst-address=41.134.110.10 dst-port=22
5 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=80 protocol=tcp dst-address=41.134.110.10 dst-port=80
6 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=81 protocol=tcp dst-address=41.134.110.10 dst-port=81
7 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=443 protocol=tcp dst-address=41.134.110.10 dst-port=443
8 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3203 protocol=tcp dst-address=41.134.110.10 dst-port=3203
9 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3204 protocol=tcp dst-address=41.134.110.10 dst-port=3204
10 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3306 protocol=tcp dst-address=41.134.110.10 dst-port=3306
11 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=5900-5935 protocol=tcp dst-address=41.134.110.10 dst-port=5900-5935
12 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6000-6001 protocol=tcp dst-address=41.134.110.10 dst-port=6000-6001
13 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6010 protocol=tcp dst-address=41.134.110.10 dst-port=6010
14 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=7000 protocol=tcp dst-address=41.134.110.10 dst-port=7000
15 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=8080-8082 protocol=tcp dst-address=41.134.110.10 dst-port=8080-8082
16 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=20-21 protocol=tcp dst-address=196.212.100.148 dst-port=20-21
17 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=22 protocol=tcp dst-address=196.212.100.148 dst-port=22
18 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=80 protocol=tcp dst-address=196.212.100.148 dst-port=80
19 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=81 protocol=tcp dst-address=196.212.100.148 dst-port=81
20 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=443 protocol=tcp dst-address=196.212.100.148 dst-port=443
21 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3203 protocol=tcp dst-address=196.212.100.148 dst-port=3203
22 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3204 protocol=tcp dst-address=196.212.100.148 dst-port=3204
23 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=3306 protocol=tcp dst-address=196.212.100.148 dst-port=3306
24 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=5900-5935 protocol=tcp dst-address=196.212.100.148 dst-port=5900-5935
25 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6000-6001 protocol=tcp dst-address=196.212.100.148 dst-port=6000-6001
26 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=6010 protocol=tcp dst-address=196.212.100.148 dst-port=6010
27 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=7000 protocol=tcp dst-address=196.212.100.148 dst-port=7000
28 chain=dstnat action=dst-nat to-addresses=192.168.88.2 to-ports=8080-8082 protocol=tcp dst-address=196.212.100.148 dst-port=8080-8082
and my mangle print:
0 chain=input action=mark-connection new-connection-mark=wan1_conn passthrough=no in-interface=ether1-Mweb-Router
1 I chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=no in-interface=ether3-I.S-Router
2 chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=no out-interface=ether1-Mweb-Router
3 I chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=no out-interface=ether3-I.S-Router
4 chain=prerouting action=accept dst-address=41.134.110.0/28 in-interface=ether2-Main-LAN
5 chain=prerouting action=accept dst-address=196.212.100.0/28 in-interface=ether2-Main-LAN
6 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=20-21
7 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=22
8 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=80
9 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=81
10 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=443
11 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=3203
12 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=3204
13 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=3306
14 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=5900-5935
15 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=6010
16 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=6000-6001
17 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=7000
18 chain=prerouting action=accept protocol=tcp src-address=41.134.110.0/28 in-interface=ether1-Mweb-Router src-port=8080-8082
19 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=20-21
20 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=22
21 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=80
22 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=81
23 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=5900-5935
24 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=3203
25 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=3204
26 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=443
27 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=3306
28 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=6010
29 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=6000-6001
30 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=7000
31 chain=prerouting action=accept protocol=tcp src-address=196.212.100.0/28 src-port=8080-8082
32 chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes dst-address=!192.168.88.0/24 in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/0
33 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes dst-address=!192.168.88.0/24 in-interface=ether2-Main-LAN
per-connection-classifier=both-addresses:2/1
34 chain=prerouting action=mark-routing new-routing-mark=to_wan1 passthrough=no in-interface=ether2-Main-LAN connection-mark=wan1_conn
35 chain=prerouting action=mark-routing new-routing-mark=to_wan2 passthrough=no in-interface=ether2-Main-LAN connection-mark=wan2_conn
and my route print:
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 41.134.110.9 1
1 S 0.0.0.0/0 196.212.100.145 1
2 A S 0.0.0.0/0 41.134.110.9 1
3 S 0.0.0.0/0 196.212.100.145 2
4 ADC 41.134.110.0/28 41.134.110.10 ether1-Mweb-Router 0
5 ADC 192.168.88.0/24 192.168.88.1 ether2-Main-LAN 0
So basically what happens is the connection comes in, but it leaves via the other WAN connection. How do I make it use the same route it came in from?
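The principle stated early in the thread (a session that arrives on one WAN has to be answered through that WAN) and the question just above come down to the same mechanism: a connection mark placed when the session arrives, turned into a routing mark on the reply packets, with the PCC rules told to leave already-marked connections alone. Below is an added, self-contained RouterOS example of that arrangement. It is written for this edit and is not the poster's or the replier's configuration; it assumes the interface names, gateways and addresses shown in the prints above (ether1-Mweb-Router / 41.134.110.9 / 41.134.110.10, ether3-I.S-Router / 196.212.100.145 / 196.212.100.148, ether2-Main-LAN / 192.168.88.0/24, server 192.168.88.2), and the mark names wan1_conn, wan2_conn, to_wan1 and to_wan2 are reused from the thread.

```routeros
# Added example: dual-WAN PCC where inbound connections are answered via the WAN
# they arrived on. Assumes the thread's interfaces, gateways and addresses.

/ip firewall mangle
# 1. Mark every NEW connection by the WAN it arrives on. Marking in prerouting (not
#    input) catches both traffic to the router itself and traffic that will be
#    dst-nat'ed to a LAN host; the chain=input rules in the thread see only the former.
add chain=prerouting in-interface=ether1-Mweb-Router connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=ether3-I.S-Router connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes

# 2. LAN traffic for the router's own public subnets is never load-balanced
#    (needed when LAN clients use the public address, as the thread does).
add chain=prerouting in-interface=ether2-Main-LAN dst-address=41.134.110.0/28 action=accept
add chain=prerouting in-interface=ether2-Main-LAN dst-address=196.212.100.0/28 action=accept

# 3. PCC only for connections that carry no mark yet. Without connection-mark=no-mark
#    the server's reply packets (LAN -> internet) would be re-marked here by PCC and
#    could be sent out the other WAN, which is exactly the "comes in on one WAN,
#    leaves via the other" symptom.
add chain=prerouting in-interface=ether2-Main-LAN connection-mark=no-mark \
    dst-address=!192.168.88.0/24 per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=ether2-Main-LAN connection-mark=no-mark \
    dst-address=!192.168.88.0/24 per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes

# 4. Turn the connection mark into a routing mark: for forwarded packets from the
#    LAN (the server's replies) and for the router's own replies (chain=output).
add chain=prerouting in-interface=ether2-Main-LAN connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=ether2-Main-LAN connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no
add chain=output connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=output connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no

/ip firewall nat
add chain=srcnat out-interface=ether1-Mweb-Router action=masquerade
add chain=srcnat out-interface=ether3-I.S-Router action=masquerade
# 5. One port forward per public address, keyed on dst-address so each WAN's
#    address only answers for sessions that came to it.
add chain=dstnat dst-address=41.134.110.10 protocol=tcp dst-port=20-21 \
    action=dst-nat to-addresses=192.168.88.2
add chain=dstnat dst-address=196.212.100.148 protocol=tcp dst-port=20-21 \
    action=dst-nat to-addresses=192.168.88.2

/ip route
# 6. One default route per routing mark, plus the unmarked defaults for failover.
#    check-gateway=ping lets a dead link's marked route drop out instead of blackholing.
add dst-address=0.0.0.0/0 gateway=41.134.110.9 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=196.212.100.145 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=41.134.110.9 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=196.212.100.145 distance=2 check-gateway=ping
```

To verify the path, open an FTP session to 41.134.110.10 from outside and run /ip firewall connection print; the entry should carry connection-mark wan1_conn, and a packet sniff on ether1-Mweb-Router should show the server's SYN-ACK leaving there rather than on ether3-I.S-Router. Rule order matters in this design: the WAN marking rules (step 1) and the accept rules (step 2) must come before the PCC rules (step 3), and the routing-mark rules (step 4) after them.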