ftp server works i LAN, WAN not

RouterOS Beginner Basics
1

Hello everyone !

Using Hap ac2 RBD52G-5HacD2HnD-TC, attached usb flash drive. Configured partition, users, in ip-services default ftp ports is changes to 221, also included in firewall.

chain=input action=accept protocol=tcp in-interface=ether1-WAN dst-port=221 log=no log-prefix=""

In local network (lan) ftp is working, when trying to access via WAN port can't connect
ftp client error:TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (78,83,109,95,236,214).
Command: LIST
Response: 425 Can't build data connection
Error: Failed to retrieve directory listing

Probably have to configure passive ports. Can't find which passive ports mikrotik ftp server uses, or where I can change them, so they be opened via firewall.
If I open ports 1-65535 ftp works via WAN, but I think that is not correct.

I have two ftp servers on computers in local network, which ports are opened and works perfectly, but for mikrotik ftp server can't find information.
This is current rules in firewall

# nov/07/2019 13:54:08 by RouterOS 6.45.7
# software id = G8AC-QXNU
#
# model = RBD52G-5HacD2HnD
# serial number = A6470AE67982
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="http WAN" dst-port=8080 protocol=tcp
add action=accept chain=input comment="https WAN" dst-port=58291 protocol=tcp
add action=accept chain=input comment="ftp router" dst-port=2221 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=input dst-port=20 in-interface=ether1-WAN protocol=\
    tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=transmission dst-port=9091 \
    in-interface=ether1-WAN protocol=tcp to-addresses=10.10.10.7 to-ports=\
    9091
add action=dst-nat chain=dstnat comment="rdp pc" dst-port=53389 in-interface=\
    ether1-WAN protocol=tcp to-addresses=10.10.10.2 to-ports=3389
add action=dst-nat chain=dstnat comment="ftp storage" dst-port=2121 protocol=\
    tcp to-addresses=10.10.10.7 to-ports=21
add action=dst-nat chain=dstnat comment="ftp pc" dst-port=21 protocol=tcp \
    to-addresses=10.10.10.2 to-ports=2121
add action=dst-nat chain=dstnat comment="https storage" dst-port=8443 \
    in-interface=ether1-WAN protocol=tcp to-addresses=10.10.10.7 to-ports=\
    443
add action=dst-nat chain=dstnat comment=torrent dst-port=44222 in-interface=\
    ether1-WAN protocol=tcp to-addresses=10.10.10.2 to-ports=44222
add action=dst-nat chain=dstnat comment=WOL disabled=yes dst-port=9 \
    in-interface=ether1-WAN protocol=udp to-addresses=10.10.10.2 to-ports=9
add action=dst-nat chain=dstnat comment=netgear dst-port=8888 in-interface=\
    ether1-WAN protocol=tcp to-addresses=10.10.10.11 to-ports=8888
add action=dst-nat chain=dstnat comment="ssh storage" dst-port=2222 \
    in-interface=ether1-WAN protocol=tcp to-addresses=10.10.10.7 to-ports=\
    22
add action=dst-nat chain=dstnat comment="ftp passive pc" dst-port=40000-40400 \
    in-interface=ether1-WAN in-interface-list=all protocol=tcp to-addresses=\
    10.10.10.2 to-ports=40000-40400
add action=dst-nat chain=dstnat comment="ftp passive storage" dst-port=\
    50000-50400 in-interface=ether1-WAN protocol=tcp to-addresses=\
    10.10.10.7 to-ports=50000-50400
add action=dst-nat chain=dstnat comment="http WAN" disabled=yes dst-port=8080 \
    in-interface=ether1-WAN protocol=tcp to-addresses=10.10.10.1 to-ports=\
    8080
add action=netmap chain=dstnat comment=wol dst-port=9 protocol=udp \
    to-addresses=10.10.10.2

Thanks in advance !

2

It is not recommended to open local services to internet! It is a security risk.
When you want to run an FTP server, it is better to use a dedicated device like Raspberry Pi for it.

3

I probably wouldn’t choose RouterOS as ftp server either. But if you really want it, just add your non-standard port 2221 as ftp service port in IP->Firewall->Service Ports. It will tell conntrack’s ftp helper to watch it and connections to data ports will get connection-state=related.

4

@pe1chl
I have dedicated ftp server, I just want to make this mikrotik ftp server working.

@Sob
Yes, I made this (221). Temporary I opened ports 1-65535 and in firewall-connection menu
observer what ports are used, when working with ftp client.
They are different, sometimes 40 000, sometimes 30000, then 50000 and etc etc.
So basically everything (1-65535) should be opened, to make this ftp works.

I can’t believe that there is no options to change mikrotik ftp server settings :confused:

5

That’s not what I wrote. You do not need to specifically open passive ports, they will be opened automatically if you do what I suggested.

6

As Sob notes, an FTP server will negotiate the ports with the client and through the FTP Alg on the router will coordinate opening the ports required. One does not need open up any ports on the firewall other than 20 or 21 or both…

It is only acceptable in this day and age to have an FTP server that requires (secure) HTTPS type login with username and password,
limits the number of users, and limits login attempts.
Its even better to limit which WANIPs can access your FTP server via the router.

7

You can do to your own router whatever you like, I only recommend you not to do it.
There could be a security vulnerability in the FTP server that leaks your password or other sensitive info, it would not be the first time that this happens.
It is not a good idea to expose RouterOS services to the internet unless absolutely required (e.g. VPN services), “just for the fun of it” is not a very good reason…
Keep ftp, telnet, ssh, winbox, api etc inaccessible from internet, and if you need access at least do it via a VPN and/or a filter on fixed external address of an admin.

8

Do not disagree with Pe1.. but people still want to do these things…

I should add that I would put the FTP server on its own VLAN and specifically only allow access to the internet and thus not to any other device behind your router or networks.
At least that should isolate things somewhat.

9

I am sorry, bu don’t understand what I should do. I set ftp service on different than default tcp port.
Tried several times with different firewall rules, the only way when it works, was when all ports where opened.

10

Did you notice that there are two different places?

IP->Services->ftp
IP->Firewall->Service Ports->ftp

You need to update both, did you? In the latter, you want to add your port, but also keep original 21.

11

No I don’t, sorry.
Thanks very much, everything works !

12

Use plain FTP in your client. ROS seems not supporting ftp over TLS.