help forwarding ftp port

Hello, i tried all the tutorials i found on net and this forum, nothing seems to work.

I have a PPPoE connection and a private NAT network behind the MikroTik.
No firewall; the FTP port of the MikroTik itself is disabled.

interface print
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE MTU L2MTU MAX-L2MTU

0 R ether1-gateway ether 1500 1600 4076
1 R ether2-master-local ether 1500 1598 2028
2 ether3-slave-local ether 1500 1598 2028
3 R ether4-slave-local ether 1500 1598 2028
4 R ether5-slave-local ether 1500 1598 2028
5 wlan1 wlan 1500 2290
6 R bridge-local bridge 1500 1598
7 R rcs pppoe-out 1480


ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; FTP fw
chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=21 protocol=tcp in-interface=rcs dst-port=21
1 chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=20 protocol=tcp in-interface=rcs dst-port=20
2 ;;; FTP passive
chain=dstnat action=dst-nat to-addresses=192.168.0.100 protocol=tcp dst-port=10500-10550
3 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=rcs

In this scenario ftp is working good from command prompt but is not working from any browser at all.

Did i miss something ?
Regards

It works from CLI but not your browser? What do you mean?

With the ftp command from a Linux or Windows machine it connects and works, but from a browser (no matter which… Mozilla, Opera… etc.) the page ftp://external.ip.of.mktk does not open… it opens of course from the local network, but I need it from outside. I suppose I am missing some more ports to forward, or… something else.

PS: Before this mktk was an old router dlink who did this job with only 2 clicks… now i’m trying with mktk for 2 days with no result.

Post /export compact so everyone can look at your entire config.

/export compact

apr/23/2013 14:30:49 by RouterOS 5.24

software id = 7VBL-8T51

# Compact export of the router's configuration as posted in the thread.
# Credentials are redacted by the poster. Review notes are marked NOTE(review).
/interface bridge
add admin-mac=D4:CA:6D:5F:44:9D auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n disabled=no distance=indoors frequency=2457 ht-ampdu-priorities=0,1,2,3,4,5,6,7 l2mtu=2290 mode=ap-bridge ssid=dlink wireless-protocol=any
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
# The PPPoE client "rcs" runs on top of ether1-gateway and installs the default route,
# so rcs (not ether1-gateway) is the interface the NAT rules below treat as WAN.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=rcs password=xxxxxxxxxxxxx use-peer-dns=yes user=xxxxxxxxxxxx
# NOTE(review): this profile lists tkip next to aes-ccm for both unicast and group ciphers;
# keeping aes-ccm only is the usual hardening if every client supports it - confirm.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=Txxxxxxxxxxxxxx wpa2-pre-shared-key=
xxxxxxxxxxxxxxxx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=default-dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface wireless align
set receive-all=yes ssid-all=yes
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=bridge-local
# Static ARP entries; 192.168.0.100 is the host the dst-nat rules below forward to.
/ip arp
add address=192.168.0.222 interface=bridge-local mac-address=6C:62:6D:1F:73:C6
add address=192.168.0.100 interface=bridge-local mac-address=00:D0:4B:88:34:E7
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
# NOTE(review): dns-server=192.68.0.1 is outside 192.168.0.0/24; it looks like a typo
# for 192.168.0.1 - confirm, since LAN clients would send DNS queries to an unrelated host.
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" dns-server=192.68.0.1,8.8.8.8 gateway=192.168.0.1 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries itself.
# With every input filter rule below disabled, that presumably includes queries arriving
# on the PPPoE uplink - confirm and restrict DNS to the LAN side.
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=213.154.124.1,193.231.252.1
/ip dns static
add address=192.168.88.1 name=router
# NOTE(review): all four input-chain rules carry disabled=yes, so no input filtering is
# active on the router. The drop rule also names ether1-gateway, while the NAT rules in
# this export use the pppoe-out interface rcs as the WAN side - confirm which interface
# the rule has to match before re-enabling it.
/ip firewall filter
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="default configuration" connection-state=established disabled=yes
add chain=input comment="default configuration" connection-state=related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
# Port forwards to 192.168.0.100 (tcp/21, tcp/20 and a passive range) plus outbound masquerade.
# NOTE(review): the "FTP passive" rule has no in-interface or dst-address, so it matches
# tcp 10500-10550 arriving on any interface, LAN-originated connections to other hosts
# included; the other two forwards are limited to in-interface=rcs.
/ip firewall nat
add action=dst-nat chain=dstnat comment="FTP fw" dst-port=21 in-interface=rcs protocol=tcp to-addresses=192.168.0.100 to-ports=21
add action=dst-nat chain=dstnat dst-port=20 in-interface=rcs protocol=tcp to-addresses=192.168.0.100 to-ports=20
add action=dst-nat chain=dstnat comment="FTP passive" dst-port=10500-10550 protocol=tcp to-addresses=192.168.0.100
add action=masquerade chain=srcnat comment="default configuration" out-interface=rcs to-addresses=0.0.0.0
# Connection-tracking helpers, all disabled here. With the ftp helper off, the router does
# not rewrite the internal address the FTP server puts into its passive-mode replies.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip neighbor discovery
set ether1-gateway disabled=yes
set wlan1 disabled=yes
/ip proxy
set max-cache-size=none
# The router's own management services: telnet and ftp are off, www and ssh moved to
# non-default ports.
# NOTE(review): no address restriction is visible on www/ssh, and the input filter is
# disabled, so both are presumably reachable from the internet side - confirm.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8888
set ssh port=2222
# NOTE(review): SNMP is enabled and the trap community is the well-known string "public";
# the community access settings are not part of this export - verify SNMP is not
# answered on the uplink.
/snmp
set enabled=yes location=tanasescu trap-community=public
/system clock
set time-zone-name=Europe/Bucharest
/system leds
set 0 interface=wlan1
/system logging
add topics=firewall
/system ntp client
set enabled=yes mode=unicast primary-ntp=194.102.255.19 secondary-ntp=80.96.120.253
/system routerboard settings
set cpu-frequency=360MHz
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC-level management (mac-server and mac-winbox) is enabled on the LAN ports, wlan1 and
# the bridge only; ether1-gateway is not listed.
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local

Command-line ftp client on Windows uses active mode, browsers use passive. And because you have disabled ftp helper under /ip firewall service-port, then unless you configured ftp server with correct external address, it sends 192.168.0.100 to passive clients and it can’t work. You can verify that using any ftp client where you can select transfer mode and see the logs, or using http://ftptest.net.

To fix it:
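a) if you don’t need SSL, you can just enable ftp helper (it rewrites the address in the server’s replies on the control connection, which it can only do while that connection is unencrypted)
b) if you require SSL support, then you have to configure the server with your external address, so that it can send it to clients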

The FTP server is in fact a LaCie hard drive and it does not have many options. It worked with a $20 D-Link wifi router with just a port forward until now, when I recommended the MikroTik - it looks bad for me not to fix this.

Go to IP->Firewall->Service Ports, enable ftp and it should work.

And it is not working… I need FTP for a server behind the MikroTik… that ftp setting is for the MikroTik itself, as far as I know.

It still works from the CLI… is the browser somehow using something else? I must insist: before this MikroTik there was an old D-Link that had only a port forward… nothing special, and it worked both ways.

So did you actually try to enable it, or you just skipped that, because you’re sure it’s not what you need? Because it really is what you need and it’s exactly the same thing your old D-Link used. Except there it was probably always enabled and you couldn’t disable it at all.

Let me show you the most simple example (you don’t even need to forward anything else except port 21, because the helper also takes care of the data connections):

# Minimal example: one public address on WAN, one private address on LAN.
/ip address
add address=192.0.2.10/24 interface=WAN
add address=192.168.56.1/24 interface=LAN
# Outbound masquerade, plus a single port forward of tcp/21 to the internal FTP server.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-address=192.0.2.10 dst-port=21 \
    protocol=tcp to-addresses=192.168.56.101
# FTP helper disabled: this is the failing case.
/ip firewall service-port
set ftp disabled=yes ports=21

When client sends PASV command, this is what it gets back:

227 Entering Passive Mode (192,168,56,101,26,102)

That won’t work, because 192.168.56.101 is internal address. But when you change it a bit:

# Same setting with the FTP helper enabled on the control port (21).
/ip firewall service-port
set ftp disabled=no ports=21

Then the reply is:

227 Entering Passive Mode (192,0,2,10,139,110)

And everything works great (except SSL).

Sorry for the delay but the dude wanted something quick to work and he put a dlink router.

Now I can test it and it is working… true, ftp should be enabled in services (thanks for that idea), and I suppose it needs more than ports 21 and 20 to work from any browser… I mapped all ports from 0-1000 and it works from anything.

Thanks for your help - you’re a great and helping community…