IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Good Morning,

I am hoping you all can assist with this very frustrating issue. I am attempting to set up an FTP server on our in-house server via FileZilla. In FileZilla's configuration I am using Listening Port = 21 and in passive mode am using port range 980-990. I have already set up the Windows firewall rules to allow both incoming and outgoing communication through both these FTP ports. Worth mentioning here that I have another software system in place that uses an API that communicates through port 3691 TCP/UDP. I was able to successfully open this port up and our API works like a charm. When I try to replicate the process for our FTP server I cannot get the port open. Can anyone assist with clarifying the procedures for this? Here is the latest setup I did on the MikroTik router (reading your forums and videos I've tried a few different setups):

  1. Logged into router and went to IP>Firewall>Nat tab at the top
  2. I added a New NAT rule.
  3. a- Chain= dstnat
    b- Protocol= (6) tcp
    c- In.Interface= ether1-gateway (I don't see an option for WAN, and I was not the original IT guy that set up the network. As far as I can tell in this crummy UI that MikroTik offers, the IT guy bridged the connections)
    d- action= dst-nat
    e- To Address= 10.1.10.120
    f- To Ports = 980

Any thoughts would be immensely useful! thanks!

Be careful with the words, sir! :wink:

If your WAN is ether1-gateway (it probably is, unless you have PPPoE on top of that), then:

a) If you use plaintext FTP with no encryption, this should be enough:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.10.120

b) If you have encrypted FTP (with certificate), you need to forward all ports:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=21,980-990 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.10.120

And you also have to configure FTP server to send correct public address in replies to PASV commands.

Other problem could be if you’d forward port(s) using dstnat, but didn’t let them through firewall filter.

My issue is the age of the OS you are using.
Not sure which product you are using, but the latest is 6.42.4…

Agreed. Unfortunately I was just brought on as a contracted consultant for other stuff, and despite my efforts to give the IT here a wide berth I have come toe-to-toe with it. The original IT guy that set everything up has disappeared and based on what I've seen so far it looks like he ran a sloppy operation. The router probably is one of the more updated systems in this office; it's kind of tragic. I have updated it already, and am just waiting for the end of the business day today to restart the network so I don't affect the daily workload.

Thanks man!

Do you use WinBox? I’m almost in love with that thing. Nice, powerful, intuitive, … at least for me.

If you use plaintext FTP, the conntrack helper will snoop on the control connection (if it's on the standard port) for any PASV/PORT commands, mark data connections as "related" and change addresses if needed. So in that case, forwarding just port 21 is enough.

For filter, you can have universal rule to allow all dstnatted connections:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

Also make sure that you allow packets with connection-state=related. It's usually part of the first standard rule.

You can also do (in Terminal):

/export hide-sensitive

and post the config here. If you think that the config might be a mess, then who knows what might be wrong, and it's hard to guess, because RouterOS gives you plenty of ways to shoot yourself in the foot.

You the man! Thanks Sob. It looks like the IP filter worked. It does beg the question why my API works without an IP filter but the FTP didn't, but I'll take a W where I can right now.

thanks again

Winbox Fantasies By SoB, coming soon to a bookstore near you!!!
“ten things you can do with a naughty terminal but would never tell your mother”


About the NRA dangers of RouterOS, it's a surprise I have any toes left!!

Sob, do you mean use the FTP ALG in RouterOS and simply dstnat the standard FTP port (was wondering, as that is all I have had to do with any number of routers)?

Well, I sure did create some naughty configs with WinBox. :slight_smile:

And with FTP, if it's the old unencrypted one, the answer is yes. Dstnat port 21, don't forget to allow related connections and you're all set. The router will read all required info from the control connection. Which also shows why you shouldn't use unencrypted FTP, because if the router can read everything in the control connection (including the password, but the router doesn't care about that), then anyone else on the way can do the same.

For Passive Mode, you do have to forward the Passive Ports as well as the FTP Port.

You really don’t, if there’s no encryption. If I have:

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=reject chain=forward reject-with=icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=21 protocol=tcp to-addresses=192.168.80.10

This is log from server:

[23.6.2018 13:37:05] [384] < PASV
[23.6.2018 13:37:05] [384] > 227 Entering Passive Mode (192,168,80,10,239,121)
[23.6.2018 13:37:05] [384] < MLSD
[23.6.2018 13:37:05] [384] > 150 Opening passive mode data connection for listing of "/DriveE".
[23.6.2018 13:37:05] [384] > 226 MLSD command successful.

And this is from client:

PASV
227 Entering Passive Mode (213,x,x,251,239,121)
MLSD
150 Opening passive mode data connection for listing of "/DriveE".
226 MLSD command successful.

Address is correctly changed to public one and connection succeeds, even though there are no other forwarded ports except tcp 21. But again, only without encryption. If there is encryption, then dstnat for data ports and correctly configured WAN address in FTP server are required.
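The post above shows the FTP helper rewriting the 227 reply on the way out. As an added example (not code from the thread or from RouterOS), the following Python models what the helper does on a plaintext control connection: it parses the `h1,h2,h3,h4,p1,p2` endpoint from a PASV reply or a PORT command, computes the data port as `p1*256 + p2`, substitutes the router's public address for the server's LAN address and records the "related" expectation that lets the data SYN through with no extra dst-nat rule. It also models the client-side check behind the "server sent passive reply with unroutable address, using host address instead" message. The LAN address 192.168.80.10 and the PASV/PORT lines are the ones quoted in the thread; 203.0.113.251 is a documentation address standing in for the masked 213.x.x.251 and is constructed for this example.

```python
"""Model of the RouterOS FTP conntrack helper on a *plaintext* control
connection forwarded with dst-nat. Added example; not code from the thread
or from RouterOS. Public address 203.0.113.251 is constructed."""
import ipaddress
import re

# RFC 959 endpoint encoding: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_endpoint(line):
    """(ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' or
    'PORT h1,h2,h3,h4,p1,p2'. ValueError if absent or a field exceeds 255."""
    m = _ENDPOINT.search(line)
    if m is None:
        raise ValueError("no endpoint in %r" % line)
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        raise ValueError("field out of range in %r" % line)
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def format_endpoint(ip, port):
    """Inverse of parse_endpoint: 'h1,h2,h3,h4,p1,p2'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def helper_process_pasv(reply, server_lan_ip, router_public_ip):
    """Helper action on a 227 reply leaving the LAN. Returns the reply as the
    client will see it and the conntrack expectation: a SYN from anywhere to
    router_public_ip:port is 'related' to the control connection and is
    dst-natted to server_lan_ip:port without any explicit NAT rule."""
    ip, port = parse_endpoint(reply)
    expectation = {
        "dst": (router_public_ip, port),
        "dnat_to": (server_lan_ip, port),
        "state": "related",
    }
    if ip == server_lan_ip:  # server advertised its LAN address: rewrite it
        reply = reply.replace(format_endpoint(ip, port),
                              format_endpoint(router_public_ip, port), 1)
    return reply, expectation


def client_data_target(reply, control_peer_ip):
    """Client-side sanity check that WinSCP/FileZilla apply: if the advertised
    address is RFC 1918 while the control-connection peer is not, fall back to
    the peer address and keep only the port ('using host address instead')."""
    ip, port = parse_endpoint(reply)
    adv, peer = ipaddress.ip_address(ip), ipaddress.ip_address(control_peer_ip)
    adv_private = any(adv in n for n in _RFC1918)
    peer_private = any(peer in n for n in _RFC1918)
    if adv_private and not peer_private:
        return control_peer_ip, port
    return ip, port


if __name__ == "__main__":
    server_reply = "227 Entering Passive Mode (192,168,80,10,239,121)"
    seen, exp = helper_process_pasv(server_reply, "192.168.80.10", "203.0.113.251")
    print(seen)                                      # reply as the client sees it
    print(exp)                                       # related/dnat expectation
    print(parse_endpoint("PORT 10,0,0,43,212,201"))  # active-mode PORT from later in the thread
```

The fallback in `client_data_target` is exactly why the unencrypted case "just works" even when the helper is missing on some hop: the client ignores the bogus private address but still needs the data port to reach the server, which is what the dst-nat expectation (or, without a helper, an explicit forward of the passive range) provides.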

Hello. I'm such a noob on this… could you please help me.
I have a telecom operator router/gateway and behind it I have a MikroTik hAP lite (with another network range, different from the operator range; it has a fixed IP given by the operator router). Connected to the MikroTik network I have a Seagate Central (network disk) with an FTP server, and I would like to connect to it from outside my home.
I have a dynamic DNS activated on my operator router (no-ip), and I have activated DMZ to the MikroTik fixed IP.
Also I have activated outside port 10100 on the operator's router for the FTP access. On the MikroTik I have redirected port 10100 to the IP of my disk on port 21.
Inside my home I can reach FTP easily, no problem, but when I try to reach it from outside my home, I receive "server sent passive reply with unroutable address, using host address instead. Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it. Could not retrieve directory listing" using the WinSCP FTP client and no encryption.

Is it possible to bypass this? Could you write IP filter rules so I can make this work (WinBox)?
I would be much grateful.
Regards

Hi guys!

I want to setup MikroTik on a client side. Client behind the MikroTik must be able to use FTP over TLS in active mode (TCP:21).
Encrypted passive mode works fine, as well as plain passive and plain active modes. The only problem is encrypted active mode.

From what I understand, the MikroTik FTP helper (Firewall - Service Ports - ftp) can't read what's inside the packets due to the encryption used, and cannot make connections based on info from PORT/PASV commands. So, the FTP client can initialize the TLS connection and start talking to the FTP server, but fails on the directory list command (timeout).

Here is client’s log:

200 PROT command successful.
OPTS UTF8 ON
200 UTF8 OPTS ON
CWD /
250 CWD command successful. "/" is current directory.
Connect ok!
Get directory
TYPE A
200 Type set to A.
MODE Z
200 Mode Z ok.
PORT 10,0,0,43,212,201
200 Port command successful.
MLSD
PORT failed, try PASV mode!
PASV

And here is a log from the FTP server (the same connection as above; just the opposite side of view):

02:54:30, 76, SRV.IP.ADDR.ES, , AUTH TLS
02:54:30, 76, SRV.IP.ADDR.ES, , 234 AUTH command ok; starting SSL connection.
02:54:30, 76, SRV.IP.ADDR.ES, , establishing encrypted session
02:54:30, 76, SRV.IP.ADDR.ES, , USER client-username
02:54:30, 76, SRV.IP.ADDR.ES, client-username, 331 Password required for client-username.
02:54:30, 76, SRV.IP.ADDR.ES, client-username, PASS ****
02:54:30, 76, SRV.IP.ADDR.ES, client-username, logged in as "client-username".
02:54:30, 76, SRV.IP.ADDR.ES, client-username, 230 User client-username logged
02:54:31, 76, SRV.IP.ADDR.ES, client-username, FEAT
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 211-Extensions supported:
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  AUTH TLS
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  CCC
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  CLNT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  CPSV
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  EPRT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  EPSV
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MDTM
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MFCT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MFMT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MLST type*;size*;create;modify*;
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MODE Z
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  PASV
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  PBSZ
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  PROT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  REST STREAM
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  SBUF
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  SIZE
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  SSCN
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  TVFS
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  UTF8
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  XCRC "filename" SP EP
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  XMD5 "filename" SP EP
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  XSHA1 "filename" SP EP
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 211 End.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, PBSZ 0
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 PBSZ=0
02:54:31, 76, SRV.IP.ADDR.ES, client-username, PROT P
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 PROT command successful.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, OPTS UTF8 ON
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 UTF8 OPTS ON
02:54:31, 76, SRV.IP.ADDR.ES, client-username, CWD /
02:54:31, 76, SRV.IP.ADDR.ES, client-username, change directory "/" --> Access allowed.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 250 CWD command successful. "/" is current directory.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, TYPE A
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 Type set to A.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, MODE Z
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 Mode Z ok.
02:54:32, 76, SRV.IP.ADDR.ES, client-username, PORT 10,0,0,43,202,73
02:54:32, 76, SRV.IP.ADDR.ES, client-username, 200 Port command successful.
02:54:32, 76, SRV.IP.ADDR.ES, client-username, MLSD
02:54:53, 76, SRV.IP.ADDR.ES, client-username, 425 Cannot open data connection.
02:54:53, 76, SRV.IP.ADDR.ES, client-username, PASV
02:54:53, 76, SRV.IP.ADDR.ES, client-username, 227 Entering Passive Mode (SRV,IP,ADDR,ES,31,114)

Firewall settings are very basic now, just allowed related and established connections (both input and forward chains). There are temporarily no drops at all. And two defconf rules, passthrough and fasttrack. That's all.

Please help me create a firewall rule that will allow this kind of connection.

Active FTP can only work if

  1. the firewall helper can read PORT commands to forward them between client and server … so no TLS possible
  2. one configures a certain port range (e.g. 60000-60500) to be forwarded to the internal host (either client or server) and also instructs the client/server to only use those ports (how exactly depends on the particular client/server software). In this case TLS is possible.

Sounds like we need a SUPERHERO to the rescue…
Cue trumpets, fanfare, cheering crowds as Normis the new Avenger rides into the thread announcing the Zero Trust Cloudflare tunnel options package for all devices.
Now all can reach servers without publishing public IPs, secure, fun, easy.

Yes, I know it and totally agree.


  2. one configures a certain port range (e.g. 60000-60500) to be forwarded to the internal host (either client or server) and also instructs the client/server to only use those ports (how exactly depends on the particular client/server software). In this case TLS is possible.

Could you please suggest NAT or firewall rule for this? Imagine that 8000-8000 port range is used.

I was able to create a NAT entry to make encrypted FTP working in Active mode:


/ip firewall nat
add action=dst-nat chain=dstnat in-interface=LAN1-WAN log=yes log-prefix=FTP-TSL_ protocol=tcp src-address=SER.VER.IP.ADDR src-port=20 to-addresses=10.0.0.43

But it will fail if more than one user exists behind the router and uses the FTP server. All of the requests will be forwarded to the 10.0.0.43 LAN address. Is there a way to fix it? Of course, the callback connection must go to the right client IP address (to the client who initiated this connection).

As I already mentioned: create a "normal" DST NAT rule for a range of ports (dst-port=X-Y) and forward them to one internal client (you can make another DST NAT with a different port range for another client). The range doesn't have to be wide; I guess 10 or 20 ports should be enough for a typical workstation. Then configure the FTP client of your choice to use the forwarded port range (X-Y) for active FTP connections … each FTP client is a bit specific in this regard, and probably not all can be properly configured. Here's an example of how to do it for FileZilla: https://wiki.filezilla-project.org/Network_Configuration#Active_mode

Okay, let's say it all goes like this… But how do I make the rule valid only for one specified client? My rule works for any client, because it checks only the server address and port.

Normal DST NAT rule would look like this:

/ip firewall nat
add action=dst-nat chain=dstnat comment="active FTP for client1" dst-port=50000-50020 in-interface-list=WAN protocol=tcp to-addresses=<client1 LAN IP address>
add action=dst-nat chain=dstnat comment="active FTP for client2" dst-port=50100-50120 in-interface-list=WAN protocol=tcp to-addresses=<client2 LAN IP address>

So on client1 (whatever the LAN IP address is) you have to instruct the FTP client software to only use ports 50000-50020 for the data connection. And similarly ports 50100-50120 for client2.
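As an added example (not code from the thread or from RouterOS), the following Python models the static port-range scheme in the post above for active FTP over TLS, where the router cannot read the PORT command and so cannot rewrite it or create a "related" expectation. It builds the dst-nat table from the two rules quoted above, generates the PORT command a client must send (carrying the router's public address and a port inside that client's own range), and follows the server's data SYN back through dst-nat to the right LAN host. It also reproduces the failing case from the earlier log, where the client advertised `10,0,0,43` and a random port, ending in "425 Cannot open data connection". The client LAN addresses 10.0.0.43 and 10.0.0.44, the ranges 50000-50020 and 50100-50120, and the router's public address 198.51.100.7 (a documentation address) are constructed for this example.

```python
"""Model of active FTP over TLS through a static per-client dst-nat range.
Added example; not code from the thread or from RouterOS. Addresses and
ranges are constructed for illustration."""

ROUTER_PUBLIC_IP = "198.51.100.7"  # constructed documentation address

# Mirrors the two quoted rules:
#   add action=dst-nat chain=dstnat dst-port=50000-50020 ... to-addresses=<client1>
#   add action=dst-nat chain=dstnat dst-port=50100-50120 ... to-addresses=<client2>
DSTNAT_RULES = [
    ((50000, 50020), "10.0.0.43"),  # client1
    ((50100, 50120), "10.0.0.44"),  # client2
]


def forward_target(dst_port):
    """LAN host a TCP SYN arriving on the WAN side for dst_port is forwarded
    to, or None when no rule matches (the SYN then hits the filter chain and
    is dropped/rejected)."""
    for (lo, hi), lan_ip in DSTNAT_RULES:
        if lo <= dst_port <= hi:
            return lan_ip
    return None


def allowed_range(lan_ip):
    """Port range forwarded to a given LAN client."""
    for rng, ip in DSTNAT_RULES:
        if ip == lan_ip:
            return rng
    raise KeyError("no forwarded range for %s" % lan_ip)


def build_port_command(lan_ip, data_port):
    """PORT command a client on lan_ip must send inside the TLS session.
    The router will not rewrite it, so it must carry the router's public
    address, and the port must lie in that client's forwarded range."""
    lo, hi = allowed_range(lan_ip)
    if not lo <= data_port <= hi:
        raise ValueError("port %d outside forwarded range %d-%d for %s"
                         % (data_port, lo, hi, lan_ip))
    h = ROUTER_PUBLIC_IP.replace(".", ",")
    return "PORT %s,%d,%d" % (h, data_port >> 8, data_port & 0xFF)


def server_data_target(port_command):
    """(ip, port) the FTP server connects to from port 20 after '200 Port
    command successful' (RFC 959: port = p1*256 + p2)."""
    f = [int(x) for x in port_command.split()[1].split(",")]
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def where_server_syn_lands(port_command):
    """LAN host that receives the server's data SYN for a raw PORT command,
    or None if the SYN never reaches a client: either the advertised address
    is not the router's public IP (the '425 Cannot open data connection' case
    where the client sent its own LAN address) or no dst-nat rule matches."""
    ip, port = server_data_target(port_command)
    if ip != ROUTER_PUBLIC_IP:
        return None
    return forward_target(port)


def simulate_active_transfer(lan_ip, data_port):
    """Whole exchange for a correctly configured client: returns the LAN host
    the data connection ends up on (should equal lan_ip)."""
    return where_server_syn_lands(build_port_command(lan_ip, data_port))


if __name__ == "__main__":
    print(build_port_command("10.0.0.43", 50007))
    print(simulate_active_transfer("10.0.0.43", 50007))  # client1's own address
    print(simulate_active_transfer("10.0.0.44", 50110))  # client2's own address
    # PORT line from the server log earlier in the thread: LAN address, port
    # outside any forwarded range, so the server's SYN goes nowhere useful
    print(where_server_syn_lands("PORT 10,0,0,43,202,73"))
```

Note that the per-client separation here is purely by port range: nothing ties the range to the client that actually issued the PORT command, so any host on the Internet can reach those client ports while the rules exist. Restricting the dst-nat (or the matching forward filter) with src-address set to the FTP server's public IP, as the earlier posted rule did with src-port=20, is the obvious tightening.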