Nat Rule - FTP Filezilla server

Hi,

I need help creating a NAT rule that allows FTP connections to my server from a public IP. I've tried to create it, but if I try to upload a file via FTP from my server after activating the NAT rule, it's impossible to upload the file.

  1. You could save yourself a lot of trouble switching to a more modern protocol like SSH
  2. If you insist on sticking with FTP, be prepared for a battle with NAT while learning about FTP

If you insist on using FTP, you can run it over IPv6. This greatly eases the firewall configuration by only requiring ports to be opened for both passive and active modes. All of which can be handled easily by the IPv6 firewall filter.

If you insist on using FTP and you require it to work over IPv4: in active mode, FTP requires the client to open a port and the server connects back to the client. This requires the client to manage traversing NAT. Depending on the client being used, that may or may not work. Here is a list of requirements for active mode:

  1. Destination NAT the control traffic on port 21 to your FTP server
  2. Enable the FTP server to establish new connections outbound on ports > 1024

For passive mode, you’ll need to handle NAT traversal. I believe FileZilla has a lot of “knobs” that you can turn to make this work. The FTP server has to tell the client what public IP to connect back to and on what port. You’ll need to set the public IP either manually or use an IP discovery mechanism, I think FileZilla has one built-in. You’ll also need to set a range of ports for forwarding. For the sake of example, let’s pick TCP ports 51000 - 52000.

  1. Destination NAT the control traffic on port 21 to your FTP server
  2. Destination NAT incoming connections on ports 51000 - 52000 to your FTP server.


/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN protocol=tcp dst-port=21 to-addresses=192.168.1.11 comment="FTP control channel"
/ip firewall nat add chain=dstnat action=dst-nat in-interface=WAN protocol=tcp dst-port=51000-52000 to-addresses=192.168.1.11 comment="FTP passive data ports"
/ip firewall filter add chain=input in-interface=WAN protocol=tcp dst-port=21,51000-52000

Last, use the Interwebs. Here is a web-site you can use to verify it works: https://ftptest.net/

Forget active mode, it’s dead in today’s internet. It still works with properly configured clients, but you can’t expect regular users to be able to do it. The key to success is a properly configured server for passive mode.

Instructions given by idlemind are correct, except this rule:

/ip firewall filter add chain=input in-interface=WAN protocol=tcp dst-port=21,51000-52000

needs to use chain=forward, because input is only for traffic to router itself. And IMHO it’s better to just use one common rule for all forwarded ports:

/ip firewall filter add action=accept chain=forward connection-nat-state=dstnat

Doh, thanks Sob. Also, I think the second rule is inverted in the new default configuration so all dst-nat traffic falls to accept. With that it’s probably not even needed as a firewall filter.

OK, and if I wanted to bind an IP address so that only it is allowed to connect to my FTP FileZilla server? (or a MAC address)

If you use plain FTP (no encryption) then you only need to port forward TCP 21. The FTP helper service will dynamically forward inbound ports, and also translate your private IP to public.

If you use encrypted FTP, you have to set up port forwarding for the destination ports and also define these ports in FileZilla, as well as define your public IP in FileZilla.