I am connecting to an outside FTP Server in Passive mode.
I can successfully log on to the FTP server on standard port 21.
Data is using ports 50000-52000.
I have access and dst-nat rules explicitly for the data ports but still unable to get data connection.
From the config I have the following access and nat rules applied:
add action=accept chain=forward connection-state=established,related,new dst-address= dst-port=21 in-interface= protocol=tcp
add action=accept chain=forward dst-address= dst-port=50000-65535 in-interface=ether1- protocol=tcp
Do you have the ftp helper in /ip firewall service ports enabled?
With that helper the data connection would be classified as “related” and allowed by firewall rules. Normally you wouldn’t need the explicit rules for ftp-data.
Yes I have - in IP => Firewall => Service Ports ftp on port 21 is Enabled.
With everything I have read on the forums I agree this should work, but running a trace at the ftp server end I can see the initial connection on port 21, then the server is trying to communicate back on a 50000+ port number, and the client is not receiving/responding to the request and the data connection times out.
Also I have noticed the packet tracer is not showing the traffic on the MikroTik and I am not able to install wireshark on the ftp client machine.
Appreciate the help - any other suggestions?
Thanks
You mentioned “server is trying to communicate back”, that’s an active data connection. Passive is when the client initiates the data connection. So the direction is opposite for active & passive.
Another problem of ftp: security. Have you considered using scp (ssh copy) for file transfers? Since there is a single channel, such issues don’t arise.
A firewall log view at the ftp server end sees the initial connection on port 21 and a response is sent back with the data channel port number.
The client does not respond. Well no traffic is received at the firewall I am viewing the log from.
If I then run a directory list no traffic is seen in the log as being received from the client.
I do see traffic from the server every 30 seconds or so which I believe is the server trying to determine if the client is still there.
So to me it definitely appears that the passive port number being used is not passing through the MT?
I basically already had all of that - here is what I have:
#Filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,new dst-address=162.168.0.35 dst-port=21 in-interface=ether1-WAN protocol=tcp
#Nat
add action=dst-nat chain=dstnat connection-type=ftp dst-address= dst-port=21 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.0.35
And I still get the same situation of data channel not communicating.
I finally had time to sit down and think about this problem.
I should not need any NAT rules or filter rules
This is an inside PC establishing a ftp session with an external ftp server through the MT
Service port ftp is enabled - disabling this stops ftp access outside completely
Established and related are applied for input and forward
I added rules for input and forward to allow new connections and tested with no change so removed them.
That is all that SHOULD be needed.
I added an accept forward rule for ports 1024-65535 for established, related and new connections to the ftp client PC (Which should not be needed)
I should NOT need a NAT rule for port 21 as the connection is initiated from inside. (Only required if connecting from outside to internal ftp server)
We are not using Fasttrack.
Here is the current config:
Based on your previous posts I was under the impression that the ftp server was internal & behind nat…
So if you want to access external ftp with passive data connection, all connections will be from inside to outside. Then you don’t need dst-nat to internal network. The masq in place will be enough.
You’re connecting from “162.168.0.35”? (Following networks are allowed to internet: ether2-LAN1-Test-data, ether6-LAN2-DATA, ether7-LAN2-VOICE, pptp-in-XYZCO)
If so, the initial ftp connection will be allowed by
add action=accept chain=forward in-interface=ether6-LAN2-DATA
and following data connection by
add action=accept chain=forward connection-state=established,related
Note: currently you have double nat: to 192.168.120.2 and later to public ip. Avoid it if you can.
Thanks for your reply but I already have all required rules in place but the passive channel is not working.
Yes you are correct I am initiating the ftp request from 192.168.0.35
This is on interface ether6-LAN2-DATA
From the running config I have:
add action=accept chain=input in-interface=ether6-LAN2-DATA (this allows the ftp out to the internet)
add action=accept chain=forward connection-state=established,related (this should allow the data connection to be established)
So that SHOULD be all that is required. But still it fails.
Double NAT - yes, but I have no control over this and cannot change it. From what I can see all traffic received on the outside interface is just natted to 192.168.120.2 and passed through. While not how I would prefer to do things, I do not believe this is the cause of my problem?
I appreciate you assisting - any other suggestion, or any advice on how I can see what is actually blocking the data channel ports? With iptables on Linux I used to use tail -f /var/log/messages to view rule issues - is there something similar on MT?
Have you tried a public FTP server that supports passive connections to rule out misconfiguration on the server side? A Linux based system makes testing passive connections easy enough (Username is anonymous):
ftp -p speedtest.tele2.net
Also, this FTP session doesn’t involve TLS, does it? If so, it’s possible MTU is your issue - with a PPPoE based Internet connection your MTU may be lower than the server’s, therefore the data packets would fall on the floor and require fragmentation by the server. If the server doesn’t respect or hear ICMP too big messages, the server would never fragment them. If TLS isn’t involved then the PPP server would be the point of fragmentation and it is unlikely that it would be dropping the packets (although I believe it can be configured to do so - this would be at your ISP and I highly doubt they’d do it because of the flood of support tickets it would likely cause).
Thanks for the suggestion.
(Not sure what the -p option on ftp is?)
I tried from home: ftp -A speedtest.tele2.net and was able to run a dir command successfully
I then tried from the site with the MT:
ftp -A speedtest.tele2.net
Connected to speedtest.tele2.net.
220 (vsFTPd 2.3.5)
331 Please specify the password.
230 Login successful.
Anonymous login succeeded for administrator@
ftp> dir
500 Illegal PORT command.
425 Use PORT or PASV first
ftp> quote PASV
227 Entering Passive Mode (90,130,70,73,89,114).
ftp> dir
425 Failed to establish connection.
ftp>
So I have the same problem - unable to open the data channel for passive connection.
Thank you for your response - open to any other suggestions.
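A small passive-mode probe, added here as an example and not code posted by anyone in this thread: it logs in, parses the 227 reply (the same host/port the router's ftp helper has to extract from the control channel to mark the data connection as related) and then tries the data port, so it reports which step fails. The host speedtest.tele2.net and the 50000-52000 data range come from the thread; the anonymous login, password and timeout are assumed.

```python
import re
import socket
# 227 reply as quoted in the thread: "227 Entering Passive Mode (90,130,70,73,89,114)."
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it does not parse. The port
    is p1*256 + p2: the value a firewall's FTP helper must pull out of the control
    channel to classify the data connection as 'related'."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)

def read_reply(f):
    """Read one FTP reply; 'NNN-' lines continue it, 'NNN ' ends it."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("control connection closed")
        lines.append(line.rstrip("\r\n"))
        if len(line) > 3 and line[:3].isdigit() and line[3] == " ":
            return "\n".join(lines)

def probe_passive(host, user="anonymous", password="probe@example.com", timeout=10):
    """Log in, send PASV, then open the data port; report which steps worked."""
    result = {"control": False, "pasv": None, "in_range": None, "data": False}
    ctrl = socket.create_connection((host, 21), timeout=timeout)
    f = ctrl.makefile("rw", encoding="latin-1", newline="")
    try:
        read_reply(f)                                            # 220 banner
        f.write("USER %s\r\n" % user); f.flush(); read_reply(f)   # 331
        f.write("PASS %s\r\n" % password); f.flush()
        result["control"] = read_reply(f).startswith("230")
        f.write("PASV\r\n"); f.flush()
        result["pasv"] = parse_pasv(read_reply(f))
        if result["pasv"]:
            port = result["pasv"][1]
            result["in_range"] = 50000 <= port <= 52000          # range stated in the thread
            # Dial the control host, not the advertised one: a NATed server may advertise a private IP.
            with socket.create_connection((host, port), timeout=timeout):
                result["data"] = True                            # data port passed the router
    except OSError as exc:
        result["error"] = str(exc)
    finally:
        ctrl.close()
    return result
```

Run it from the client PC behind the MT as probe_passive("speedtest.tele2.net"); "control" true with "data" false and a timeout in "error" reproduces the 425 seen above and points at the path between client and data port.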
The -p just tells the Linux FTP client to go right to passive mode. No PASV necessary. The -A option is saying to go to active mode. It’s very curious that your PAT is getting blocked to the PASV ports. At least we know it’s happening to a known good FTP server too.
What OS is the client machine? Is there any chance it is manipulating the outbound request (or denying it)? It is possible to log a firewall rule, though this can be difficult to do on something like a global PAT (masquerade) rule. You may want to place a masquerade rule above that one for traffic destined to the FTP server and log that traffic. It may provide the insight you are looking for.
On a windows box the -A is the auto anonymous log in.
In this thread you will see I tried to establish a ftp connection on port 28834
This was received at the firewall where the ftp server is located so the port can get through the MT
The problem is, I believe, how the MT is handling related and established connections.
The passive data connection is related to the ftp connection on port 21 but the connection fails.
So still pointing to MT issue.
Thanks
Any chance the windows firewall is running? It’s different to “connect” via FTP (control) on a different port than the follow-up data connection that it’s instructed to navigate to via the PASV message. Alternatively, a packet capture on the client would be interesting to look at as a next step. I have very similar rules as you do, established/related back in and masquerade to the Internet although I’m not in a double NAT situation for IPv4 (yet). The only difference in software is that I run a current revision (6.43 - stable) of Mikrotik software. It appears you’re still on 6.39 but I don’t think any FTP specific bugs were addressed in that time period.
Are you able to boot a Linux machine and test with that (a VM would be fine) just to rule the client software out?
/ip firewall nat set <numbers> log=yes
Will turn on logging to syslog for the rule specified.
I am a 3rd party software supplier trying to exchange data - I do not have access to create a new VM.
The command: ip firewall nat set log=yes
Would I apply this to the following rules?
add action=masquerade chain=srcnat out-interface=ether1-FUSION-WAN
add action=accept chain=input comment="Allow Established & Related" connection-state=established,related
add action=accept chain=forward connection-state=established,related
or if not, what rules would you suggest?
Yes Windows firewall is running but I temporarily added an any/any rule to both input and output rules and no difference so I removed the rules. So I don’t think this is the issue.
You say: Is the IP service for FTP also enabled directly on the firewall (Mikrotik)? I wonder if it’s eating the packets. (/ip service export)
Under IP ==> Services there is no export option
I am not sure what you are asking?
ftp is enabled in IP ==> Services
ftp is enabled in IP ==> Firewall ==> Service ports
Could you clarify what you were meaning with /ip service export please
Thanks