Port 21 forwarding problem

Hello to all.

I’m trying to set up port 21 forwarding on an RB450 to our FTP server, but can’t get it working, and now I am stuck because I can’t find what else to try - I have read through all the related documents and posts, and still no luck, so maybe someone will be able to help me get going and see what I did wrong.

Anyway, the LAN (192.168.0.0/24) is connected to ether1, and the DSL provider to pppoe-out1 (via ether2). The server’s IP is 192.168.0.200, the static public IP is 93.x.x.x, and the router’s FTP service is disabled under IP/Services. I can ping the FTP server from the LAN and NAT is working without a flaw.
Here is my NAT and filter firewall config:

[admin@MikroTik] > ip addr pri
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; default configuration
     192.168.0.205/24   192.168.0.0     192.168.0.255   ether1
 1 D 93.xx.xx.xx/32     212.200.191.127 0.0.0.0         pppoe-out1
[admin@MikroTik] > ip fire filt pri
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=input action=accept protocol=icmp

 1   ;;; Added by webbox
     chain=input action=accept connection-state=established
     in-interface=pppoe-out1

 2   ;;; Added by webbox
     chain=input action=accept connection-state=related
     in-interface=pppoe-out1

 3   ;;; Added by webbox
     chain=input action=drop in-interface=pppoe-out1

 4   ;;; Added by webbox
     chain=forward action=jump jump-target=customer in-interface=pppoe-out1

 5   ;;; Added by webbox
     chain=customer action=accept connection-state=established

 6   ;;; Added by webbox
     chain=customer action=accept connection-state=related

 7   ;;; Added by webbox
     chain=customer action=drop
[admin@MikroTik] > ip fire nat pri
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Added by webbox
     chain=srcnat action=masquerade out-interface=pppoe-out1

 1   chain=dstnat action=dst-nat to-addresses=192.168.0.200 to-ports=21
     protocol=tcp dst-address=93.xx.xx.xx in-interface=pppoe-out1 dst-port=21

 2   chain=srcnat action=src-nat to-addresses=93.xx.xx.xx to-ports=21
     protocol=tcp src-address=192.168.0.200 out-interface=ether1 src-port=21

If I change the dst-nat action to log, then I get the following log record, so I reckon this part should be OK.
14:08:30 firewall,info dstnat: in:pppoe-out1 out:(none), proto TCP (SYN), 82.x.x.x:53982->93.x.x.x:x, len 28

Does anyone have an idea?

If you’re using passive ftp, you’ll also need to forward port 20 as well as 21?

Ron

0 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=pppoe-out1

1 chain=dstnat action=dst-nat to-addresses=192.168.0.200 to-ports=21
protocol=tcp dst-address=93.xx.xx.xx in-interface=pppoe-out1 dst-port=21

2 chain=srcnat action=src-nat to-addresses=93.xx.xx.xx to-ports=21
protocol=tcp src-address=192.168.0.200 out-interface=ether1 src-port=21

move 1 and 2 before 0

As noted by nest, FTP uses port 20 and port 21.

Thank you very much for quick replies.

As I have been trying to solve this problem for a while now, I had previously also made a port forward rule for port 20, without any success - anyway, I think this port is not essential for merely establishing the connection, especially as I am not using passive mode. After resetting the configuration on the MikroTik, I forgot to add it again.

As I was not sure what the problem really was, since everything is set correctly (to the best of my knowledge), I suspected there was something wrong with my ADSL router settings (modem, actually, as it is in bridge mode) - firewall, ACL or something - so I made a little test: I connected the ADSL modem directly to the server, made the PPPoE connection directly from the server, and I could make a connection via another ISP. This pretty much eliminates both the modem and the ISP, and points directly to the router.
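An added example, not posted by anyone in this thread, showing the filter-side change the configuration in the first post appears to need. In RouterOS the dstnat chain runs before filter/forward, so the logged dstnat hit only proves the translation happened; the packet then enters the forward chain, where the poster's rule 4 jumps every packet arriving on pppoe-out1 into the "customer" chain, which accepts only established and related traffic and drops everything else, including the new SYN to 192.168.0.200:21. The rule below accepts only that one translated destination and port for new TCP connections from the WAN interface, keeps the FTP helper enabled so the data connections are tracked as related, and ends with two print commands for checking the result. Interface and address values are taken from the first post; everything else is an assumption about a standard RouterOS CLI.

```routeros
# Added example (not from the thread). Assumes the addresses and interfaces
# from the first post: LAN server 192.168.0.200, WAN interface pppoe-out1,
# and the poster's existing "customer" chain reached via a jump rule.

# Keep the FTP connection-tracking helper on: it inspects PORT/PASV on the
# control session so the data connection becomes connection-state=related
# and is let through by the existing "related" rule in the customer chain.
/ip firewall service-port set ftp disabled=no ports=21

# dst-nat has already rewritten the destination by the time the packet
# reaches filter/forward, so match on the translated address and port.
# Restrict the rule to new TCP connections from the WAN interface to the
# single server and port, so nothing else behind the router is exposed.
# Place it before the jump into "customer", which otherwise drops the SYN.
/ip firewall filter add chain=forward action=accept \
    connection-state=new protocol=tcp in-interface=pppoe-out1 \
    dst-address=192.168.0.200 dst-port=21 \
    comment="allow dst-nat'ed FTP control connection to server" \
    place-before=[find chain=forward jump-target=customer]

# Verification after an Internet client connects:
# the control session should appear in the connection table, and the
# packet counter on the new forward rule should increase.
/ip firewall connection print where dst-address~"192.168.0.200:21"
/ip firewall filter print stats where chain=forward
```

If the connection shows up in the connection table but the counter on the new rule stays at zero, the rule landed after the jump instead of before it; check the order with `/ip firewall filter print` and move it with `move`. The srcnat rule 2 from the first post is not needed for inbound connections at all; rule 0 (masquerade on pppoe-out1) already rewrites the source of any outbound data connection the server opens.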