Port forwarding not working on HAP ac2

valic · August 7, 2023, 2:01pm

Hello,
I have the following configuration on HAP ac2:

/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.104 mac-address=AC:12:03:10:1C:65
add address=192.168.1.112 mac-address=EC:63:D7:FC:83:25
add address=192.168.1.105 mac-address=00:25:64:B4:E5:FB
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=21 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.152 to-ports=21
add action=dst-nat chain=dstnat dst-port=49152-65534 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.152 to-ports=49152-65534
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.151 to-ports=443
add action=dst-nat chain=dstnat dst-port=442 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.111 to-ports=442
/ip service
set telnet disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes

The router is connected to the internet using PPPoE.
On ether5 I have a switch that connects everything in the LAN, including the ftp server.
The port forwarding is not working on ftp or any other ports.
Please tell me where is the error in the configuration.

Thank you!

pe1chl · August 7, 2023, 2:22pm

Try to use a slightly more modern protocol than FTP. It is difficult to forward.

nickshore · August 7, 2023, 2:48pm

Do not specify to-ports on your dst-nat rules !

bpwl · August 7, 2023, 3:06pm

Yes it is complex, with in-band (passive) or out of band control for FTP, if the firewall has no “FTP helper” then passive mode must be used.
http://www2.ic.uff.br/~michael/kr1999/2-application/2_03-ftp.htm

In the past (e.g. 2008) the browsers, like Internet Explorer, allowed for the “PASV” option for an FTP connection.
Client programs like Core FT, WinSCP, Filezilla etc had the same options for PASV mode (besides supporting SFTP, FTPS, FTP over SSH , etc etc)
The FTP passive option seems to have disappeared from browsers.

I used to give presentations to the users on this :
Some partial screenshots …

Menu’s may have changed now, principles are the same … https://support.tigertech.net/filezilla-passive

pe1chl · August 7, 2023, 3:30pm

The entire support for FTP has disappeared from browsers. And for a reason.

valic · August 8, 2023, 5:52am

Thank you all for replying!

I understand the reasons for not recommending the use of ftp but still the router doesn’t accept connections on other ports either.
I removed the To Port option from the dst-nat without any result.

Any suggestions will be appreciated.

Thank you!

bpwl · August 8, 2023, 8:27am

Even for FTP PASV (passive mode) the firewall in front of the FTP server and the FTP server must be setup for the same dedicated PASV high port numbers.
Firewall rules must allow inbound connections, and do the forwarding on ports 21 and those higher PASV port numbers.

With FTP active mode the client side router/firewall might be the problem, not accepting the response from the FTP server port 20 (firewall rule, or behind NAT)

Many exemples of this to be found on the internet. Just like: https://www.jscape.com/blog/active-v-s-passive-ftp-simplified, (and in this forum )