PPPoE clients can't access any internet FTP in passive mode

I really don't know when it stopped working, but I can't find the problem: none of my PPPoE clients can access an external FTP server in passive mode. I have FTP on in ip > firewall > service-ports. If I connect a laptop directly to the ISP, it works fine.

Can someone help me, please?

Mikrotik version 4.17

Do you have a firewall rule that permits “related” traffic through the router?

The firewall helper simply classifies the data stream as a related connection type.

I set one rule about related when I tried to make it work, but I don't know if it is right. Can you give me an idea of how such a rule should look, please?

It depends on the rest of your rule set. So post that here.
Generally speaking make a rule that accepts related traffic in the forward chain and move it close enough to the top so that it comes before other rules that would drop the traffic.

Well, I use a masquerade rule pointing to a Linux gateway, nothing more, just a few rules for blocking traffic such as 135-139 TCP/UDP.
When I connect directly to this Linux gateway, all FTP connections work fine.

I tried to access an FTP site from a Linux box in the LAN, and Extended Passive works right, but Normal Passive doesn't; active connections also work.

ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> ls
421 Service not available, remote server has closed connection.


ftp> epsv
EPSV/EPRT on IPv4 on.
ftp> ls
229 Entering Extended Passive Mode (|||29559|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Mar 30 23:46 pub

http://pastebin.com/5q666dkR

Jul/07/2011 00:37:17 firewall,info info: ftp forward: in: out:Internet, proto TCP (ACK,FIN), 192.168.110.1:50300->70.90.191.125:21, len 40
Jul/07/2011 00:37:18 firewall,info info: ftp input: in:Internet out:(none), src-mac 00:e0:52:86:c8:35, proto TCP (ACK,PSH), 70.90.191.125:21->10.0.0.58:50300, len 89

192.168.110.1 = laptop (pppoe)
70.90.191.125 = ftp.shorewall.net
10.0.0.58 = Mikrotik, Internet Interface

Is the Mikrotik FTP helper not working? Also, I tried an FTP proxy after 10.0.0.58 and I get logs about 10.0.0.58 rejecting FTP connections.

Mikrotik Version 5.5
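The session above shows EPSV succeeding where plain passive mode fails. As an added example (not part of any post in this thread), the Python sketch below parses both reply formats: a 227 reply (RFC 959) carries an IPv4 address and port in the payload, while a 229 reply (RFC 2428) carries only a port and the client reuses the control-connection address. The `data_endpoint` helper and the constructed 227 line are assumptions for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 ... (<d><d><d>port<d>), where <d> is usually "|"
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

# The 229 line is taken from the session above; the 227 line is constructed
# to encode the same port (115 * 256 + 119 = 29559).
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||29559|)"
SAMPLE_PASV = "227 Entering Passive Mode (70,90,191,125,115,119)"


def data_endpoint(reply, control_peer):
    """Return (host, port, notes) for the data connection the client will open.

    control_peer is the address the client used for the control connection.
    """
    notes = []
    m = PASV_RE.match(reply)
    if m:
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range in 227 reply")
        host = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]
        # Anything on the path that rewrites or mishandles this payload
        # changes where the client dials; EPSV has no address to touch.
        if host != control_peer:
            notes.append("advertised address differs from control peer")
        if ipaddress.ip_address(host).is_private:
            notes.append("advertised address is private")
        return host, port, notes
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range in 229 reply")
        return control_peer, port, ["address taken from control connection"]
    raise ValueError("not a 227 or 229 reply")


if __name__ == "__main__":
    for line in (SAMPLE_PASV, SAMPLE_EPSV):
        print(data_endpoint(line, "70.90.191.125"))
```

Feeding it the 227 lines from a packet capture taken on each side of the router shows whether the payload is altered in transit.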

As asked before: post your config.

Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, and an accurate network diagram.

Though at a quick guess your problem is double NAT. Your WAN IP is also private. That is gonna be a problem unless your ISP does FTP inspection for you.

/ip route print detail = http://pastebin.com/Y7MPaCts

/interface print = http://pastebin.com/kUe9Jmfk

/ip firewall export =

# jul/07/2011 18:19:49 by RouterOS 5.5
# software id =
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1h tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward disabled=no p2p=all-p2p src-address=192.168.1.95
add action=drop chain=forward comment="Dropeo Cyber Nocturno" disabled=yes dst-port=80,3128,443,1863 protocol=tcp src-address=192.168.1.10-192.168.1.94
add action=drop chain=forward comment="Dropeo P2P Hoteles" disabled=no p2p=all-p2p src-address=192.168.119.200-192.168.119.254
add action=drop chain=forward comment="Dropeo 25 Cyber" disabled=no dst-port=25 protocol=tcp src-address=192.168.1.1-192.168.1.29
add action=drop chain=forward comment="Limite Sesiones" connection-limit=80,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Limite Sesiones" connection-limit=10,32 disabled=no dst-port=25 protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Dropeo 139" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=forward comment="Dropeo 139" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=forward comment="Dropeo 139" disabled=no dst-port=445 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.0.0.99
add action=accept chain=input disabled=no dst-address=10.0.0.58 protocol=tcp src-address=10.0.0.99 src-port=20,21,2121
/ip firewall mangle
add action=change-mss chain=forward disabled=no in-interface=Local new-mss=1452 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward disabled=no in-interface=Wireless new-mss=1452 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=dst-nat chain=dstnat comment=deudores disabled=yes dst-port=80 protocol=tcp src-address=192.168.3.0/24 to-addresses=10.0.0.99 to-ports=81
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.250.90-192.168.250.110
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.110.0-192.168.120.0
add action=masquerade chain=srcnat comment="Enmascaramiento Luthien" disabled=no out-interface=PPP src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Proxy Transparente" disabled=yes dst-address=192.168.1.99 dst-port=3128 protocol=tcp src-address=192.168.110.3-192.168.120.0 to-addresses=10.0.0.99 to-ports=3128
add action=dst-nat chain=dstnat comment="Redireccionamiento de Puertos" disabled=no dst-address=10.0.0.58 dst-port=9022 protocol=tcp to-addresses=192.168.1.209 to-ports=9022
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=9055 protocol=tcp to-addresses=192.168.1.95 to-ports=9055
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=4899 protocol=tcp to-addresses=192.168.1.221 to-ports=4899
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3339 protocol=tcp to-addresses=192.168.1.95 to-ports=3339
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1194 protocol=udp to-addresses=192.168.1.206 to-ports=1194
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3390 protocol=tcp to-addresses=192.168.1.206 to-ports=3390
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3390 protocol=udp to-addresses=192.168.1.206 to-ports=3390
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3060 protocol=tcp to-addresses=192.168.1.204 to-ports=3060
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3061 protocol=tcp to-addresses=192.168.1.204 to-ports=3061
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3070 protocol=tcp to-addresses=192.168.1.204 to-ports=3070
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1500 protocol=tcp to-addresses=192.168.1.204 to-ports=1500
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8085 protocol=tcp to-addresses=192.168.1.212 to-ports=8085
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8065 protocol=tcp to-addresses=192.168.1.211 to-ports=8065
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=6022 protocol=tcp to-addresses=192.168.1.210 to-ports=6022
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3306 protocol=tcp to-addresses=192.168.1.210 to-ports=3306
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8080 protocol=tcp to-addresses=192.168.1.210 to-ports=8080
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5900 protocol=tcp to-addresses=192.168.1.210 to-ports=5901
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3180 protocol=tcp to-addresses=192.168.1.213 to-ports=3180
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=60443 protocol=tcp to-addresses=192.168.1.213 to-ports=60443
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=60443 protocol=udp to-addresses=192.168.1.213 to-ports=60443
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1433 protocol=tcp to-addresses=192.168.1.212 to-ports=1433
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3389 protocol=tcp to-addresses=192.168.1.212 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1080 protocol=tcp to-addresses=192.168.1.214 to-ports=1080
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1081 protocol=tcp to-addresses=192.168.1.214 to-ports=1081
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8481 protocol=tcp to-addresses=192.168.1.214 to-ports=8481
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5905 protocol=tcp to-addresses=192.168.119.223 to-ports=5905
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5906 protocol=tcp to-addresses=192.168.119.223 to-ports=5906
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5907 protocol=tcp to-addresses=192.168.119.223 to-ports=5907
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1030 protocol=tcp to-addresses=192.168.119.210 to-ports=1030
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1031 protocol=tcp to-addresses=192.168.119.210 to-ports=1031
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=10025 protocol=tcp to-addresses=192.168.1.95 to-ports=10025
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1035 protocol=tcp to-addresses=192.168.1.215 to-ports=1035
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1036 protocol=tcp to-addresses=192.168.1.215 to-ports=1036
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1032 protocol=tcp to-addresses=192.168.119.210 to-ports=1032
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1040 protocol=tcp to-addresses=192.168.1.216 to-ports=1040
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2130 protocol=tcp to-addresses=192.168.1.204 to-ports=2130
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2131 protocol=tcp to-addresses=192.168.1.204 to-ports=2131
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2132 protocol=tcp to-addresses=192.168.1.207 to-ports=2132
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2133 protocol=tcp to-addresses=192.168.1.207 to-ports=2133
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2134 protocol=tcp to-addresses=192.168.1.217 to-ports=2134
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3388 protocol=tcp to-addresses=192.168.1.217 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2135 protocol=tcp to-addresses=192.168.1.217 to-ports=2135
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1041 protocol=tcp to-addresses=192.168.1.218 to-ports=1041
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1042 protocol=tcp to-addresses=192.168.1.218 to-ports=1042
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1043 protocol=tcp to-addresses=192.168.1.219 to-ports=1043
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1044 protocol=tcp to-addresses=192.168.1.219 to-ports=1044
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1045 protocol=tcp to-addresses=192.168.1.220 to-ports=1045
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1046 protocol=tcp to-addresses=192.168.1.220 to-ports=1046
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2106 protocol=tcp to-addresses=192.168.1.95 to-ports=2106
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=7777 protocol=tcp to-addresses=192.168.1.95 to-ports=7777
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5901 protocol=tcp to-addresses=192.168.1.95 to-ports=5901
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=47323 protocol=tcp to-addresses=192.168.1.95 to-ports=47323
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=47323 protocol=udp to-addresses=192.168.1.95 to-ports=47323
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1037 protocol=tcp to-addresses=192.168.119.213 to-ports=1037
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1038 protocol=tcp to-addresses=192.168.119.213 to-ports=1038
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=34567 protocol=tcp to-addresses=192.168.119.222 to-ports=34567
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=7012 protocol=tcp to-addresses=192.168.1.208 to-ports=7012
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5000 protocol=udp to-addresses=192.168.1.95 to-ports=5000
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Of course I avoided posting the 600 PPPoE interfaces in the last post xD

Diagram = http://200.51.46.51/diagram.txt

Like I said before, if I connect a laptop to 10.0.0.99, all the FTP connections work fine, so I don't think the problem is there.
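Earlier in the thread the advice was to accept related traffic in the forward chain ahead of any rule that would drop it. As an added example (not code from any poster or from MikroTik), this Python sketch audits an `/ip firewall export` for that ordering; the embedded sample is a constructed subset of the export above, and the function names are hypothetical.

```python
import shlex

# Constructed sample: a subset of the rules from the export posted above.
EXPORT = '''\
/ip firewall filter
add action=drop chain=forward disabled=no p2p=all-p2p src-address=192.168.1.95
add action=drop chain=forward comment="Dropeo Cyber Nocturno" disabled=yes dst-port=80,3128,443,1863 protocol=tcp src-address=192.168.1.10-192.168.1.94
add action=drop chain=forward comment="Limite Sesiones" connection-limit=80,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Dropeo 139" disabled=no dst-port=445 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.0.0.99
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=Internet src-address=192.168.1.0/24
'''


def parse_filter_rules(export):
    """Return the 'add' lines of the filter section as dicts of key=value pairs."""
    rules, section = [], None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            # shlex keeps quoted comments such as "Limite Sesiones" in one token
            tokens = shlex.split(line)[1:]
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def drops_before_related_accept(rules, chain="forward"):
    """Return (position of the related-accept rule or None, enabled drops seen first)."""
    active = [r for r in rules
              if r.get("chain") == chain and r.get("disabled", "no") != "yes"]
    drops = []
    for pos, rule in enumerate(active):
        states = rule.get("connection-state", "").split(",")
        if rule.get("action") == "accept" and "related" in states:
            return pos, drops
        if rule.get("action") == "drop":
            drops.append(rule.get("comment", "(no comment)"))
    return None, drops


if __name__ == "__main__":
    print(drops_before_related_accept(parse_filter_rules(EXPORT)))
```

A result of `None` means every related data connection is evaluated against each listed drop rule; positions count enabled rules only.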

Anyone? :(

I don’t see anything wrong, other than the fact that you’re NATing 192.168/16 space to 10/8 space back to 192.168/16 space after your provider already performed NAT.

Sorry.

Yes, I know that is not right, but I have had this network working for years just like that, and I don't know when passive FTP stopped working. I figured it out when I started getting calls from customers saying FTP doesn't work. I think the problem is in the Mikrotik FTP helper; it is just like it's not working.

Thanks a lot for your time, fewi.