Hi all,
Please excuse my brevity, I disconnected when I pressed submit and lost everything, so I had to retype everything.
I am having problems setting up an FTP server on a Synology NAS box; I believe there is something wrong with my port forwarding. Specifically I think that port 80 might be the problem.
I have the following set under IP>FIREWALL>NAT
port 21:
chain: dstnat
dst address: router's external IP
protocol: tcp
dst port: 21
in interface: all ethernet
connection type: ftp
action: dst-nat
to address: 192.168.200.111
to port: 21

port 20:
same as port 21, except:
dst port: 20
to port: 20

rule1 for passive ftp ports:
chain: dstnat
dst address: router's external IP
protocol: tcp
dst port: 55536-55567
in interface: all ethernet
action: dst-nat
to address: 192.168.200.111
to port: 55536-55567

rule2 for passive ftp ports:
same as rule1, except:
protocol: udp

port 80:
chain: dstnat
protocol: tcp
dst port: 80
in interface: all ethernet
action: dst-nat
to address: 192.168.200.111
to port: 80
Best to see entire config…
/export hide-sensitive file=yourconfigmar06
A typical dstnat rule looks like
add chain=dstnat action=dst-nat dst-port=21 protocol=tcp in-interface-list=WAN to-addresses=192.168.200.111
(1) If it's a definable list of WAN IPs, then I highly, highly suggest you use a source address list in your NAT rule to limit access.
add chain=dstnat action=dst-nat dst-port=21 protocol=tcp in-interface-list=WAN src-address-list=definedusers to-addresses=192.168.200.111
(2) Port 21 is a well probed, scanned port and thus suggesting two things
a. Change the default FTP port on the NAS; however, that may break some ALG process etc. and may not be recommended (search Google or NAS forums for best practices in this regard with respect to your specific NAS).
b. I imagine all your users are using FTP programs and they can easily change the port they put in for access.
c. With b. in mind, it's best to at least change the INCOMING DEFAULT PORT to something non-standard, like so (61003 is just an example of a random high port):
add chain=dstnat action=dst-nat dst-port=61003 protocol=tcp in-interface-list=WAN to-addresses=192.168.200.111 to-ports=21
In effect the router translates the incoming port 61003 traffic and moves it to the defined IP address on port 21 as expected by the NAS FTP server.
d. Finally, I would not be using an FTP server on the internet that didn't at least have some type of FTPS (secure mode), TLS etc.
(note that ssl is not considered secure: https://tools.ietf.org/html/rfc7568)
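As an added worked example (my own, not the poster's config), here is the advice above combined into one RouterOS fragment: an allowed-client address list, the control channel on a non-standard external port translated to the NAS's port 21, and the passive range from the thread, plus the forward-chain accept that dst-nat'd connections still need. It assumes an interface list named WAN exists; the list name ftp-users and the 203.0.113.0/24 address are placeholders, while 192.168.200.111 and 55536-55567 come from the thread. Note that FTP is TCP only (no UDP rule is needed), port 80 is unrelated to FTP, and active-mode data connections on port 20 are opened outbound by the server, so no inbound port 20 rule is needed either.

```routeros
# Added example, not the poster's own configuration.
# Assumes: interface list "WAN" exists; NAS is 192.168.200.111 (from the thread);
# passive range 55536-55567 (from the thread, must match the NAS's passive port setting).
# Placeholders: address list "ftp-users" and the 203.0.113.0/24 client network.

/ip firewall address-list
add list=ftp-users address=203.0.113.0/24 comment="allowed FTP clients (placeholder)"

/ip firewall nat
# Control channel: external port 61003 is translated to the NAS's port 21,
# and only sources on the ftp-users list are translated at all.
add chain=dstnat action=dst-nat protocol=tcp in-interface-list=WAN \
    src-address-list=ftp-users dst-port=61003 \
    to-addresses=192.168.200.111 to-ports=21 comment="FTP control, non-standard external port"

# Passive data channel: same range inbound and on the NAS, so the ports the NAS
# announces in its PASV replies are the ones that actually reach it.
add chain=dstnat action=dst-nat protocol=tcp in-interface-list=WAN \
    src-address-list=ftp-users dst-port=55536-55567 \
    to-addresses=192.168.200.111 comment="FTP passive data ports"

/ip firewall filter
# A dst-nat rule only rewrites the destination; the forward chain must still accept
# the new connection. Place this above any final drop rule in the forward chain.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN src-address-list=ftp-users comment="accept dst-nat'd FTP from allowed clients"
```

If the NAS also has its own firewall, the same two port groups (21 and the passive range) need to be open there, and its passive-mode setting should advertise the router's external IP so clients are not told to connect to 192.168.200.111.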