RB433AH 2xWAN port forwarding FTP not working

Hi, I'm new to Mikrotik and would appreciate your help.

I have an RB433AH with RouterOS 6.32.1:
/interface ethernet
set [ find default-name=ether3 ] comment=WAN name=WAN_A
set [ find default-name=ether2 ] comment=WAN name=WAN_B
set [ find default-name=ether1 ] comment=LAN

Right now I'm just using WAN_B since I don't have time to play with settings for both WAN_A and WAN_B.
But I need to set up my FTP server to be accessible from the internet. Unfortunately I wasn't able to port forward it properly yet.

So far I disabled the ftp service…
/ip service
set ftp disabled=yes
/ip firewall service-port
set ftp disabled=yes

…and tried to set /ip firewall nat like this:

/ip firewall nat add chain=dstnat dst-address=MY-PUBLIC-WAN_B-IP protocol=tcp dst-port=20-21 action=dst-nat to-addresses=192.168.1.119 to-ports=20-21 comment="FTP connection from PUBLIC"

No luck, the RB433AH receives 2 packets (100 Bytes) per connection try, but the FTP client returns “Connection timed out”.
What's wrong? Oh, I added the wrong local IP… so I corrected the local IP but received the same result (2 packets (100 Bytes) per connection try, but no connection)… maybe the problem is that I try to forward both ports together. New try…

/ip firewall nat add chain=dstnat dst-address=MY-PUBLIC-WAN_B-IP protocol=tcp dst-port=20 action=dst-nat to-addresses=192.168.1.149 to-ports=20
/ip firewall nat add chain=dstnat dst-address=MY-PUBLIC-WAN_B-IP protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.1.149 to-ports=21

Same result. 2 packets (100 Bytes) per connection try and “Connection timed out”. Hmm, let's try to specify the interface…

/ip firewall nat add chain=dstnat in-interface=WAN_B action=dst-nat to-addresses=192.168.1.149 to-ports=21 protocol=tcp dst-address=MY-PUBLIC-WAN_B-IP dst-port=21
/ip firewall nat add chain=dstnat in-interface=WAN_B action=dst-nat to-addresses=192.168.1.149 to-ports=20 protocol=tcp dst-address=MY-PUBLIC-WAN_B-IP dst-port=20

Now the RB433AH receives 0 packets (0 Bytes) and as always the FTP client returns “Connection timed out”. Lastly I tried to change the interface to PPPoE; of course it didn't work, I didn't expect that it would, but I had to try it. I don't know what else to do at /ip firewall nat.

Maybe it's blocked by the firewall filter… so I disabled all Filter Rules… and tried to connect again… well, the result was still the same, “Connection timed out”. Now I really don't know what else to try or do… can you help me or at least point me in the right direction? Please.

Really nobody can help me?
Port forwarding should be trivial basics… and this is a newbie question, but that's what Beginner Basics are for, right?

Plenty of similar questions about port forwarding FTP are around, I tried to go through all of them I found… but they don't mention anything that I wouldn't try (or at least I think so)… it seems to me that I did all I should but it still doesn't work… anyone any idea where the problem is?

Hi,

Did you configure 2x nat rules on the two public interfaces?

/ip firewall nat add chain=srcnat out-interface=WAN_A action=masquerade
/ip firewall nat add chain=srcnat out-interface=WAN_B action=masquerade

You really should enable the ftp service port in /ip firewall service-port. This is the “protocol helper” (or sometimes called an ALG) that inspects FTP sessions and watches for the control session ports and fixes those too, both in the NAT translations AND by modifying the contents of the FTP protocol messages as well.

The thing that makes FTP tough is that it uses two ports - the port 21 connection is just the control session - the data transfer flows over a second connection that usually uses port 20 on one end or the other, depending on whether the session is using active mode or passive mode. Passive mode is pretty common these days because it’s typically used whenever the client is behind NAT.

Usually, the client contacts the server on port 21, logs in, and issues a command to retrieve a file.
Active FTP is the default mode, and in this mode, the client chooses an available local TCP port and tells the server which port it’s listening on, and then the server makes a new connection to the client on that specified port. (which is completely backwards from what you might expect).
Passive FTP goes the other way, the server opens the data port and tells the client which port to connect to.

You can probably specify a range of passive ports for the server to choose from, and you’ll need to dst-nat all of those to the FTP server on both ISP public interfaces.

Make sure that you’re doing connection marks on new connections in your prerouting chain as they arrive inbound on ISP1 and ISP2. (if you only mark connections whenever a new outbound connection happens, then this can break multi-isp dstnat.)

You’re probably going to need to require passive FTP sessions - I don’t know if the protocol helper for FTP is sophisticated enough to be able to force the new outbound data sockets from the server to go through whatever WAN interface the control sessions were coming from if the server initiates the data socket (active mode).
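Putting the reply's points together (helper re-enabled, control port and passive range forwarded on both public interfaces, inbound connections marked on arrival so replies leave through the same WAN), here is an added example for RouterOS 6.x that is not the poster's or the replier's configuration. It assumes the LAN is still ether1 as in the original export, the FTP server is 192.168.1.149 and has been told to use passive ports 50000-50100 (a constructed range), and GW_A / GW_B are placeholders for the two ISP gateways.

```routeros
# Added example (not the poster's config). Assumptions: LAN = ether1,
# FTP server = 192.168.1.149 with passive range 50000-50100 (constructed),
# GW_A / GW_B = placeholder ISP gateway addresses.

# 1. Re-enable the FTP protocol helper so the PORT/PASV payloads and the
#    related data connections are translated together with port 21.
/ip firewall service-port
set ftp disabled=no ports=21

# 2. Inbound: forward the control port and the passive data range arriving
#    on either public interface to the server.
/ip firewall nat
add chain=dstnat in-interface=WAN_A protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.1.149 comment="FTP control via WAN_A"
add chain=dstnat in-interface=WAN_B protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.1.149 comment="FTP control via WAN_B"
add chain=dstnat in-interface=WAN_A protocol=tcp dst-port=50000-50100 action=dst-nat to-addresses=192.168.1.149 comment="FTP passive data via WAN_A"
add chain=dstnat in-interface=WAN_B protocol=tcp dst-port=50000-50100 action=dst-nat to-addresses=192.168.1.149 comment="FTP passive data via WAN_B"

# 3. Outbound source NAT per public interface (srcnat matches on out-interface).
add chain=srcnat out-interface=WAN_A action=masquerade
add chain=srcnat out-interface=WAN_B action=masquerade

# 4. Mark NEW inbound connections by the WAN they arrived on, then give the
#    server's replies for those connections a routing mark so they go back out
#    the same WAN. Marking only LAN-originated connections would leave the
#    dst-nat'ed inbound sessions unmarked, which is what breaks multi-ISP dstnat.
/ip firewall mangle
add chain=prerouting in-interface=WAN_A connection-state=new action=mark-connection new-connection-mark=from_WAN_A passthrough=yes
add chain=prerouting in-interface=WAN_B connection-state=new action=mark-connection new-connection-mark=from_WAN_B passthrough=yes
add chain=prerouting in-interface=ether1 connection-mark=from_WAN_A action=mark-routing new-routing-mark=via_WAN_A passthrough=no
add chain=prerouting in-interface=ether1 connection-mark=from_WAN_B action=mark-routing new-routing-mark=via_WAN_B passthrough=no

# 5. One default route per routing mark (RouterOS 6 syntax).
/ip route
add dst-address=0.0.0.0/0 gateway=GW_A routing-mark=via_WAN_A
add dst-address=0.0.0.0/0 gateway=GW_B routing-mark=via_WAN_B
```

Two checks worth doing after importing this: watch the packet counters on the dstnat rules while a client connects (the thread's "0 packets" on the in-interface rules is the sign that traffic is not even reaching the router on that interface, e.g. because the public address lives on a PPPoE interface rather than on WAN_B itself), and look at /ip firewall connection during a transfer to confirm that the passive data connection appears with the same connection mark as its control session. When the filter rules are re-enabled, the forward chain needs an accept for connection-nat-state=dstnat (or for the specific server and ports) ahead of any drop; keeping the passive range narrow and forwarding only those ports limits what the public interfaces expose to the control port plus that range.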