Re: FTP Blocking

nadym67 · May 11, 2010, 8:43am

Hi,

I have ftp running on my LAN. I need to give access to mobile users via internet. I have assigned IP to WAN interface & did dsnt nat. Whiled testing when I try to connect in log is shows.

FDROP forward: input: WAN output: LAN proto TCP (SYN)

Regards,

Nadeem

sergejs · May 11, 2010, 10:52am

Please, post /ip firewall nat rule used for the FTP server redirection.

nadym67 · May 11, 2010, 11:14am

chain=srcnat action=src-nat to-addresses=142.24.210.58 to-ports=0-65535 out-interface=WAN
src-address=192.168.0.0/24

nadym67 · May 11, 2010, 11:17am

Sorry that was wrong

chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=20-21 in-interface=WAN dst-address=142.24.210.68
dst-port=20-21 protocol=tcp

Chupaka · May 11, 2010, 1:09pm

so, disable that firewall filter rule that drops the packet

nadym67 · May 11, 2010, 1:35pm

I disabled all the drop rules still not working

sergejs · May 12, 2010, 5:54am

Do you have active or passive FTP?

nadym67 · May 12, 2010, 10:29am

I have an active ftp running on linux os.

sergejs · May 12, 2010, 11:08am

Then NAT should work. Try to forward other ports SSH/Telnet to your server (to make sure that public IP address works, which is given by the ISP).

nadym67 · May 12, 2010, 11:21am

I m able to ping this IP after natting.

ditonet · May 12, 2010, 11:27am

How did you test FTP server?
Active FTP will not function when client-side is firewalled or client is behind NAT device which is not smart enough to alter IP addresses in FTP packets.
Passive FTP is better choice for mobile user, especially when they connect from different places.

Regards, Grzegorz.

nadym67 · May 12, 2010, 12:09pm

My server is working fine, Mikrotik is dropping, FDROP forward:in WAN out :lan TCP (SYN)

ditonet · May 12, 2010, 12:24pm

I’m sure that your FTP server is working fine, I wrote about FTP clients.
I don’t know what FDROP in your log is, but the rest forward:in WAN out :lan TCP (SYN) say that packet is forwarded through router.
Look at this: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Post your full firewall RouterOS logs.

Regards, Grzegorz.

sergejs · May 12, 2010, 12:25pm

How this is joined together?

#1

Wed May 12, 2010 1:09 pm
My server is working fine, Mikrotik is dropping, FDROP forward:in WAN out :lan TCP (SYN)

#2

Posted: Tue May 11, 2010 2:35 pm
I disabled all the drop rules still not working

nadym67 · May 12, 2010, 12:53pm

#1
Is my error message form my Mikrotik log

#2

Reply to chupaka as he asked to disable all drop rules in filewall.

sergejs · May 12, 2010, 12:57pm

Firstly you told that disabled drop rules, but still you see them in your log?

nadym67 · May 12, 2010, 1:20pm

Yes thats correct even I m confused.

ditonet · May 12, 2010, 1:57pm

Set two logging rules, one for ‘input’ on WAN side, second for ‘forward’.
You will clearly see what is dropped and what is forwarded.

Regards, Grzegorz.

Chupaka · May 12, 2010, 3:02pm

do you have ftp nat helper enabled (under IP - Firewall - Service Ports)?

nadym67 · May 12, 2010, 5:23pm

I setted 2 rules for log its same FDROP forward in WAN out lan src-mac , proto TCP (SYN), and :21 len 48