Router sends back local IP instead of external

Hi,

I have a CRS109-8G-1S-2HnD. I'm trying to get the FTP server to work.
When I use FileZilla it does work, but when I use Windows Explorer I get the message:
An error occurred opening that folder on the FTP server. Make sure you have permission to access that folder

Details:
200 Type set A
227 Entering Passive Mode (192,168,10,217,4,2)

The 192.168.10.217 is the local IP address of the FTP server. How can I configure the MikroTik to send out the public IP address?

Here is my export of my NAT config:

# apr/10/2019 23:11:32 by RouterOS 6.44.2
# software id = FW3B-LY4F
#
# model = CRS109-8G-1S-2HnD
# serial number = 5DD80537130D

/ip firewall nat
add action=masquerade chain=srcnat comment="HARPIN NAT" dst-address=
192.168.10.0/24 log-prefix=harpin src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Gast wifi op eigen dhcp"
out-interface=wan src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade"
out-interface=wan
add action=dst-nat chain=dstnat comment="FTP Passive" dst-address-list=
Public-IP dst-port=21,1024-1080 protocol=tcp to-addresses=192.168.10.217
add action=dst-nat chain=dstnat comment=PLEX-UT2 dst-port=32402 protocol=tcp
to-addresses=192.168.10.104 to-ports=32400
add action=dst-nat chain=dstnat comment="PLEX UT2 LOG" port=8181 protocol=tcp
to-addresses=192.168.10.104 to-ports=8181
add action=dst-nat chain=dstnat comment=Exchange disabled=yes
dst-address-list=WAN-IP dst-port=25 protocol=tcp to-addresses=
192.168.10.16 to-ports=25
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
add action=dst-nat chain=dstnat comment=openVPN dst-address-type=local
dst-port=1194 log-prefix=vpn protocol=udp to-addresses=192.168.10.104
to-ports=1194
add action=dst-nat chain=dstnat dst-port=934 protocol=tcp to-addresses=
192.168.10.104 to-ports=934
add action=dst-nat chain=dstnat comment=SickrageAK-Server dst-port=8082
protocol=tcp to-addresses=192.168.10.104 to-ports=8082
add action=dst-nat chain=dstnat comment="SSH for Eymotion" dst-port=2244
in-interface=wan protocol=tcp to-addresses=192.168.10.8 to-ports=22
add action=dst-nat chain=dstnat comment="DECO LEDEN" dst-address-list=WAN-IP
dst-port=80 protocol=tcp to-addresses=192.168.10.212 to-ports=80
add action=dst-nat chain=dstnat comment="SSH RevProxy" dst-port=2233
protocol=tcp to-addresses=192.168.10.25 to-ports=22
add action=dst-nat chain=dstnat comment="NAT in HTTPS" dst-address-list=
WAN-IP dst-address-type=local dst-port=443 protocol=tcp to-addresses=
192.168.10.16 to-ports=443
add action=dst-nat chain=dstnat comment=Synology disabled=yes
dst-address-list=WAN-IP dst-address-type="" dst-limit=
1,5,dst-address/1m40s dst-port=5000 protocol=tcp src-address-type=""
src-port="" to-addresses=192.168.10.16 to-ports=5000
add action=dst-nat chain=dstnat dst-port=2233 protocol=tcp to-addresses=
192.168.10.16 to-ports=2233
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp to-addresses=
192.168.10.16 to-ports=5001
add action=dst-nat chain=dstnat dst-port=9999 protocol=tcp to-addresses=
192.168.10.16 to-ports=9999
add action=dst-nat chain=dstnat dst-port=873 protocol=tcp to-addresses=
192.168.10.16 to-ports=873
add action=dst-nat chain=dstnat dst-port=6690 protocol=tcp to-addresses=
192.168.10.16 to-ports=6690
add action=dst-nat chain=dstnat comment=MotionEye dst-port=8765 protocol=tcp
to-addresses=192.168.10.8 to-ports=8765
add action=dst-nat chain=dstnat comment=Qtorrent dst-address-list=WAN-IP
dst-address-type=local dst-port=45650 protocol=tcp to-addresses=
192.168.10.105 to-ports=45650
add action=dst-nat chain=dstnat comment=PPTP-DECO dst-address-list=""
dst-port=1723 log=yes log-prefix=pptp protocol=tcp to-addresses=
192.168.10.1 to-ports=1723

That’s how FTP works: every transfer (download, upload, directory listing) means a new connection. Either the client connects to the server (passive mode) or the server connects to the client (active mode). Both work by sending the exact address that should be used, which is a nightmare when combined with firewalls and NAT. Routers try to solve that by watching the control connection and rewriting addresses, and it works as long as a) you use the standard port, or change the router config to also watch another one you might use, and b) you don’t use encryption.

In your case, I see forwarded port 21, so I guess you use that. So if you don’t use encryption (which is not the best idea, because passwords fly on the wire in readable form) and you didn’t mess with config in “/ip firewall service-port”, it should work.

An alternative way is to leave the router out of it and configure the FTP server to send the right public address and ports to clients. If you don’t use something completely outdated, FTP servers usually have an option to do so.

You need to set it up on the FTP server. Usually it is under the menu “External server IP”.

I solved the problem by adding the domain name in the FTP server settings.
It was a field for entering the public IP address, but I entered the domain name.nl and it did work!

Thank you all for thinking about and trying to solve this problem!

For the sake of understanding of what you saw at first…

When your FileZilla server uses the private IP of the machine, the remote FileZilla client will probably work because the FileZilla client has a feature where it determines that the server sent a private IP of a different subnet, meaning it’s unroutable. So the FileZilla client instead decides to connect to the public IP of the server for its connections. Windows Explorer doesn’t do this; it requires a correctly configured server.