[SOLVED] Forwarding traffic to ftp in a tunnel through a specific IP

Hello, I have an IPsec GRE tunnel. My network is 192.168.30.0/24 and the remote site is 192.168.0/24, but the FTP server can accept connections only from 1 IP address, 192.168.30.52. I made a rule so that multiple clients are able to connect to this FTP.

chain=srcnat action=src-nat to-addresses=192.168.30.52 dst-address=192.168.0.11 log=yes log-prefix="FTP : "

But when I make a connection to this FTP, I get the following error:

FTP :  srcnat: in:(unknown 0) out:Gre_Tunnel, src-mac 00:0c:29:a7:2a:a8, proto TCP (SYN), 192.168.30.53:59981->192.168.0.11:1024, len 60

And FTP returns :

227 Entering Passive Mode (192,168,0,11,4,0).
ftp: connect: Connection timed out

I don’t have access to this FTP server and I must come up with a way to make this access work.

FTP is a bit more complicated than other protocols: you have 2 modes, active and passive, but then also 2 sets of ports to deal with, i.e. control and data.

Best will be for a certified MikroTik consultant to assist.

FTP is not that difficult. For a client using passive mode, it’s all outgoing connections, nothing complicated. You just need to find out where exactly it’s blocked: your router, the remote router, or the server; it can be any of those. Packet sniffer is your friend.
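Added example, not part of any post in this thread: a short Python check that decodes the 227 reply quoted above and confirms that the logged SYN is the passive-mode data connection, which gives the exact address and port to follow in the packet sniffer. The sample strings are copied from the thread; the function names are made up for this illustration.

```python
import re

# Sample input copied from the reply and the log line quoted in the thread.
PASV_REPLY = "227 Entering Passive Mode (192,168,0,11,4,0)."
LOG_LINE = ("FTP :  srcnat: in:(unknown 0) out:Gre_Tunnel, src-mac 00:0c:29:a7:2a:a8, "
            "proto TCP (SYN), 192.168.30.53:59981->192.168.0.11:1024, len 60")

IPV4 = r"\d+(?:\.\d+){3}"


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; RFC 959 encodes them as h1,h2,h3,h4,p1,p2."""
    reply = reply.strip()
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in 227 reply")
    # The data port is the high byte times 256 plus the low byte.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_log_flow(line):
    """Extract protocol, TCP flags and the src/dst tuple from the firewall log line."""
    m = re.search(
        rf"proto (\w+) \(([^)]*)\), ({IPV4}):(\d+)->({IPV4}):(\d+)", line)
    if not m:
        raise ValueError("no flow tuple found in log line")
    proto, flags, src, sport, dst, dport = m.groups()
    return {"proto": proto, "flags": flags.split(","),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def is_pasv_data_syn(reply, line):
    """True if the logged packet is a TCP SYN to the endpoint the 227 reply advertised."""
    flow = parse_log_flow(line)
    return (flow["proto"] == "TCP" and flow["flags"] == ["SYN"]
            and (flow["dst"], flow["dport"]) == parse_pasv(reply))


if __name__ == "__main__":
    print("data endpoint:", parse_pasv(PASV_REPLY))
    print("logged flow:  ", parse_log_flow(LOG_LINE))
    print("log line is the data-connection SYN:", is_pasv_data_syn(PASV_REPLY, LOG_LINE))
```

The logged packet is the client's outgoing data connection to 192.168.0.11:1024, so that is the flow to trace hop by hop to see where the SYN stops.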

As already stated, it helps to know in detail how FTP works.

That said, why are you using NAT at all for this traffic? It appears that the hosts should be able to communicate without NAT.

Thx Sob, it helped me a lot!