 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Tue May 11, 2010 11:43 am

Hi,

I have FTP running on my LAN. I need to give access to mobile users via the internet. I have assigned an IP to the WAN interface and did dst-nat. While testing, when I try to connect, the log shows:

FDROP forward: input: WAN output: LAN proto TCP (SYN)

Regards,

Nadeem
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: FTP Blocking

Tue May 11, 2010 1:52 pm

Please, post /ip firewall nat rule used for the FTP server redirection.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Tue May 11, 2010 2:14 pm

chain=srcnat action=src-nat to-addresses=142.24.210.58 to-ports=0-65535 out-interface=WAN
src-address=192.168.0.0/24
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Tue May 11, 2010 2:17 pm

Sorry, that was wrong.

chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=20-21 in-interface=WAN dst-address=142.24.210.68
dst-port=20-21 protocol=tcp
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: FTP Blocking

Tue May 11, 2010 4:09 pm

when I try to connect in log is shows.

FDROP forward: input: WAN output: LAN proto TCP (SYN)
so, disable that firewall filter rule that drops the packet
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Tue May 11, 2010 4:35 pm

I disabled all the drop rules, still not working.
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: FTP Blocking

Wed May 12, 2010 8:54 am

Do you have active or passive FTP?
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 12, 2010 1:29 pm

I have active FTP running on a Linux OS.
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: FTP Blocking

Wed May 12, 2010 2:08 pm

Then NAT should work. Try to forward other ports SSH/Telnet to your server (to make sure that public IP address works, which is given by the ISP).
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 12, 2010 2:21 pm

I'm able to ping this IP after NATting.
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Wed May 12, 2010 2:27 pm

How did you test the FTP server?
Active FTP will not function when the client side is firewalled or the client is behind a NAT device which is not smart enough to alter IP addresses in FTP packets.
Passive FTP is a better choice for mobile users, especially when they connect from different places.

Regards, Grzegorz.
Grzegorz | MTCNA, MTCRE, MTCSE | konsultacje MikroTik Warszawa
It is a book about a Spanish guy called Manual. You should read it. - Dilbert
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 12, 2010 3:09 pm

My server is working fine; MikroTik is dropping: FDROP forward:in WAN out :lan TCP (SYN)
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Wed May 12, 2010 3:24 pm

I'm sure that your FTP server is working fine; I wrote about FTP clients.
I don't know what FDROP in your log is, but the rest, forward:in WAN out :lan TCP (SYN), says that the packet is forwarded through the router.
Look at this: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Post your full firewall RouterOS logs.

Regards, Grzegorz.
Last edited by ditonet on Wed May 12, 2010 3:26 pm, edited 1 time in total.
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: FTP Blocking

Wed May 12, 2010 3:25 pm

How is this joined together?

#1
Wed May 12, 2010 1:09 pm
My server is working fine, Mikrotik is dropping, FDROP forward:in WAN out :lan TCP (SYN)
#2
Posted: Tue May 11, 2010 2:35 pm
I disabled all the drop rules still not working
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 12, 2010 3:53 pm

#1
is the error message from my MikroTik log.

#2

Reply to Chupaka, as he asked to disable all drop rules in the firewall.
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: FTP Blocking

Wed May 12, 2010 3:57 pm

Firstly you said that you disabled the drop rules, but you still see them in your log?
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 12, 2010 4:20 pm

Yes, that's correct; even I'm confused.
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Wed May 12, 2010 4:57 pm

Set two logging rules, one for 'input' on WAN side, second for 'forward'.
You will clearly see what is dropped and what is forwarded.

Regards, Grzegorz.
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: FTP Blocking

Wed May 12, 2010 6:02 pm

do you have the ftp nat helper enabled (under IP - Firewall - Service Ports)?
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 12, 2010 8:23 pm

I set 2 rules for log; it's the same: FDROP forward in WAN out lan src-mac <MAC ADDRESS>, proto TCP (SYN), <Public IP of Source PC> and <ftp Lan IP>:21 len 48
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Wed May 12, 2010 11:57 pm

Post your firewall/mangle rules and log results.

Regards, Grzegorz.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Thu May 13, 2010 1:07 pm

No rules in mangle; the log I have mentioned in the previous post.
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Thu May 13, 2010 1:17 pm

OK, so let us know how you log firewall activity.

Regards, Grzegorz.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Thu May 13, 2010 1:27 pm

I have 4 log rules: input, forward, tcp services & udp services.
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Thu May 13, 2010 2:10 pm

No rules in mangle log I have mentioned in previous post
If not in 'mangle', then where are they? In 'filter rules'?

Regards, Grzegorz.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Thu May 13, 2010 2:13 pm

Yes, in filter rules, src nat and routing.
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Thu May 13, 2010 10:55 pm

Connect your Linux box/FTP server directly to the WAN and make a test.
Install Wireshark to get as many details as possible.

Regards, Grzegorz.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Tue May 18, 2010 5:25 pm

I could not connect my FTP server directly to the MikroTik as it has other applications running.

Can you tell me step by step how to configure the MikroTik to serve the FTP server through it, so I can compare it with my config in case of any mistake by me; after all, I'm a human being.
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Tue May 18, 2010 10:39 pm

I suggested that you should connect your Linux box directly to the WAN, without MikroTik or any other NAT-ing device.
This will clearly show what is wrongly configured: your FTP server or the MikroTik.
According to your earlier post:
My server is working fine, Mikrotik is dropping, FDROP forward:in WAN out :lan TCP (SYN)
In my opinion MikroTik forwards packets correctly.
I asked you about your firewall/mangle/nat rules and logs, but it looks like that is 'Top Secret' data :D
And last but not least - Active FTP is not a good choice.

Regards, Grzegorz.
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: FTP Blocking

Wed May 19, 2010 8:16 am

nadym67, I agree with Grzegorz.

We are not able to help you without the full output of /ip firewall export from the problematic router.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 19, 2010 9:59 am

Kindly find attached the file from the firewall export.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 19, 2010 1:12 pm

We have 2 ISPs. I did a port scan on the NATted IP using packet trap; it's showing ports 20 and 21 not responding. (ISP not terminated on the MikroTik.) I started the FTP service on the MikroTik WAN address; it shows the port open.
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Re: FTP Blocking

Wed May 19, 2010 3:05 pm

Oooo ))) how many rules on your router??
Move the dst-nat rule to the top of the firewall NAT in Winbox, and disable the drop forward rule and the jump rule; then, if all works, enable the rules one by one and test )
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 19, 2010 4:12 pm

Still not working. What I observed is that all dst-nat is not accepting, even at port 80.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: FTP Blocking

Wed May 19, 2010 4:51 pm

Nearly everything in that NAT rule set you posted is disabled. Once you take out the disabled lines, only the following is left:
/ ip firewall nat 
add chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=20-21 \
    dst-address=124.247.210.186 dst-port=20-21 protocol=tcp \
    comment="esoftconnect" disabled=no 
add chain=srcnat action=src-nat to-addresses=124.247.210.185 to-ports=0-65535 \
    out-interface=voip src-address=192.168.0.0/24 comment="LAN via MCI via IP \
    Address 202.80.63.82. Do not change. Used for VPN Traffic" disabled=no 
That's correct (though the comment on the srcnat chain is wildly inaccurate), but you're filtering the port. You are accepting ports 20/21 in the input chain (though the comment is incorrect: you're not just accepting from trusted sources, you're accepting from everywhere):
add chain=input action=accept dst-port=20-21 protocol=tcp comment="ftp access \
    to router from trusted sources" disabled=no 
But the traffic won't be in the input chain. dstnat happens before input/output/forward, and because the destination IP address after dstnat is no longer local, the packets will be in the forward chain. The only reference to ports 20/21 in the forward chain is in the chain 'tcp-services':
add chain=tcp-services action=accept src-port=0-65535 dst-port=20-21 \
    protocol=tcp comment="ftp" disabled=no 
and while they are accepted there (though it doesn't make sense to check for a source port if you're going to permit every possible source port; that's just eating resources for a check that will always succeed), you're only jumping to 'tcp-services' with a condition of 'in-interface=lan', which isn't true for the Internet accessing the FTP server.
add chain=forward action=jump jump-target=tcp-services in-interface=lan \
    protocol=tcp comment="allow all outgoing from LAN tcp services" \
    disabled=no 
Since you do have a default drop in the forward chain, FTP traffic to the FTP server will be dropped because it isn't accepted first:
add chain=forward action=log log-prefix="FDROP" comment="log drop everything \
    else" disabled=no 
add chain=forward action=drop comment="drop everything else" disabled=yes 
And that log message before the drop matches what you've been posting.

Caveat on all of the above: that's one hell of a ruleset, most of it isn't even in use as it's marked disabled, and it could be summarized quite a lot (why do you have 20 rules for NAT exemption for VPN when you could just build address lists and refer to them in one quick rule?) - at a quick glance it's rather confusing and I don't want to spend an hour going through it, so I'm not 100% sure that the above is correct. You should really look at simplifying your configuration.
 
nadym67
just joined
Topic Author
Posts: 18
Joined: Mon Oct 06, 2008 10:47 pm

Re: FTP Blocking

Wed May 19, 2010 5:06 pm

Thanks for your valuable reply. This router was configured by the ex-engineer; I just started working on it. I did not remove any config because they used to use it as a backup router for the Cisco to connect VPN. I'm playing it safe to avoid a major issue. As per your advice I'll remove all disabled rules, but after taking a backup.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: FTP Blocking

Wed May 19, 2010 5:09 pm

To make this work quickly, find the log rule with a log-prefix of "FDROP" and add the following rule just above it (the filter matcher is dst-port, not dst-ports):
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=20-21
By the looks of it you're already permitting FTP traffic initiated from everywhere but the WAN, so the rule won't do anything more than permit traffic to the FTP server.

Good luck cleaning up the configuration.
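The packet path fewi describes (dst-nat first, then the routing decision, then the filter chains) and the fix in the post above, as an added Python model that is not code from the thread or from RouterOS: it shows that the dst-natted SYN lands in the forward chain rather than input, misses the jump rule that only fires for in-interface=lan, and so only hits the FDROP log rule; inserting fewi's accept rule above that log rule stops the log entry. Addresses, interface names and rule comments are the ones quoted in the thread (the drop rule is modelled as disabled, exactly as quoted, so the chain falls through to its default accept); the simulator, the Pkt type and the rule-table layout are assumptions.

```python
from collections import namedtuple

# in_iface: arrival interface ("WAN"/"lan" as in the thread); dst: IP; dport: TCP port
Pkt = namedtuple("Pkt", "in_iface dst dport")

ROUTER_ADDRS = {"124.247.210.186"}  # public address the quoted dst-nat rule matches on
DSTNAT = [dict(dst="124.247.210.186", ports=(20, 21), to="192.168.0.6")]

def build_filter(with_fix=False):
    """Subset of the quoted filter rules; with_fix inserts fewi's accept above FDROP."""
    forward = [dict(action="jump", target="tcp-services", in_iface="lan",
                    comment="allow all outgoing from LAN tcp services"),
               dict(action="log", comment="FDROP"),
               dict(action="drop", comment="drop everything else", disabled=True)]
    if with_fix:
        forward.insert(1, dict(action="accept", ports=(20, 21), comment="accept tcp 20-21"))
    return {"input": [dict(action="accept", ports=(20, 21), comment="ftp access to router")],
            "forward": forward,
            "tcp-services": [dict(action="accept", ports=(20, 21), comment="ftp")]}

def dst_nat(pkt):
    """dst-nat runs before the routing decision, so the destination is rewritten first."""
    for r in DSTNAT:
        if pkt.dst == r["dst"] and r["ports"][0] <= pkt.dport <= r["ports"][1]:
            return pkt._replace(dst=r["to"])
    return pkt

def matches(rule, pkt):
    if rule.get("disabled") or rule.get("in_iface", pkt.in_iface) != pkt.in_iface:
        return False
    lo, hi = rule.get("ports", (1, 65535))
    return lo <= pkt.dport <= hi

def walk(rules, chain, pkt, trace):
    """Evaluate one chain: log rules record and fall through; a jump may return nothing."""
    for rule in rules[chain]:
        if not matches(rule, pkt):
            continue
        trace.append(rule["comment"])
        if rule["action"] == "jump":
            verdict = walk(rules, rule["target"], pkt, trace)
            if verdict:
                return verdict
        elif rule["action"] in ("accept", "drop"):
            return rule["action"]
    return None

def route(pkt, with_fix=False):
    """Return (chain the packet lands in, verdict, comments of the rules it matched)."""
    pkt = dst_nat(pkt)
    chain = "input" if pkt.dst in ROUTER_ADDRS else "forward"  # routing decision after dst-nat
    trace = []
    verdict = walk(build_filter(with_fix), chain, pkt, trace) or "accept"  # built-in chains default-accept
    return chain, verdict, trace
```

Run `route(Pkt("WAN", "124.247.210.186", 21))` to see the trace `["FDROP"]` in the forward chain, and pass `with_fix=True` to see the accept rule match instead.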
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Thu May 20, 2010 11:27 pm

Hi,

I agree with fewi's every word; the problem is probably located here:
add chain=forward action=log log-prefix="FDROP" comment="log drop everything \
    else" disabled=no 
add chain=forward action=drop comment="drop everything else" disabled=yes 
add chain=input action=accept src-port=20-21 protocol=tcp comment="ftp" \
    disabled=yes 
And I'm really impressed by your firewall ruleset :D, but seriously, you should simplify and summarize your rules.

Regards, Grzegorz.
 
sergejs
MikroTik Support
Posts: 6616
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: FTP Blocking

Fri May 21, 2010 10:48 am

These rules are only logging. The drop rules are disabled, but an accept for TCP 20-21 at the top, for any port, should do the trick.
 
ditonet
Forum Veteran
Posts: 841
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: FTP Blocking

Fri May 21, 2010 12:22 pm

OK, I tried to analyze these rules and found:
add chain=forward action=accept src-address=192.168.0.6 src-port=21 \
    dst-port=0-65535 protocol=tcp comment="allow from FTP server" disabled=yes 
and
add chain=feedsRSS action=accept out-interface=lan src-address=124.247.210.186 \
    dst-address=192.168.0.6 src-port=21 dst-port=21 protocol=tcp \
    comment="Esoftconnect" disabled=no 
In my opinion it should be 20-21, not only 21, because the connection from/to the FTP data port (20) is not allowed.
This is Active FTP, so the data port is important.

Hope this helps.

Regards, Grzegorz.