warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

pppoe clients cant access any internet ftp in passive mode

Mon Jul 04, 2011 1:35 am

I really don't know when it stopped working, but I can't find the problem: none of my PPPoE clients can access an external FTP server in passive mode. I have ftp ON in ip > firewall > service-ports. If I connect a laptop directly to the ISP, it works fine.

Can someone help me, please?

Mikrotik version 4.17
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: pppoe clients cant access any internet ftp in passive mo

Mon Jul 04, 2011 8:27 pm

Do you have a firewall rule that permits "related" traffic through the router?

The firewall helper simply classifies the data stream as a related connection type.
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Tue Jul 05, 2011 12:41 am

I set one rule about related when I tried to make it work, but I don't know if it is right. Can you give me an idea of how I should have such a rule, please?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: pppoe clients cant access any internet ftp in passive mo

Tue Jul 05, 2011 12:49 am

It depends on the rest of your rule set. So post that here.
Generally speaking, make a rule that accepts related traffic in the forward chain and move it close enough to the top so that it comes before other rules that would drop the traffic.
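To make the two points in fewi's replies concrete (the helper only tags the data channel as "related", and the accept-related rule must sit above any drop that would otherwise catch it), here is an added Python model of the mechanism. It is an illustration written for this thread, not MikroTik code or the poster's configuration: the client address, the 227/229 replies and the "drop high ports" rule are constructed, and the only value taken from the thread is the FTP server address from the posted log lines. The toy tracker does what the FTP service-port helper does conceptually: it reads the PASV/EPSV reply on the control connection, registers the expected data connection, and classifies the client's later SYN as related or new; a first-match chain then decides the verdict under each rule order, and with the helper switched off.

```python
import re
from dataclasses import dataclass, field

# Constructed sample values; SERVER is the FTP server address that appears
# in the log lines posted later in this thread.
CLIENT = "192.168.110.1"
SERVER = "70.90.191.125"
PASV_REPLY = "227 Entering Passive Mode (70,90,191,125,115,103)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||29559|)"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def expected_data_endpoint(reply, control_peer):
    """Return the (host, port) the client will open its data connection to.

    A 227 (PASV) reply embeds the server address and the port as two bytes;
    a 229 (EPSV) reply carries only the port, and the client reuses the
    control connection's peer address (RFC 2428). Returns None otherwise.
    """
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_peer, int(m.group(1))
    return None


@dataclass
class Conntrack:
    """Toy connection tracker: when the FTP helper is enabled it registers an
    expectation for the data channel, and a SYN matching it is 'related'."""
    helper_enabled: bool = True
    expectations: set = field(default_factory=set)

    def on_control_reply(self, reply, client, control_peer):
        ep = expected_data_endpoint(reply, control_peer)
        if ep and self.helper_enabled:
            self.expectations.add((client, ep[0], ep[1]))
        return ep

    def state_of(self, src, dst, dport):
        return "related" if (src, dst, dport) in self.expectations else "new"


def accept_related(pkt):
    return pkt["state"] == "related"


def drop_high_ports(pkt):
    # Constructed strict rule: drops every flow to a port above 1023 regardless
    # of state. This is the kind of rule the related-accept has to precede.
    return pkt["dport"] > 1023


def evaluate(chain, pkt):
    """First matching rule wins, as in a filter chain with an implicit accept."""
    for predicate, action in chain:
        if predicate(pkt):
            return action
    return "accept"


def data_channel_verdict(reply, chain, helper_enabled=True):
    """Run one passive-mode exchange through the tracker and the chain and
    return the verdict for the client's data-channel SYN."""
    ct = Conntrack(helper_enabled=helper_enabled)
    host, port = ct.on_control_reply(reply, CLIENT, SERVER)
    pkt = {"src": CLIENT, "dst": host, "dport": port,
           "state": ct.state_of(CLIENT, host, port)}
    return evaluate(chain, pkt)


# Related-accept placed before the drop (the advice above) versus after it.
GOOD_ORDER = [(accept_related, "accept"), (drop_high_ports, "drop")]
BAD_ORDER = [(drop_high_ports, "drop"), (accept_related, "accept")]

if __name__ == "__main__":
    for name, reply in (("PASV", PASV_REPLY), ("EPSV", EPSV_REPLY)):
        print(name, expected_data_endpoint(reply, SERVER),
              "good order:", data_channel_verdict(reply, GOOD_ORDER),
              "bad order:", data_channel_verdict(reply, BAD_ORDER),
              "helper off:", data_channel_verdict(reply, GOOD_ORDER, False))
```

Two things the model makes visible: the data-channel SYN is accepted only when the helper has registered the expectation and the related-accept runs before the drop, and a 227 reply carries the server's address inside the payload while a 229 reply does not, which is why the two modes can behave differently once the control connection crosses more than one NAT. On RouterOS the rule fewi describes is the usual "chain=forward connection-state=related action=accept" filter entry, placed above the drop rules.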
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Tue Jul 05, 2011 12:54 am

Well, I use a masquerade rule pointing to a Linux gateway, nothing more, just a few rules for blocking traffic such as 135-139 TCP/UDP.
When I connect directly to this Linux gateway, all FTP connections work fine.

I tried to access an FTP site from a Linux box in the LAN, and Extended Passive works right, but Normal Passive doesn't; active connections also work.
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Tue Jul 05, 2011 1:06 am

ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> ls
421 Service not available, remote server has closed connection.

----------

ftp> epsv
EPSV/EPRT on IPv4 on.
ftp> ls
229 Entering Extended Passive Mode (|||29559|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Mar 30 23:46 pub
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Thu Jul 07, 2011 6:43 am

http://pastebin.com/5q666dkR

Jul/07/2011 00:37:17 firewall,info info: ftp forward: in:<pppoe-warn1ng> out:Internet, proto TCP (ACK,FIN), 192.168.110.1:50300->70.90.191.125:21, len 40
Jul/07/2011 00:37:18 firewall,info info: ftp input: in:Internet out:(none), src-mac 00:e0:52:86:c8:35, proto TCP (ACK,PSH), 70.90.191.125:21->10.0.0.58:50300, len 89

192.168.110.1 = laptop (pppoe)
70.90.191.125 = ftp.shorewall.net
10.0.0.58 = Mikrotik, Internet Interface

MikroTik FTP helper not working? Also, I tried an FTP proxy after 10.0.0.58 and I get logs about 10.0.0.58 rejecting FTP connections.

Mikrotik Version 5.5
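As an added illustration, not the poster's or MikroTik's code, the following Python parses the two RouterOS firewall log lines quoted in the post above and runs the one check a practitioner would want on them: whether a reply to a masqueraded flow came back to the router untranslated. The WAN address (10.0.0.58) and interface name (Internet) are the ones the post gives; the regular expression is written against the field layout of these two lines and would need adjusting for rules that log other fields.

```python
import re

# The two lines below are quoted from the post above; nothing else in the
# sample is constructed.
SAMPLE_LOG = """\
Jul/07/2011 00:37:17 firewall,info info: ftp forward: in:<pppoe-warn1ng> out:Internet, proto TCP (ACK,FIN), 192.168.110.1:50300->70.90.191.125:21, len 40
Jul/07/2011 00:37:18 firewall,info info: ftp input: in:Internet out:(none), src-mac 00:e0:52:86:c8:35, proto TCP (ACK,PSH), 70.90.191.125:21->10.0.0.58:50300, len 89
"""
WAN_IP = "10.0.0.58"       # the router's Internet interface address, per the post
WAN_IFACE = "Internet"

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<topics>[\w,]+) (?P<prefix>.+?) "
    r"(?P<chain>input|forward|output): in:(?P<in>\S+) out:(?P<out>\S+),"
    r"(?: src-mac (?P<mac>[0-9a-f:]+),)? proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)


def parse_log(text):
    """Split RouterOS firewall log lines into dicts of their fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        e = m.groupdict()
        for key in ("sport", "dport", "len"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def find_untranslated_replies(entries, wan_ip, wan_iface):
    """Pair each packet logged in `input` for the router's own WAN address
    with an earlier outbound `forward` packet whose 5-tuple mirrors it.

    Masquerade rewrites the LAN source to the WAN address and normally keeps
    the source port, so the reply to 192.168.110.1:50300 arrives addressed
    to 10.0.0.58:50300. While connection tracking still knows the flow, that
    reply is translated back and logged in `forward`; seeing it in `input`
    with the WAN address still as destination means the router handled it
    as traffic for itself, i.e. no NAT state matched it.
    """
    findings = []
    for i, reply in enumerate(entries):
        if reply["chain"] != "input" or reply["dst"] != wan_ip:
            continue
        for orig in entries[:i]:
            if (orig["chain"] == "forward" and orig["out"] == wan_iface
                    and orig["dst"] == reply["src"]
                    and orig["dport"] == reply["sport"]
                    and orig["sport"] == reply["dport"]):
                findings.append({
                    "lan_host": orig["src"],
                    "flow": f'{orig["src"]}:{orig["sport"]}->{orig["dst"]}:{orig["dport"]}',
                    "orig_flags": orig["flags"],
                    "reply_flags": reply["flags"],
                    "reply_ts": reply["ts"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_untranslated_replies(parse_log(SAMPLE_LOG), WAN_IP, WAN_IFACE):
        print("reply reached the router untranslated:", finding)
```

On the two quoted lines the check reports one flow: the client's outbound packet (carrying ACK,FIN) was forwarded out of Internet, and one second later the server's reply to the same port pair was logged in input, addressed to 10.0.0.58 rather than to the PPPoE client. The check only says that the reply was not mapped back onto the outbound flow; it does not say why, which is what the configuration output fewi asks for would be needed to settle.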
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: pppoe clients cant access any internet ftp in passive mo

Thu Jul 07, 2011 7:12 am

As asked before: post your config.

Post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.

Though at a quick guess your problem is double NAT. Your WAN IP is also private. That is going to be a problem unless your ISP does FTP inspection for you.
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Fri Jul 08, 2011 12:22 am

/ip route print detail = http://pastebin.com/Y7MPaCts

/interface print = http://pastebin.com/kUe9Jmfk

/ip firewall export =

# jul/07/2011 18:19:49 by RouterOS 5.5
# software id =
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1h tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
udp-timeout=10s
/ip firewall filter
add action=drop chain=forward disabled=no p2p=all-p2p src-address=192.168.1.95
add action=drop chain=forward comment="Dropeo Cyber Nocturno" disabled=yes dst-port=80,3128,443,1863 protocol=tcp src-address=192.168.1.10-192.168.1.94
add action=drop chain=forward comment="Dropeo P2P Hoteles" disabled=no p2p=all-p2p src-address=192.168.119.200-192.168.119.254
add action=drop chain=forward comment="Dropeo 25 Cyber" disabled=no dst-port=25 protocol=tcp src-address=192.168.1.1-192.168.1.29
add action=drop chain=forward comment="Limite Sesiones" connection-limit=80,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Limite Sesiones" connection-limit=10,32 disabled=no dst-port=25 protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Dropeo 139" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=forward comment="Dropeo 139" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=forward comment="Dropeo 139" disabled=no dst-port=445 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.0.0.99
add action=accept chain=input disabled=no dst-address=10.0.0.58 protocol=tcp src-address=10.0.0.99 src-port=20,21,2121
/ip firewall mangle
add action=change-mss chain=forward disabled=no in-interface=Local new-mss=1452 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward disabled=no in-interface=Wireless new-mss=1452 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=dst-nat chain=dstnat comment=deudores disabled=yes dst-port=80 protocol=tcp src-address=192.168.3.0/24 to-addresses=10.0.0.99 to-ports=81
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.250.90-192.168.250.110
add action=masquerade chain=srcnat comment=Enmascaramiento disabled=no out-interface=Internet src-address=192.168.110.0-192.168.120.0
add action=masquerade chain=srcnat comment="Enmascaramiento Luthien" disabled=no out-interface=PPP src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="Proxy Transparente" disabled=yes dst-address=192.168.1.99 dst-port=3128 protocol=tcp src-address=\
192.168.110.3-192.168.120.0 to-addresses=10.0.0.99 to-ports=3128
add action=dst-nat chain=dstnat comment="Redireccionamiento de Puertos" disabled=no dst-address=10.0.0.58 dst-port=9022 protocol=tcp to-addresses=\
192.168.1.209 to-ports=9022
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=9055 protocol=tcp to-addresses=192.168.1.95 to-ports=9055
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=4899 protocol=tcp to-addresses=192.168.1.221 to-ports=4899
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3339 protocol=tcp to-addresses=192.168.1.95 to-ports=3339
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1194 protocol=udp to-addresses=192.168.1.206 to-ports=1194
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3390 protocol=tcp to-addresses=192.168.1.206 to-ports=3390
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3390 protocol=udp to-addresses=192.168.1.206 to-ports=3390
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3060 protocol=tcp to-addresses=192.168.1.204 to-ports=3060
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3061 protocol=tcp to-addresses=192.168.1.204 to-ports=3061
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3070 protocol=tcp to-addresses=192.168.1.204 to-ports=3070
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1500 protocol=tcp to-addresses=192.168.1.204 to-ports=1500
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8085 protocol=tcp to-addresses=192.168.1.212 to-ports=8085
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8065 protocol=tcp to-addresses=192.168.1.211 to-ports=8065
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=6022 protocol=tcp to-addresses=192.168.1.210 to-ports=6022
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3306 protocol=tcp to-addresses=192.168.1.210 to-ports=3306
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8080 protocol=tcp to-addresses=192.168.1.210 to-ports=8080
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5900 protocol=tcp to-addresses=192.168.1.210 to-ports=5901
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3180 protocol=tcp to-addresses=192.168.1.213 to-ports=3180
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=60443 protocol=tcp to-addresses=192.168.1.213 to-ports=60443
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=60443 protocol=udp to-addresses=192.168.1.213 to-ports=60443
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1433 protocol=tcp to-addresses=192.168.1.212 to-ports=1433
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3389 protocol=tcp to-addresses=192.168.1.212 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1080 protocol=tcp to-addresses=192.168.1.214 to-ports=1080
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1081 protocol=tcp to-addresses=192.168.1.214 to-ports=1081
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=8481 protocol=tcp to-addresses=192.168.1.214 to-ports=8481
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5905 protocol=tcp to-addresses=192.168.119.223 to-ports=5905
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5906 protocol=tcp to-addresses=192.168.119.223 to-ports=5906
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5907 protocol=tcp to-addresses=192.168.119.223 to-ports=5907
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1030 protocol=tcp to-addresses=192.168.119.210 to-ports=1030
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1031 protocol=tcp to-addresses=192.168.119.210 to-ports=1031
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=10025 protocol=tcp to-addresses=192.168.1.95 to-ports=10025
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1035 protocol=tcp to-addresses=192.168.1.215 to-ports=1035
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1036 protocol=tcp to-addresses=192.168.1.215 to-ports=1036
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1032 protocol=tcp to-addresses=192.168.119.210 to-ports=1032
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1040 protocol=tcp to-addresses=192.168.1.216 to-ports=1040
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2130 protocol=tcp to-addresses=192.168.1.204 to-ports=2130
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2131 protocol=tcp to-addresses=192.168.1.204 to-ports=2131
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2132 protocol=tcp to-addresses=192.168.1.207 to-ports=2132
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2133 protocol=tcp to-addresses=192.168.1.207 to-ports=2133
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2134 protocol=tcp to-addresses=192.168.1.217 to-ports=2134
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=3388 protocol=tcp to-addresses=192.168.1.217 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2135 protocol=tcp to-addresses=192.168.1.217 to-ports=2135
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1041 protocol=tcp to-addresses=192.168.1.218 to-ports=1041
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1042 protocol=tcp to-addresses=192.168.1.218 to-ports=1042
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1043 protocol=tcp to-addresses=192.168.1.219 to-ports=1043
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1044 protocol=tcp to-addresses=192.168.1.219 to-ports=1044
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1045 protocol=tcp to-addresses=192.168.1.220 to-ports=1045
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1046 protocol=tcp to-addresses=192.168.1.220 to-ports=1046
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=2106 protocol=tcp to-addresses=192.168.1.95 to-ports=2106
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=7777 protocol=tcp to-addresses=192.168.1.95 to-ports=7777
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5901 protocol=tcp to-addresses=192.168.1.95 to-ports=5901
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=47323 protocol=tcp to-addresses=192.168.1.95 to-ports=47323
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=47323 protocol=udp to-addresses=192.168.1.95 to-ports=47323
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1037 protocol=tcp to-addresses=192.168.119.213 to-ports=1037
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=1038 protocol=tcp to-addresses=192.168.119.213 to-ports=1038
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=34567 protocol=tcp to-addresses=192.168.119.222 to-ports=34567
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=7012 protocol=tcp to-addresses=192.168.1.208 to-ports=7012
add action=dst-nat chain=dstnat disabled=no dst-address=10.0.0.58 dst-port=5000 protocol=udp to-addresses=192.168.1.95 to-ports=5000
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Fri Jul 08, 2011 12:36 am

Of course I avoided posting the 600 PPPoE interfaces in the last post xD

Diagram = http://200.51.46.51/diagram.txt

Like I said before, if I connect a laptop to 10.0.0.99, all the FTP connections work fine, so I don't think the problem is there.
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Sat Jul 09, 2011 12:11 am

Anyone? :(
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: pppoe clients cant access any internet ftp in passive mo

Sat Jul 09, 2011 12:16 am

I don't see anything wrong, other than the fact that you're NATing 192.168/16 space to 10/8 space back to 192.168/16 space after your provider already performed NAT.

Sorry.
 
warn1ng
just joined
Topic Author
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: pppoe clients cant access any internet ftp in passive mo

Sat Jul 09, 2011 1:51 am

Yes, I know that is not right, but I have had this network working for years just like that, and I don't know when passive FTP stopped working; I figured it out when I started getting calls from customers saying FTP doesn't work. I think the problem is in the MikroTik FTP helper; it is just not working.

Thanks a lot for your time, fewi.
