 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

2 mikrotik routers and FTPs behind one of them

Tue Oct 25, 2022 9:00 pm

Ok,

here is a diagram of my network.
Image

I have 2 networks. Network 1 has the computers, servers and 2 FTPs. One FTP is FileZilla, one is an Asus router with external HD and has FTP enabled (the best 20€ I have ever spent! Simple solution and highly effective and useful!). Network 2 has 1 computer that runs 2 virtual computers.

Problem 1:
Mikrotik 1 has NAT port forwarding from port 21 to port 21 for FTP 1 and NAT port forwarding from port 333 to port 21 for FTP 2. This way FTP 1 and 2 are accessible from the internet. The problem is NAT port forwarding for FTP 1, because I can't connect to my outside FTP 3, which also runs on port 21! I switched NAT port forwarding from 21 to 334. This way I can access my FTP 3 and both FTPs are accessible from the internet. I have also entered this:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
Also make sure that you allow packets with connection-state=related. It's usually part of first standard rule.
Problem solved! Do I really need this firewall filter?

Problem 2:
I don't even know how to explain this, but every computer behind Mikrotik 2, so the network 2, which has its own external IP, can't connect to FTP 1 or FTP 2 in network 1. It can connect to FTP 3 (FTP outside). Or let me correct myself. It can connect, but after a period of time, I get error 10054. After the connection, it starts to fetch the directories and files of the root, but it never displays the results. The funny part is that sometimes it does work and I can browse the FTP ... 1 out of 10 times maybe ... I have cobianbackup here that can upload to FTP. The test sometimes goes through and sometimes it returns the error 10054. I also have a freesqlbackup program that also transfers files to the FTP. The test connection to the FTP works, but when the actual upload starts, it stops working ...

I entered into the Mikrotik 2 NAT port forwarding for ports 333 and 334 and added the external IP, also added the same filter ... Nothing works because I don't know what I am doing! I am guessing the problem is with Mikrotik 1 and I don't need to do anything on Mikrotik 2 since it can connect to FTP 3 without any issues ... Or am I wrong? Do I need NAT and filters? Or just NAT? Please help me out.

Thank you.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Tue Oct 25, 2022 9:21 pm

Thumbs up for image. But without showing your config, it's a guessing game, and not a good one. Guess for problem 1 is wrong dstnat rule that doesn't specify destination address in any way. Guess for problem 2 is some other wrong config, but depending on how "creative" you are, it could be so many things...

If you want to increase your chances, do:
/export hide-sensitive file=myconfig
And post content of myconfig.rsc in code tags. You can mask things like public address if you want, but don't overdo it.
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Wed Oct 26, 2022 9:03 am

Here are both Mikrotik settings. Let me know if I need to post anything else. Like I said, I basically copied NATs from the old router and entered them into the NAT section. And I added 1 filter rule since that is what I found on forums here.

Mikrotik1 (network 1)

# oct/26/2022 07:01:57 by RouterOS 6.47.4
# software id = 4CX8-IGPJ
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.0.200-192.168.0.250
add name=vpn ranges=192.168.0.230-192.168.0.249
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.0.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=xxx.xxx.xx.xxx/16 interface=ether1 network=xxx.xxx.x.x
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=forward comment="FTP TEST" connection-nat-state=\
    dstnat connection-state=related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.0.0/24
add action=dst-nat chain=dstnat comment="Test1" dst-port=\
    1352 protocol=tcp to-addresses=192.168.0.20 to-ports=1352
add action=dst-nat chain=dstnat comment=Test2 dst-port=5960 \
    protocol=tcp to-addresses=192.168.0.25 to-ports=5960
add action=dst-nat chain=dstnat comment=Test3 dst-port=8642 \
    protocol=tcp to-addresses=192.168.0.20 to-ports=8642
add action=dst-nat chain=dstnat comment=Test4 dst-port=8080 \
    protocol=tcp to-addresses=192.168.0.20 to-ports=8080
add action=dst-nat chain=dstnat comment=Test5 dst-port=22226 \
    protocol=tcp to-addresses=192.168.0.25 to-ports=80
add action=dst-nat chain=dstnat comment="FTP1" dst-port=334 \
    protocol=tcp to-addresses=192.168.0.25 to-ports=21
add action=dst-nat chain=dstnat comment="FTP2" \
    dst-port=333 protocol=tcp to-addresses=192.168.0.14 to-ports=21
add action=dst-nat chain=dstnat comment="Test6" dst-port=\
    2988 protocol=tcp to-addresses=192.168.0.25 to-ports=80
add action=dst-nat chain=dstnat comment="Test7" dst-port=\
    444 protocol=tcp to-addresses=192.168.0.100 to-ports=444
add action=dst-nat chain=dstnat comment="Test8" \
    dst-port=555 protocol=tcp to-addresses=192.168.0.14 to-ports=555
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add distance=1 gateway=xxx.xxx.x.x
/ppp secret
add disabled=yes name=vpn service=pptp
/system clock
set time-zone-name=Europe
/system identity
set name="MikroTik"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Mikrotik2 (network 2)

# oct/26/2022 07:03:25 by RouterOS 6.47.9
# software id = 9KU1-K83K
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
add name=vpn ranges=192.168.10.50-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.10.1/24 comment=defconf interface=ether2 network=\
    192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=forward comment="FTP TEST" connection-nat-state=\
    dstnat connection-state=related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.10.0/24
add action=dst-nat chain=dstnat comment="Test 1" \
    dst-port=1234 protocol=tcp to-addresses=192.168.10.4 to-ports=1234
[b][i]add action=dst-nat chain=dstnat comment="FTP 1" dst-port=334 protocol=tcp \
    to-addresses='myexternalIP of network1' to-ports=334
add action=dst-nat chain=dstnat comment="FTP 2" dst-port=333 protocol=tcp \
    to-addresses='myexternalIP of network1' to-ports=333[/i][/b]
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe
/system identity
set name="MikroTik"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Do I really need the NATs in bold and italic in Mikrotik2?

Thank you.
Last edited by BartoszP on Wed Oct 26, 2022 3:27 pm, edited 1 time in total.
Reason: Use proper tags .. quotes for quoting, code for code
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Wed Oct 26, 2022 3:17 pm

As expected, your dstnat rules are incomplete. If you have:
/ip firewall nat
add action=dst-nat chain=dstnat comment="FTP1" dst-port=334 protocol=tcp to-addresses=192.168.0.25 to-ports=21
then only two conditions are protocol and port. It will take incoming connections to your server, outgoing connections to remote servers, everything, because it will all match. With non-standard port 334 it's less noticeable, but it's still possibly a problem. With standard port 21, well, you discovered that yourself.

You need to add another condition, to limit it only to your address. It can be either dst-address=<your public address> (if you have static public address on this router; I'm not sure what you have, I see both some static address and DHCP client on ether1) or dst-address-type=local (matches any address on router, which may still be too broad, but usually it's good enough). You want to do this for all your current dstnat rules.

About unneeded things, that would be this on both routers:
/ip firewall filter
add action=accept chain=forward comment="FTP TEST" connection-nat-state=dstnat connection-state=related
And the two bold rules on router 2 are completely useless too.

As for why servers in network 1 don't work from network 2, I'm not sure. They should. Make sure that clients use passive mode, but that's probably not it, because it should be default. Try to return one server to port 21 and check if it helps. I assume you have just plain FTP without encryption, right? Otherwise it would be unlikely to work at all.
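
The effect described in this reply can be reproduced offline. The following is an added example, not part of the original post and not MikroTik code: it parses the `/ip firewall nat` section of an export and models, in simplified form, which dstnat rules would also capture a LAN client's outgoing connection to a remote server. The function names, the sample export and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import shlex

def parse_nat_rules(export_text):
    """Return the 'add' entries under /ip firewall nat as dicts of matcher -> value."""
    lines, pending = [], ""
    for raw in export_text.splitlines():
        # An export wraps long lines with a trailing backslash, sometimes mid-value.
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    rules, menu = [], None
    for line in lines:
        if line.startswith("/"):
            menu = line                      # remember which menu the 'add' lines belong to
        elif menu == "/ip firewall nat" and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules

def dstnat_matches(rule, dst_ip, dst_port, proto, router_ips):
    """Simplified model: only the matchers discussed in the thread, single ports only."""
    if rule.get("chain") != "dstnat" or rule.get("protocol", proto) != proto:
        return False
    if "dst-port" in rule and int(rule["dst-port"]) != dst_port:
        return False
    if "dst-address" in rule:
        net = ipaddress.ip_network(rule["dst-address"], strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    if rule.get("dst-address-type") == "local" and dst_ip not in router_ips:
        return False
    return True

def captured_outbound(rules, router_ips, remote_ip):
    """Comments of dstnat rules that would also redirect a connection to remote_ip."""
    hits = []
    for rule in rules:
        port = int(rule.get("dst-port", 0))
        if dstnat_matches(rule, remote_ip, port, rule.get("protocol", "tcp"), router_ips):
            hits.append(rule.get("comment", "(no comment)"))
    return hits

# Constructed sample modelled on the export in this thread; addresses are placeholders.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=forward comment="FTP TEST" connection-nat-state=\
    dstnat connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="FTP1 unscoped" dst-port=\
    21 protocol=tcp to-addresses=192.168.0.25 to-ports=21
add action=dst-nat chain=dstnat comment="FTP2 scoped" dst-address=203.0.113.10 \
    dst-port=333 protocol=tcp to-addresses=192.168.0.14 to-ports=21
add action=dst-nat chain=dstnat comment="Test5 local" dst-address-type=local \
    dst-port=22226 protocol=tcp to-addresses=192.168.0.25 to-ports=80
'''

if __name__ == "__main__":
    nat = parse_nat_rules(SAMPLE_EXPORT)
    # A LAN client connecting to an outside FTP server at 198.51.100.7:
    print(captured_outbound(nat, {"203.0.113.10"}, "198.51.100.7"))
```
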
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Wed Oct 26, 2022 3:56 pm

Thank you for the info!

I will have a look later on and report back. As I suspected about the bold italic text in Mikrotik 2. I will remove it.

It's bugging me, because clients can connect. The only problem I have is connecting from Mikrotik 2. And like I said, sometimes it works, but most of the times, it doesn't.

Thank you again.
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Thu Oct 27, 2022 8:36 am

Did you mean I need to modify the two "ftp" NATs like this:
add action=dst-nat chain=dstnat comment="FTP1" dst-address=\
xxx.xxx.xx.xxx dst-port=334 protocol=tcp to-addresses=192.168.0.25 \
to-ports=21
add action=dst-nat chain=dstnat comment="FTP2" \
dst-address=xxx.xxx.xx.xxx dst-port=333 protocol=tcp to-addresses=\
192.168.0.14 to-ports=21
and yes xxx.xxx.xx.xxx is a static address.

I have also removed on Mikrotik2 the bold/italic lines and removed the filter rule on both Mikrotiks. Still no success on connecting to FTP1 or FTP2 from network behind Mikrotik2. I tested on clients and it does work. But the Mikrotik2 to Mikrotik1 is causing me headaches.

Let me correct myself ... I can connect to FTP1 and FTP2 from network2! But when the command is sent to fetch the directories and files, it gets disconnected and the connection is lost!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Thu Oct 27, 2022 5:13 pm

Yes, that's what I meant. Find a log on client and check what command is used before getting directory listing. Is it PASV or PORT? Should be PASV. If not, try to find some option to change it (look for "passive mode").
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Thu Oct 27, 2022 7:00 pm

On the client I do have "passive mode" in the settings for the connection. It's funny. Because it works and it doesn't at the same time. And the only difference is that my clients don't have a Mikrotik router. I have a spare Mikrotik at my office. Will take it home tomorrow and set it up just to test Mikrotik to Mikrotik connection. If it's going to work, then the problem must be on my ISP modem ... Since both Mikrotiks are connected to the same one.

Will let you know tomorrow.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Thu Oct 27, 2022 8:35 pm

Better find what you have in logs, exact commands. It can still use the other if first one fails. There could be also some useful message. You want to see PASV command followed by response "227 Entering Passive Mode (a,a,a,a,p,p)", where a.a.a.a is public address of Mikrotik1 (p is port split in half, but it's dynamic, so not of much use). It should be right before listing command, either LIST or MLSD (response to that might contain some useful info too).
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Fri Oct 28, 2022 7:20 am

Here is the log file from filezilla:
(000016)28.10.2022 6:15:07 - (not logged in) (XXX.XXX.XX.XXX)> Connected, sending welcome message...
(000016)28.10.2022 6:15:07 - (not logged in) (XXX.XXX.XX.XXX)> 220-FileZilla Server version 0.9.41 beta
(000016)28.10.2022 6:15:07 - (not logged in) (XXX.XXX.XX.XXX)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000016)28.10.2022 6:15:07 - (not logged in) (XXX.XXX.XX.XXX)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000016)28.10.2022 6:15:07 - (not logged in) (XXX.XXX.XX.XXX)> USER user123
(000016)28.10.2022 6:15:07 - (not logged in) (XXX.XXX.XX.XXX)> 331 Password required for user123
(000016)28.10.2022 6:15:10 - (not logged in) (XXX.XXX.XX.XXX)> PASS ********
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 230 Logged on
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> SYST
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 215 UNIX emulated by FileZilla
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> FEAT
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 211-Features:
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> MDTM
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> REST STREAM
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> SIZE
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> MLST type*;size*;modify*;
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> MLSD
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> UTF8
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> CLNT
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> MFMT
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 211 End
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> CLNT Total Commander (UTF-8)
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 200 Don't care
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> OPTS UTF8 ON
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 200 UTF8 mode enabled
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> PWD
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 257 "/" is current directory.
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> TYPE A
(000016)28.10.2022 6:15:10 - user123 (XXX.XXX.XX.XXX)> 200 Type set to A
(000016)28.10.2022 6:15:29 - user123 (XXX.XXX.XX.XXX)> disconnected.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Fri Oct 28, 2022 5:30 pm

That's weird, because after "200 Type set to A" should come either PASV or PORT, but here it looks as if client didn't send it at all. But knowing TC well enough, I'm sure it does. So the question is where it got lost.
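
The two checks discussed in the replies above (is the 227 reply advertising the public address, and did PASV or PORT arrive at all before the disconnect) can be run mechanically over a log in the format HEki posted. This is an added example, not part of the original posts: the function names, the sample sessions and the addresses are constructed, and it assumes the log holds a single session.

```python
import re
from datetime import datetime

# (session)DD.MM.YYYY H:MM:SS - user (client address)> message
LINE = re.compile(r"^\((\d+)\)(\S+ \S+) - (.*?) \(([^()]*)\)> (.*)$")
REPLY = re.compile(r"^(\d{3})([ -])")
PASV_227 = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_227(reply):
    """'227 Entering Passive Mode (a,a,a,a,p,p)' -> ('a.a.a.a', port), else None."""
    m = PASV_227.match(reply)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]  # port = high*256 + low

def analyse_session(log_text, expected_ip):
    """Summarise data-channel negotiation in one session of a server log."""
    out = {"data_cmd": None, "advertised": None, "address_ok": None,
           "last_command": None, "seconds_to_disconnect": None}
    open_reply = None      # code of a multi-line reply still in progress
    last_cmd_time = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(2), "%d.%m.%Y %H:%M:%S")
        msg = m.group(5)
        if msg == "disconnected.":
            if last_cmd_time:
                out["seconds_to_disconnect"] = int((when - last_cmd_time).total_seconds())
            break
        if msg.startswith("Connected,"):
            continue
        r = REPLY.match(msg)
        if open_reply:
            # Inside e.g. the FEAT list: "MLSD" here is a feature name, not a command.
            if r and r.group(1) == open_reply and r.group(2) == " ":
                open_reply = None
            continue
        if r:
            if r.group(2) == "-":
                open_reply = r.group(1)
            adv = decode_227(msg)
            if adv:
                # This is what the server sent; a NAT helper may rewrite it in transit.
                out["advertised"], out["address_ok"] = adv, adv[0] == expected_ip
            continue
        out["last_command"], last_cmd_time = msg.split(" ", 1)[0].upper(), when
        if out["last_command"] in ("PASV", "PORT"):
            out["data_cmd"] = out["last_command"]
    return out

# Constructed sessions; the first mirrors the shape of the log posted in the thread.
STALLED_SESSION = """\
(000016)28.10.2022 6:15:07 - (not logged in) (198.51.100.20)> Connected, sending welcome message...
(000016)28.10.2022 6:15:07 - (not logged in) (198.51.100.20)> 220 ready
(000016)28.10.2022 6:15:10 - user123 (198.51.100.20)> FEAT
(000016)28.10.2022 6:15:10 - user123 (198.51.100.20)> 211-Features:
(000016)28.10.2022 6:15:10 - user123 (198.51.100.20)> MLSD
(000016)28.10.2022 6:15:10 - user123 (198.51.100.20)> 211 End
(000016)28.10.2022 6:15:10 - user123 (198.51.100.20)> TYPE A
(000016)28.10.2022 6:15:10 - user123 (198.51.100.20)> 200 Type set to A
(000016)28.10.2022 6:15:29 - user123 (198.51.100.20)> disconnected.
"""
PASSIVE_SESSION = """\
(000017)28.10.2022 6:20:00 - user123 (198.51.100.20)> PASV
(000017)28.10.2022 6:20:00 - user123 (198.51.100.20)> 227 Entering Passive Mode (192,168,0,25,195,80)
(000017)28.10.2022 6:20:00 - user123 (198.51.100.20)> MLSD
(000017)28.10.2022 6:20:30 - user123 (198.51.100.20)> disconnected.
"""
```
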
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 mikrotik routers and FTPs behind one of them

Fri Oct 28, 2022 5:53 pm

Step 1 - Forget passive and use real FTP. (well secure FTP not plain FTP)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Sat Oct 29, 2022 12:19 am

There are two things. Either SFTP, which is completely different protocol (based on SSH), and there may be some reason why clients couldn't use it. Or FTPS, which is FTP with encryption, but it doesn't make things easier.
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Sat Oct 29, 2022 8:25 am

I must remind you ... If you look at the picture. Clients can connect and upload files. It's network 2 that can't connect to network 1 ... So the network 1 must be working OK. Otherwise clients from internet would not be able to connect. It's network 2 that is causing me headache. From that network the connection doesn't work. I will set up Mikrotik at home to see if I can connect from network 2 to my home FTP and from home to FTP 1 and FTP 2 in network 1.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Sat Oct 29, 2022 5:35 pm

But it's not your router's config (network 2), it has nothing that could influence it (even those two wrong dstnat rules you had there did essentially nothing when connecting to network 1). If something is blocking it, it would have to be something in ISP's network between your two networks (I don't know if it's just one router or if there's longer path). But I don't see why. Perhaps with standard port, something could be sticking its nose in it, but it's less likely for non-standard ones. And why would they even do it, and only for local traffic. It doesn't make sense.
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Sun Oct 30, 2022 6:29 am

... It doesn't make sense ...
Exactly what I am saying. It doesn't make sense at all why it's not working. I am 99,99% sure it's my ISP modem. The two Mikrotiks are both on 50cm cables and are practically together ...
Thank you for your time!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Sun Oct 30, 2022 6:32 pm

If you're ready to go a bit advanced, you can catch some packets and check if/how ISP's router interferes. Use Tools->Packet Sniffer on WAN interfaces, limit it to port 333 and save captured packets to file. Then get Wireshark and compare captures from both routers, if all packets from router 2 reached router 1 and if they are the same. You're really only interested about the end, before it breaks.
 
HEki
just joined
Topic Author
Posts: 14
Joined: Mon Mar 28, 2022 7:04 pm

Re: 2 mikrotik routers and FTPs behind one of them

Wed Nov 02, 2022 10:08 am

Hm,

I don't know why I didn't check this first ... The logs ... I guess it has something to do with the "passive" settings and ports.

ftp2_ dstnat: in:ether1 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), ExtIpOfNetwoork2:51682->ExtIpOfNetwoork1:333, len 52
It's trying every port from 51682 till 51970 at this moment and it's still going ...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: 2 mikrotik routers and FTPs behind one of them

Wed Nov 02, 2022 5:50 pm

This is (should be) the main connection to server on port 333. Port 51682 and others are random (not exactly but yes for this purpose) source ports.
