KRuK
just joined
Topic Author
Posts: 8
Joined: Mon Mar 06, 2023 7:50 pm

No access to FTP server through VPN tunnel

Tue Mar 07, 2023 3:40 pm

This is my first post on the forum so welcome to everyone :)

Router: MikroTik hAP ac2 (updated to latest version OS 7.8 Stable)

I have Bitvise SSH Server installed on my PC and everything works fine (access to the server from the LAN and from the Internet). A few days ago I set up a WireGuard server on MT and have access to the LAN and the Internet through a VPN tunnel. I use my phone to access the server. The problem occurs when I want to access the SSH server via WireGuard. The same problem occurs when I try to access it via OpenVPN and L2TP.

What is strange is that via WireGuard or other VPNs I have access to the server through the SFTP protocol, while through the FTP protocol I have no access.

I think the problem is related to the operation of the passive port 20020. Sometimes when you try to connect to the server via FTP, it shows the contents of the folder, but when you try to refresh the view, everything disappears and the message "Loading error! Check your network connection" appears. I don't know what the problem is and I'm out of ideas. Can you guys look at my configuration, maybe you can help me. Is there something in my configuration that could be causing the problem? Maybe something is missing?

I configured the MT Router based on various tutorials on the Internet, so my knowledge of how the network works is not great.
# mar/07/2023 11:24:06 by RouterOS 7.8
# software id = 46XI-U957
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxx
/interface bridge
add comment="Home Network" name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=poland \
    disabled=no frequency=2427 installation=indoor mode=ap-bridge rate-set=\
    configured ssid=Maki_52 station-roaming=enabled supported-rates-b="" \
    tx-power-mode=all-rates-fixed wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-Ceee country=poland disabled=no frequency=auto installation=\
    indoor mode=ap-bridge ssid=Maki_52_5G station-roaming=enabled \
    tx-power-mode=all-rates-fixed wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
add parent=usb1 partition-number=1 partition-offset="1 048 576" \
    partition-size="61 504 225 280" type=partition
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add comment="Serwer DHCP" name=dhcp_pool ranges=172.16.0.100-172.16.0.254
add comment=L2TP name=l2tp_pool ranges=10.0.1.2-10.0.1.5
add comment=OpenVPN name=openvpn_pool ranges=10.0.0.2-10.0.0.5
/ip dhcp-server
add address-pool=dhcp_pool interface=bridge1 lease-time=1h name=dhcp1
/ppp profile
add change-tcp-mss=yes comment=L2TP local-address=10.0.1.1 name=l2tp \
    remote-address=l2tp_pool use-encryption=yes
add comment=OpenVPN dns-server=62.179.1.62,8.8.8.8 local-address=10.0.0.1 \
    name=openvpn remote-address=openvpn_pool use-encryption=required
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
add name=logowanie target=memory
add name=l2tp target=memory
add disk-file-name=disk1/ovpn disk-stop-on-full=yes name=usbovpn target=disk
add disk-file-name=disk1/l2tp name=usbl2tp target=disk
add disk-file-name=disk1/logowanie disk-stop-on-full=yes name=usblogowanie \
    target=disk
add memory-stop-on-full=yes name=ovpn target=memory
add name=Blocked target=memory
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=wlan1
add bridge=bridge1 ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile=l2tp enabled=yes use-ipsec=required
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256-cbc default-profile=openvpn \
    enabled=yes require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard1 public-key=\
    "nNSNTQF61O1IrtyuUtLCS0is+F9BAM6mhmBBEoZ4Cg="
/ip address
add address=172.16.0.1/24 interface=bridge1 network=172.16.0.0
add address=10.10.0.1/29 comment=WireGuard interface=wireguard1 network=\
    10.10.0.0
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
/ip firewall address-list
add address=test001.ddns.net list=domena
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Accept all LAN traffic" in-interface=\
    bridge1
add action=accept chain=input comment=\
    "Accept LAN access via VPN (L2TP and OpenVPN)" in-interface=all-ppp \
    src-address=10.0.0.0/23
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
    "Accept all LAN traffic for WireGuard connections" in-interface=\
    wireguard1
add action=accept chain=input comment=\
    "Accept established and related connections" connection-state=\
    established,related
add action=drop chain=input comment="Block hosts that scan ports" \
    in-interface=ether1 log=yes log-prefix="BLOCKED SCANER" src-address-list=\
    port_scanners
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=23h59m59s chain=input comment=\
    "Port scanning detection" in-interface=ether1 log=yes log-prefix=\
    "ADDED SCANER" protocol=tcp psd=21,5s,3,1
add action=add-src-to-address-list address-list=knock_1 address-list-timeout=\
    30s chain=input comment="Port Knocking" dst-port=3311 in-interface=ether1 \
    protocol=tcp
add action=add-src-to-address-list address-list=knock_2 address-list-timeout=\
    30s chain=input dst-port=1289 in-interface=ether1 protocol=tcp \
    src-address-list=knock_1
add action=add-src-to-address-list address-list=TRUSTED_LIST \
    address-list-timeout=1h chain=input dst-port=2328 in-interface=ether1 \
    protocol=tcp src-address-list=knock_2
add action=accept chain=input comment="Accept connections on selected ports, i\
    f the address is on the list: TRUSTED_LIST (FTP; Webfig)" dst-port=\
    2321,4433 protocol=tcp src-address-list=TRUSTED_LIST
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 protocol=\
    udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Accept WinBox" dst-port=8451 protocol=\
    tcp
add action=drop chain=input comment="Block everything other"
/ip firewall nat
add action=masquerade chain=srcnat comment=Maskarada out-interface=ether1
add action=masquerade chain=srcnat comment="Maskarada Hairpin NAT" \
    dst-address=!172.16.0.1 src-address=172.16.0.0/24
add action=dst-nat chain=dstnat comment="Bitvise SSH Server - SSH" \
    dst-address=!172.16.0.1 dst-address-type=local dst-port=2271 protocol=tcp \
    src-address-list="" to-addresses=172.16.0.10 to-ports=2271
add action=dst-nat chain=dstnat comment="Bitvise SSH Server - FTP" \
    dst-address=!172.16.0.1 dst-address-type=local dst-port=2171 protocol=tcp \
    to-addresses=172.16.0.10 to-ports=2171
add action=dst-nat chain=dstnat comment="Bitvise SSH Server - Passive Port" \
    dst-port=20020 protocol=tcp to-addresses=172.16.0.10 to-ports=20020
add action=dst-nat chain=dstnat comment="foobar2000 - Beefweb Remote Control" \
    dst-address=!172.16.0.1 dst-address-type=local dst-port=8880 protocol=tcp \
    to-addresses=172.16.0.10 to-ports=8880
add action=dst-nat chain=dstnat comment="Wake on LAN" dst-port=9 protocol=udp \
    to-addresses=172.16.0.10 to-ports=9
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No access to FTP server through VPN tunnel

Tue Mar 07, 2023 11:26 pm

Can you provide a diagram as well,
 
KRuK
just joined
Topic Author
Posts: 8
Joined: Mon Mar 06, 2023 7:50 pm

Re: No access to FTP server through VPN tunnel

Wed Mar 08, 2023 9:01 am

Can you provide a diagram as well,

Of course, no problem, but I have no idea how to do it. I have never used such a tool, nor do I know how to run it or set it up. I found something like this in the wiki but it doesn't tell me anything :(
https://wiki.mikrotik.com/wiki/Manual:P ... w#Diagrams
 
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: No access to FTP server through VPN tunnel

Wed Mar 08, 2023 12:17 pm

FTP establishes a new data connection for every single transfer (download, upload, even directory listing). Just one port isn't much to work with. I can't say that it clearly couldn't work, it depends on how the server handles it, but it can't hurt to try to configure at least some small range of passive ports (ten or so at least).
 
KRuK
just joined
Topic Author
Posts: 8
Joined: Mon Mar 06, 2023 7:50 pm

Re: No access to FTP server through VPN tunnel

Wed Mar 08, 2023 12:56 pm

FTP establishes a new data connection for every single transfer (download, upload, even directory listing). Just one port isn't much to work with. I can't say that it clearly couldn't work, it depends on how the server handles it, but it can't hurt to try to configure at least some small range of passive ports (ten or so at least).

In the server settings there is no option to enter a range for passive ports. Only one port can be specified. But since it works with a normal connection (without VPN) this is probably not where the problem is.

Image
 
KRuK
just joined
Topic Author
Posts: 8
Joined: Mon Mar 06, 2023 7:50 pm

Re: No access to FTP server through VPN tunnel

Wed Mar 08, 2023 4:49 pm

Can you provide a diagram as well,

This diagram of mine looks bad, but in my case everything is very simple, Router, 1 PC, 1 Smartphone, that's it. There are also a few devices connected via Wi-Fi (TV, Air Conditioning) but they are unimportant, it seems to me.

Image
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No access to FTP server through VPN tunnel

Thu Mar 09, 2023 2:44 am

What is with the knocking if you have WireGuard connectivity?? What is its purpose.
Also what is this.
add action=accept chain=input comment="Accept connections on selected ports, i\
f the address is on the list: TRUSTED_LIST (FTP; Webfig)" dst-port=\
2321,4433 protocol=tcp src-address-list=TRUSTED_LIST


And worse.
add action=accept chain=input comment="Accept WinBox" dst-port=8451 protocol=\
tcp


Are you telling me you allow access to winbox directly without VPN??

Your config is a study in self-defeating polar opposites, marrying a paranoid config while at the same time leaving all the doors open; it's rather amusing.

And that's just the input chain, no forward chain rules... why even bother.

I would not be surprised if the strange srcnat and dstnat rules also hampered plans...
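The two rules anav quotes (an input-chain accept for WinBox with no source restriction, and no filtering rules at all in the forward chain) are the kind of thing that is easy to miss in a long export but easy to check mechanically. The following is an added example, not code from the thread or from MikroTik: a small Python audit that joins the backslash-continued lines of a RouterOS export, parses the rules under `/ip firewall filter`, and reports input-chain accept rules that nothing limits to a LAN interface, a source address or an existing connection, plus a forward chain that contains nothing but the fasttrack rule. The SAMPLE_EXPORT below is a constructed, shortened rule set in the same shape as the export above; the heuristics (which parameters count as a source restriction) are this example's own assumptions.

```python
"""Audit a RouterOS '/ip firewall filter' export for input-chain accept rules that
carry no source restriction and for a forward chain without filtering rules."""
import re
import shlex

# Constructed sample in the shape of a RouterOS 7 export; a shortened, hypothetical
# rule set, not a real router's configuration.
SAMPLE_EXPORT = r"""/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Accept all LAN traffic" in-interface=\
    bridge1
add action=accept chain=input comment=\
    "Accept established and related connections" connection-state=\
    established,related
add action=accept chain=input comment="Accept connections on selected ports, i\
    f the address is on the list: TRUSTED_LIST (FTP; Webfig)" dst-port=\
    2321,4433 protocol=tcp src-address-list=TRUSTED_LIST
add action=accept chain=input comment="Accept WinBox" dst-port=8451 protocol=\
    tcp
add action=drop chain=input comment="Block everything other"
"""

# Parameters that tie an input rule to where a packet came from (assumption of this
# example: any one of them is taken as "not reachable from everywhere").
SOURCE_RESTRICTIONS = ("in-interface", "in-interface-list", "src-address", "src-address-list")


def parse_export(text: str) -> list[dict]:
    """Join continuation lines (a trailing backslash plus the indented next line, even
    inside a quoted comment), then turn each 'add ...' line under /ip firewall filter
    into a dict of key=value parameters."""
    joined = re.sub(r"\\\n[ \t]*", "", text)
    rules, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a menu path such as "/ip firewall filter"
            section = line
            continue
        if section != "/ip firewall filter":
            continue
        tokens = shlex.split(line)        # strips the quotes around comments
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(rules: list[dict]) -> list[str]:
    """Return human-readable findings, in rule order, then the forward-chain finding."""
    findings = []
    for i, r in enumerate(rules):
        if r.get("chain") != "input" or r.get("action") != "accept":
            continue
        if any(k in r for k in SOURCE_RESTRICTIONS):
            continue
        states = set(r.get("connection-state", "").split(",")) - {""}
        if states and states <= {"established", "related"}:
            continue                      # only lets already-accepted connections continue
        proto = r.get("protocol", "any")
        ports = r.get("dst-port", "any")
        findings.append(
            f"rule {i}: input accept for {proto}/{ports} "
            f"({r.get('comment', 'no comment')!r}) has no source restriction, "
            f"so the service is reachable from every interface, the WAN included"
        )
    filtering = [r for r in rules
                 if r.get("chain") == "forward" and r.get("action") != "fasttrack-connection"]
    if not filtering:
        findings.append("forward chain has no filtering rules: with the default accept "
                        "policy, routed and dst-nat'ed traffic between WAN, LAN and VPN "
                        "networks is never filtered")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Running it on the sample prints exactly two findings: the WinBox rule (tcp/8451 with no source restriction) and the empty forward chain. Rules that are limited by `in-interface`, by `src-address-list` or to established/related connections pass. Pointing it at a full `/export` output works the same way, since only the `/ip firewall filter` section is read.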
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: No access to FTP server through VPN tunnel

Thu Mar 09, 2023 3:41 am

That would be the first FTP server I ever saw with support for only a single passive port (did you try to enter a range like 20020-20030?). It's not impossible, but it would limit some features, e.g. transfers between different servers (FXP) would be problematic. But simple client-server should work. And if it does without VPN, then it shouldn't be the problem. But I don't see anything else. Whatever you're connecting to, be it 172.16.0.10 or some address on the router, it should work. The firewall is not stopping it, because you don't have anything in the forward chain. If you're connecting to 172.16.0.10, then dstnat for port 20020 interferes, but it forwards the connection to the same 172.16.0.10, so that's not a problem either.
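Sob's two posts above rest on one property of passive-mode FTP: every transfer, a directory listing included, is a fresh TCP connection from the client to a port the server announces in its `227` reply, so the server needs one free port per transfer that is in flight at the same time. The following is an added example, not code from the thread or from Bitvise: a Python model of that exchange with a `227` parser, a server-side passive-port allocator, and a replay of a constructed client script (a listing refreshed while a download is still running) once with the single port 20020 and once with the range 20020-20030 that Sob suggests. The script, the server address 172.16.0.10 and the allocator's behaviour are this example's assumptions; it does not model the TLS session resumption that Bitvise's support describes later in the thread.

```python
"""What FTP passive mode asks of a NAT or firewall: one reachable data port per
in-flight transfer, announced by the server in a 227 reply."""
import re
from dataclasses import dataclass, field

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; reject malformed or out-of-range values."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"value above 255 in reply: {reply!r}")
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def format_pasv(host: str, port: int) -> str:
    """Build the 227 reply a server sends for its address and a chosen data port."""
    return f"227 Entering Passive Mode ({host.replace('.', ',')},{port // 256},{port % 256})"


@dataclass
class PassivePool:
    """Server-side allocator: each open transfer holds one port from the configured range."""
    ports: range
    in_use: set = field(default_factory=set)

    def acquire(self) -> int:
        for p in self.ports:
            if p not in self.in_use:
                self.in_use.add(p)
                return p
        raise RuntimeError(f"no free passive port in {self.ports.start}-{self.ports.stop - 1}")

    def release(self, port: int) -> None:
        self.in_use.discard(port)


def run_session(server_ip: str, pool: PassivePool, script):
    """Replay a client script against the pool. ('start', name) is a new transfer
    (LIST, RETR, STOR) needing its own data connection; ('end', name) closes it.
    Returns one (name, 227 reply or None) per start, stopping at the first transfer
    the server could not give a port to."""
    events, active = [], {}
    for step, name in script:
        if step == "end":
            pool.release(active.pop(name))
            continue
        try:
            port = pool.acquire()
        except RuntimeError:
            events.append((name, None))
            break
        active[name] = port
        events.append((name, format_pasv(server_ip, port)))
    return events


def data_ports_needed(events) -> set[int]:
    """The data ports the client had to reach: what a firewall or dst-nat rule in
    front of the server must allow through."""
    return {parse_pasv(reply)[1] for _, reply in events if reply}


# Constructed client script: a listing is refreshed while a download is still running.
SCRIPT = [("start", "LIST"), ("start", "RETR file.bin"), ("end", "LIST"), ("start", "LIST refresh")]

if __name__ == "__main__":
    single = run_session("172.16.0.10", PassivePool(range(20020, 20021)), SCRIPT)
    ranged = run_session("172.16.0.10", PassivePool(range(20020, 20031)), SCRIPT)
    for label, events in (("single port 20020", single), ("range 20020-20030", ranged)):
        print(label)
        for name, reply in events:
            print(f"  {name}: {reply or 'server has no free data port'}")
    print("ports the firewall must pass:", sorted(data_ports_needed(ranged)))
```

With the single port, the second overlapping transfer cannot be given a data port at all; with the range, the refresh simply reuses 20020 once the first listing has closed, and the firewall only has to pass the ports that were actually handed out. The same `parse_pasv` check, run against a real `227` reply, also shows whether the address a server advertises is one the client can reach from its side of the tunnel.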
 
KRuK
just joined
Topic Author
Posts: 8
Joined: Mon Mar 06, 2023 7:50 pm

Re: No access to FTP server through VPN tunnel

Thu Mar 09, 2023 12:40 pm

What is with the knocking if you have WireGuard connectivity?? What is its purpose.
Also what is this.
add action=accept chain=input comment="Accept connections on selected ports, i\
f the address is on the list: TRUSTED_LIST (FTP; Webfig)" dst-port=\
2321,4433 protocol=tcp src-address-list=TRUSTED_LIST


And worse.
add action=accept chain=input comment="Accept WinBox" dst-port=8451 protocol=\
tcp


Are you telling me you allow access to winbox directly without VPN??

Your config is a study in self-defeating polar opposites, marrying a paranoid config while at the same time leaving all the doors open; it's rather amusing.

And that's just the input chain, no forward chain rules... why even bother.

I would not be surprised if the strange srcnat and dstnat rules also hampered plans...

The option with port knocking was my testing; it referred to access to the router via a browser, and the second port was the built-in FTP server. Of course, I agree that what is not used should not be on the list, and in addition you should be enabled :( Currently and always, I access the router ONLY from my home PC. I am just learning, I know I make mistakes; I assure you I will take your advice to heart.

That would be the first FTP server I ever saw with support for only a single passive port (did you try to enter a range like 20020-20030?). It's not impossible, but it would limit some features, e.g. transfers between different servers (FXP) would be problematic. But simple client-server should work. And if it does without VPN, then it shouldn't be the problem. But I don't see anything else. Whatever you're connecting to, be it 172.16.0.10 or some address on the router, it should work. The firewall is not stopping it, because you don't have anything in the forward chain. If you're connecting to 172.16.0.10, then dstnat for port 20020 interferes, but it forwards the connection to the same 172.16.0.10, so that's not a problem either.

Unfortunately this server does not allow you to enter a range for passive ports. I remember writing to support about this and this is what they wrote back to me.

I asked this question
I have a question about the FTP protocol supported by the Bitvise SSH Server. Currently it is only possible to define one passive port. Is there, or could there be, an option to set a range of passive ports for an FTP connection? By setting a port range of e.g. 5000-5100, the server could allocate a passive port randomly (from the selected range), which would directly increase the transfer and security, I think so.
This was the response from the support
The SSH Server requires the data connection to use TLS session resumption to associate the data connection with the control connection.

This is a secure mechanism. The port range is an incredibly insecure mechanism, in comparison.

This is what the tip looks like in the server settings

Image
