Hialeahjoe
just joined
Topic Author
Posts: 4
Joined: Fri Jun 22, 2018 5:29 pm

IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Fri Jun 22, 2018 5:42 pm

Good Morning,

I am hoping you all can assist with this very frustrating issue. I am attempting to set up an FTP server on our in-house server via FileZilla. In FileZilla's configuration I am using Listening Port = 21, and in passive mode I am using port range 980-990. I have already set up the Windows firewall rules to allow both incoming and outgoing communication through both these FTP ports. Worth mentioning here that I have another software system in place that uses an API that communicates through port 3691 TCP/UDP. I was able to successfully open this port up and our API works like a charm. When I try to replicate the process for our FTP server I cannot get the port open. Can anyone assist with clarifying the procedures for this? Here is the latest setup I did on the MikroTik (reading your forums and videos I've tried a few different setups):

1) Logged into the router and went to IP > Firewall > NAT tab at the top
2) I added a new NAT rule.
3) a- Chain = dstnat
   b- Protocol = (6) tcp
   c- In. Interface = ether1-gateway (I don't see an option for WAN, and I was not the original IT guy that set up the network. As far as I can tell in this crummy UI that MikroTik offers, the IT guy bridged the connections)
   d- Action = dst-nat
   e- To Address = 10.1.10.120
   f- To Ports = 980

Any thoughts would be immensely useful! thanks!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Fri Jun 22, 2018 8:00 pm

... this crummy UI that mikrotik offers, ...
Be careful with the words, sir! ;)

If your WAN is ether1-gateway (it probably is, unless you have PPPoE on top of that), then:

a) If you use plaintext FTP with no encryption, this should be enough:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.10.120
b) If you have encrypted FTP (with certificate), you need to forward all ports:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=21,980-990 in-interface=ether1-gateway protocol=tcp to-addresses=10.1.10.120
And you also have to configure FTP server to send correct public address in replies to PASV commands.

Other problem could be if you'd forward port(s) using dstnat, but didn't let them through firewall filter.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Fri Jun 22, 2018 8:49 pm

My issue is the age of the OS you are using.
Not sure which product you are using, but the latest is 6.42.4...
 
Hialeahjoe
just joined
Topic Author
Posts: 4
Joined: Fri Jun 22, 2018 5:29 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Fri Jun 22, 2018 9:21 pm

... this crummy UI that mikrotik offers, ...
Be careful with the words, sir! ;)
hehe sorry :) I actually like the robustness of the hardware, it's an amazing bang for your buck. I just feel the UI is lacking, that's all....

OK so here is where I am at in this conundrum:
I have plain FTP enabled in FileZilla, with port 21 for listening, and I set up passive mode as well via port range 980-985 (I definitely did put the right WAN IP in the passive mode settings). Based on your explanation, I don't have to set up the NAT for my range of ports for passive mode unless I am using encrypted FTP? I was under the impression that I would have to forward all of them.

On another note, you mentioned IP filters. I was toying with them today based on a blog post I had read on here with a similar issue, but it did almost nothing to solve my problem. I have just reconfigured it again to see if I had any luck, and nothing. Could you verify that this is correctly done for IP filters? I don't know how to get the settings in the syntax that you all use on this blog, so forgive me for this spread-out explanation of how I set up the IP filter:
Chain = Forward
Dst. Address = 10.1.10.120
Protocol = 6 (tcp)
Dst. Port = 980-985
In. Interface = ether1-gateway
connection NAT state= dstnat
Action = Accept

Is this correct?

thanks guys for all your help.
 
Hialeahjoe
just joined
Topic Author
Posts: 4
Joined: Fri Jun 22, 2018 5:29 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Fri Jun 22, 2018 9:25 pm

My issue is the age of the OS you are using.
Not sure which product you are using but the latest is, 6,42.4........
Agreed. Unfortunately I was just brought on as a contracted consultant for other stuff, and despite my efforts to give the IT here a wide berth I have come toe-to-toe with it. The original IT guy that set everything up has disappeared, and based on what I've seen so far it looks like he ran a sloppy operation. The router probably is one of the more updated systems in this office, it's kind of tragic. I have updated it already, and am just waiting for the end of the business day today to restart the network so I don't affect the daily workload.

Thanks man!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Fri Jun 22, 2018 10:00 pm

Do you use WinBox? I'm almost in love with that thing. Nice, powerful, intuitive, ... at least for me.

If you use plaintext FTP, the conntrack helper will snoop on the control connection (if it's on the standard port) for any PASV/PORT commands, mark data connections as "related" and change addresses if needed. So in that case, forwarding just port 21 is enough.

For filter, you can have universal rule to allow all dstnatted connections:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
Also make sure that you allow packets with connection-state=related. It's usually part of the first standard rule.

You can also do (in Terminal):
/export hide-sensitive
and post the config here. If you think that the config might be a mess, then who knows what might be wrong, and it's hard to guess, because RouterOS gives you plenty of ways to shoot yourself in the foot.
 
Hialeahjoe
just joined
Topic Author
Posts: 4
Joined: Fri Jun 22, 2018 5:29 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Fri Jun 22, 2018 10:17 pm

You the man! thanks Sob. It looks like the IP filter worked. It does beg the question why my API works without an IP filter but the FTP didn't, but I'll take a W where I can right now.

thanks again
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Sat Jun 23, 2018 4:58 am

Do you use WinBox? I'm almost in love with that thing. Nice, powerful, intuitive, ... at least for me.

If you use plaintext FTP, the conntrack helper will snoop on the control connection (if it's on the standard port) for any PASV/PORT commands, mark data connections as "related" and change addresses if needed. So in that case, forwarding just port 21 is enough.

For filter, you can have universal rule to allow all dstnatted connections:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
Also make sure that you allow packets with connection-state=related. It's usually part of the first standard rule.

You can also do (in Terminal):
/export hide-sensitive
and post the config here. If you think that the config might be a mess, then who knows what might be wrong, and it's hard to guess, because RouterOS gives you plenty of ways to shoot yourself in the foot.
Winbox Fantasies By SoB, coming soon to a bookstore near you!!!
"ten things you can do with a naughty terminal but would never tell your mother"


About the NRA dangers of RouterOS, its a surprise I have any toes left!!

Sob, do you mean use the FTP ALG in RouterOS and simply dstnat the standard FTP port? (I was wondering, as that is all I have had to do with any number of routers.)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Sat Jun 23, 2018 6:08 am

Well, I sure did create some naughty configs with WinBox. :)

And with FTP, if it's the old unencrypted one, the answer is yes. Dstnat port 21, don't forget to allow related connections and you're all set. Router will read all required info from control connection. Which also shows why you shouldn't use unencrypted FTP, because if router can read everything in control connections (including password, but router doesn't care about that), then anyone else on the way can do the same.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Sat Jun 23, 2018 7:43 am

For Passive Mode, you do have to forward the Passive Ports as well as the FTP Port.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Sat Jun 23, 2018 2:45 pm

You really don't, if there's no encryption. If I have:
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=reject chain=forward reject-with=icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat dst-address-type=local dst-port=21 protocol=tcp to-addresses=192.168.80.10
This is log from server:
[23.6.2018 13:37:05] [384] < PASV
[23.6.2018 13:37:05] [384] > 227 Entering Passive Mode (192,168,80,10,239,121)
[23.6.2018 13:37:05] [384] < MLSD
[23.6.2018 13:37:05] [384] > 150 Opening passive mode data connection for listing of "/DriveE".
[23.6.2018 13:37:05] [384] > 226 MLSD command successful.
And this is from client:
PASV
227 Entering Passive Mode (213,x,x,251,239,121)
MLSD
150 Opening passive mode data connection for listing of "/DriveE".
226 MLSD command successful.
The address is correctly changed to the public one and the connection succeeds, even though there are no other forwarded ports except tcp 21. But again, only without encryption. If there is encryption, then dstnat for the data ports and a correctly configured WAN address in the FTP server are required.
 
Saint
just joined
Posts: 5
Joined: Thu Mar 04, 2021 12:15 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Thu Mar 04, 2021 12:30 pm

Hello. I'm such a noob on this... could you please help me.
I have a telecom operator router/gateway, and after it I have a MikroTik hAP lite (with another network range, different from the operator range; it has a fixed IP given by the operator router). Connected to the MikroTik network I have a Seagate Central (network disk) with an FTP server, and I would like to connect to it from outside my home.
I have dynamic DNS activated on my operator router (no-ip), and I have activated DMZ to the MikroTik fixed IP.
Also I have opened outside port 10100 on the operator's router for the FTP access. On the MikroTik I have redirected port 10100 to the IP of my disk on port 21.
Inside my home I can reach FTP easily, no problem, but when I try to reach it from outside my home, I receive "server sent passive reply with unroutable address <fixed ip of mikrotik>, using host address instead. Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it. Could not retrieve directory listing" using the WinSCP FTP client and no encryption.

Is it possible to bypass this? Could you write IP filter rules so I can make this work (WinBox)?
I would be much grateful.
Regards
 
EIKA
just joined
Posts: 24
Joined: Thu Dec 28, 2017 7:29 pm
Location: Berlin, Germany

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Mon May 01, 2023 1:06 pm

Hi guys!

I want to set up a MikroTik on the client side. A client behind the MikroTik must be able to use FTP over TLS in active mode (TCP:21).
Encrypted passive mode works fine, as well as plain passive and plain active modes. The only problem is encrypted active mode.

From what I understand, the MikroTik FTP helper (Firewall - Service Ports - ftp) can't read what's inside the packets due to the encryption used, and cannot make connections based on info from PORT/PASV commands. So, the FTP client can initialize the TLS connection and start talking to the FTP server, but fails on the directory list command (timeout).

Here is client's log:
200 PROT command successful.
OPTS UTF8 ON
200 UTF8 OPTS ON
CWD /
250 CWD command successful. "/" is current directory.
Connect ok!
Get directory
TYPE A
200 Type set to A.
MODE Z
200 Mode Z ok.
PORT 10,0,0,43,212,201
200 Port command successful.
MLSD
PORT failed, try PASV mode!
PASV

And here is the log from the FTP server (the same connection as above; just the opposite side of the view):
02:54:30, 76, SRV.IP.ADDR.ES, , AUTH TLS
02:54:30, 76, SRV.IP.ADDR.ES, , 234 AUTH command ok; starting SSL connection.
02:54:30, 76, SRV.IP.ADDR.ES, , establishing encrypted session
02:54:30, 76, SRV.IP.ADDR.ES, , USER client-username
02:54:30, 76, SRV.IP.ADDR.ES, client-username, 331 Password required for client-username.
02:54:30, 76, SRV.IP.ADDR.ES, client-username, PASS ****
02:54:30, 76, SRV.IP.ADDR.ES, client-username, logged in as "client-username".
02:54:30, 76, SRV.IP.ADDR.ES, client-username, 230 User client-username logged
02:54:31, 76, SRV.IP.ADDR.ES, client-username, FEAT
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 211-Extensions supported:
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  AUTH TLS
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  CCC
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  CLNT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  CPSV
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  EPRT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  EPSV
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MDTM
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MFCT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MFMT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MLST type*;size*;create;modify*;
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  MODE Z
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  PASV
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  PBSZ
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  PROT
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  REST STREAM
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  SBUF
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  SIZE
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  SSCN
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  TVFS
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  UTF8
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  XCRC "filename" SP EP
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  XMD5 "filename" SP EP
02:54:31, 76, SRV.IP.ADDR.ES, client-username,  XSHA1 "filename" SP EP
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 211 End.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, PBSZ 0
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 PBSZ=0
02:54:31, 76, SRV.IP.ADDR.ES, client-username, PROT P
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 PROT command successful.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, OPTS UTF8 ON
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 UTF8 OPTS ON
02:54:31, 76, SRV.IP.ADDR.ES, client-username, CWD /
02:54:31, 76, SRV.IP.ADDR.ES, client-username, change directory "/" --> Access allowed.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 250 CWD command successful. "/" is current directory.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, TYPE A
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 Type set to A.
02:54:31, 76, SRV.IP.ADDR.ES, client-username, MODE Z
02:54:31, 76, SRV.IP.ADDR.ES, client-username, 200 Mode Z ok.
02:54:32, 76, SRV.IP.ADDR.ES, client-username, PORT 10,0,0,43,202,73
02:54:32, 76, SRV.IP.ADDR.ES, client-username, 200 Port command successful.
02:54:32, 76, SRV.IP.ADDR.ES, client-username, MLSD
02:54:53, 76, SRV.IP.ADDR.ES, client-username, 425 Cannot open data connection.
02:54:53, 76, SRV.IP.ADDR.ES, client-username, PASV
02:54:53, 76, SRV.IP.ADDR.ES, client-username, 227 Entering Passive Mode (SRV,IP,ADDR,ES,31,114)

Firewall settings are very basic now: just allowed related and established connections (both IN and FW chains). There are no drops temporarily. And two defconf rules, passthrough and fasttrack. That's all.

Please help me create a rule for the firewall that will allow this kind of connection.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Mon May 01, 2023 4:15 pm

Active FTP can only work if
  1. the firewall helper can read PORT commands to forward them between client and server ... so no TLS possible
  2. one configures a certain port range (e.g. 60000-60500) to be forwarded to the internal host (either client or server) and also instructs the client/server to only use those ports (how exactly depends on the particular client/server software). In this case TLS is possible.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Mon May 01, 2023 4:31 pm

Sounds like we need a SUPERHERO to the rescue.....
Cue trumpets, fanfare, cheering crowds as Normis the new Avenger rides into the thread announcing the Zerotrust Cloudflare tunnel options package for all devices.
Now all can reach servers without publishing public IPs, secure, fun, easy.
 
EIKA
just joined
Posts: 24
Joined: Thu Dec 28, 2017 7:29 pm
Location: Berlin, Germany

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Mon May 01, 2023 5:39 pm

firewall helper can read port commands to forward them between client and server ... so no TLS possible

Yes, I know it and totally agree.

one configures a certain port range (e.g. 60000-60500) to be forwarded to the internal host (either client or server) and also instructs the client/server to only use those ports (how exactly depends on the particular client/server software). In this case TLS is possible.

Could you please suggest a NAT or firewall rule for this? Imagine that the 8000-8000 port range is used.
 
EIKA
just joined
Posts: 24
Joined: Thu Dec 28, 2017 7:29 pm
Location: Berlin, Germany

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Wed May 03, 2023 2:20 am

I was able to create a NAT entry to make encrypted FTP working in Active mode:

/ip firewall nat
add action=dst-nat chain=dstnat in-interface=LAN1-WAN log=yes log-prefix=FTP-TSL_ protocol=tcp src-address=SER.VER.IP.ADDR src-port=20 to-addresses=10.0.0.43

But it will fail if more than one router user exists and uses the FTP server. All requests will be forwarded to the 10.0.0.43 LAN address. Is there a way to fix it? Of course, the callback connection must go to the right client IP address (to the client who initiated the connection).
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Wed May 03, 2023 5:23 pm

As I already mentioned: create a "normal" DST NAT rule for a range of ports (dst-ports=X-Y) and forward them to one internal client (you can make another DST NAT with a different port range for another client). The range doesn't have to be wide; I guess 10 or 20 ports should be enough for a typical workstation. Then configure the FTP client of your choice to use the forwarded port range (X-Y) for active FTP connections ... each FTP client is a bit specific in this regard, probably not all can be properly configured. Here's an example of how to do it for FileZilla: https://wiki.filezilla-project.org/Netw ... ctive_mode
 
EIKA
just joined
Posts: 24
Joined: Thu Dec 28, 2017 7:29 pm
Location: Berlin, Germany

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Wed May 03, 2023 9:16 pm

As I already mentioned: create a "normal" DST NAT rule for a range of ports (dst-ports=X-Y) and forward them to one internal client (you can make another DST NAT with a different port range for another client). The range doesn't have to be wide; I guess 10 or 20 ports should be enough for a typical workstation. Then configure the FTP client of your choice to use the forwarded port range (X-Y) for active FTP connections ... each FTP client is a bit specific in this regard, probably not all can be properly configured. Here's an example of how to do it for FileZilla: https://wiki.filezilla-project.org/Netw ... ctive_mode

Okay, let's say it all goes like this... But how do I make the rule valid only for one specified client? My rule works for any client, because it checks only the server address and port.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: IP Rules/ NAT Setup for FTP - RouterOS v6.30.1

Thu May 04, 2023 9:25 am

Normal DST NAT rule would look like this:
/ip firewall nat
add action=dst-nat chain=dstnat comment="active FTP for client1" dst-port=50000-50020 in-interface-list=WAN protocol=tcp to-addresses=<client1 LAN IP address>
add action=dst-nat chain=dstnat comment="active FTP for client2" dst-port=50100-50120 in-interface-list=WAN protocol=tcp to-addresses=<client2 LAN IP address>
So on client1 (whatever the LAN IP address is) you have to instruct the FTP client software to only use ports 50000-50020 for the data connection. And similarly ports 50100-50120 for client2.
