joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 2:59 pm

Hi,

I have a CCR2004-16G-2S+ with RouterOS 7.0.4 behind a Fritzbox (7630).
I configured it as a router cascade with double NAT.
The MikroTik WAN port is connected to the Fritzbox, and behind the MikroTik is a server. The Fritzbox has a static route for the server network pointing to the MikroTik.

ISP--> Fritzbox (192.168.1.1/24) --> CCR (192.168.1.254 / 192.168.2.1/24) --> Server (192.168.2.2)

I want to use the server as an FTP server on ports 21 and 45500-45600.
So far I have realised this with double NAT like this:
/ip firewall filter
add action=accept chain=forward comment="Server 1" dst-address=192.168.2.2 \
    dst-port=21 protocol=tcp
add action=accept chain=forward dst-address=192.168.2.2 dst-port=49500-49600 \
    protocol=tcp

/ip firewall nat
add action=dst-nat chain=dstnat comment="FTP Server1" dst-port=21 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.2.2 to-ports=21
add action=dst-nat chain=dstnat dst-port=49500-49600 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.2.2 to-ports=49500-49600
add action=masquerade chain=srcnat comment=masquerade

Somehow this doesn't work for all external networks - some external networks like my home or my girlfriend's home can connect to the server, while from my friend's home or his girlfriend's home you can't connect.
Someone suggested not using double NAT and letting the Fritzbox route instead. I tried this but can't get it working. If I disable the src-nat masquerading and dst-nat rules and set port forwarding in the Fritzbox directly to the server (it would still need to go via the static route to the WAN port of the MikroTik), I can't reach the FTP server anymore.

Any ideas?
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 4:11 pm

...IMHO you can't really avoid double NAT, as the Fritz will not allow disabling NAT in its firewall.
You could disable NAT/masquerading on the CCR altogether, but would still need a port forward on the CCR for SRC 192.168.0.1 to DST 192.168.2.2, as the Fritz will use the CCR as GW for the 2nd network anyway (hence configure port forwarding in the Fritz to the CCR as endpoint, not server#2, too).

Another option is to keep NAT/masquerading on the CCR and enable the CCR (192.168.0.254) as "exposed host" in the Fritz.
This will simply forward everything to the CCR that is inbound to the WAN port of the Fritz (still NATed), which would leave you with the task of configuring port forwarding rules in the CCR only, from that time on.
Edit: and you don't need the route in the Fritz to the second net this way.
 
holvoetn
Forum Guru
Posts: 5491
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 4:15 pm

Double NAT is not the problem.

Double port forward.
Once on Fritz towards a dedicated port on CCR.
Then again on CCR towards server.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 4:30 pm

For firewall rules on the CCR... one should only allow port forwarding; the specifics are located on the associated DST NAT rule.

From:
/ip firewall filter
add action=accept chain=forward comment="Server 1" dst-address=192.168.2.2 \
dst-port=21 protocol=tcp
add action=accept chain=forward dst-address=192.168.2.2 dst-port=49500-49600 \
protocol=tcp


TO:
/ip firewall filter
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN

AND
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=49500-49600 \
    protocol=tcp to-addresses=192.168.2.2


I would suggest you attempt to limit access to the port forwarding if possible (do you know the public WAN IPs that will use your server?).
In fact I would demand it, such that users
a. provide their fixed static WAN IP, or
b. provide the domain name associated with their WAN IP; in this case there are free DynDNS names that folks can easily get, or a business should be able to provide one.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.254 dst-port=49500-49600 \
    protocol=tcp to-addresses=192.168.2.2 src-address-list=authorizedaccess

where firewall address list is
add address=IPaddressuser1 name=authorizedaccess
add address=IPaddressuser2 name=authorizedaccess
add address=IPaddressuser3 name=authorizedaccess
add address=domainnameUserA name=authorizedaccess
add address=domainnameUserB name=authorizedaccess
add address=domainnameUserC name=authorizedaccess

In terms of NAT, the Fritzbox needs to forward those ports to 192.168.1.254.
I don't think any specific routes are required on the Fritzbox?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 6:33 pm

There's no reason why double NAT itself should influence whether FTP works or not. You can have ten NATs in a row, and if you correctly forward ports through all of them, it must work. Neither client nor server has any way to know how many NATs are between them.

But if you don't really need the second NAT for something, there's also no reason to have it. All you need is a route to 192.168.2.0/24 via 192.168.1.254 on the Fritzbox, and to forward ports directly to 192.168.2.2. That's if the Fritzbox allows that. And then just make sure that you don't block this traffic in the CCR's firewall, but those filter rules look good.

If it doesn't work, then it could be something with the server config. Make sure that it's definitely configured to use only ports 49500-49600 and that it knows the public address, which it needs for passive mode. Also, clients should use passive mode too (but any sane modern client does that by default).
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 8:30 pm

Hi,
Thank you for your replies. I have to admit that I have no idea what is wrong with the setup.
It happened like this:
I had the above posted config, and from my home network (which is a completely different network) I could connect via FTP.
Then I tried routing directly with the Fritzbox but had no success. I reconfigured it to the old config and the connection stopped working.
After 3-5 hours or a restart (I forgot) it started working again.
A few weeks later (yesterday) I tried again to route directly via the Fritzbox, again without success. I reconfigured everything to the above mentioned config (which used to work),
but couldn't connect anymore. I restarted the CCR and then another connection (HTTP over port 8080) stopped working as well (it worked before the restart).
I reconfigured a RDP connection the same way and it let me through.
What could be messed up? Old firewall connection states?
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 9:12 pm

...a Fritz is a bitch... very unreliable and unpredictable sometimes... I finally stopped using these, after they introduced port flapping and a MT router with their latest firmware, starting v7.21

The effects you're seeing could be anything left in its config after you changed back and forth, even with a reboot.
Get rid of the second, additional route in the Fritz and keep NAT on the CCR.
On the Fritz, start from a factory reset, then enable the first network and the connection to the CCR, and then enable the CCR as exposed host in the Fritz. Do not use/enable the MyFritz config.

Then configure port forwarding rules as needed on the CCR only.
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 9:34 pm

That's the log message I get if I log the filter rule for port 21:

forward: in:ether1 out:PM Bridge, src-mac 2c:3a:fd:c5:3f:0d, proto TCP (SYN), 92.75.179.202:19358->192.168.178.2:21, NAT 92.75.179.202:19358->(192.168.176.254:21->192.168.178.2:21), len 52

(server IP here is 192.168.178.2 and wan gateway is 192.168.176.254)

It looks like the SYN packets get no reaction, and thus no TCP connection is established.
Last edited by joschwe on Mon Nov 22, 2021 9:40 pm, edited 1 time in total.
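To make log lines like the one above easier to reason about, here is an added Python example (not from the thread or from MikroTik) that parses a RouterOS firewall log entry in that format and compares the dst-nat translation with the intended port forward. The WAN interface, router WAN address, server address and the 49500-49600 passive range are taken from the posted rules and log; the second sample line is constructed to show a mismatch.

```python
import re

# RouterOS firewall log format as posted in the thread:
# "forward: in:ether1 out:PM Bridge, src-mac ..., proto TCP (SYN), a:p->b:q, NAT a:p->(c:r->b:q), len N"
LOG_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>.*?), "
    r"src-mac (?P<mac>[0-9a-f:]{17}), proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, NAT (?P<nsrc>[\d.]+):(?P<nsport>\d+)->"
    r"\((?P<orig_dst>[\d.]+):(?P<orig_dport>\d+)->(?P<nat_dst>[\d.]+):(?P<nat_dport>\d+)\))?"
    r", len (?P<len>\d+)$"
)
ALLOWED_PORTS = frozenset({21} | set(range(49500, 49601)))  # from the posted filter/NAT rules

SAMPLE_LINES = [
    # line posted in the thread (SYN from a remote client, dst-nat to the FTP server)
    "forward: in:ether1 out:PM Bridge, src-mac 2c:3a:fd:c5:3f:0d, proto TCP (SYN), "
    "92.75.179.202:19358->192.168.178.2:21, NAT 92.75.179.202:19358->(192.168.176.254:21->192.168.178.2:21), len 52",
    # constructed line: a stale rule translating to another host and a port outside the FTP ranges
    "forward: in:ether1 out:PM Bridge, src-mac 2c:3a:fd:c5:3f:0d, proto TCP (SYN), "
    "92.75.179.202:20011->192.168.178.9:8080, NAT 92.75.179.202:20011->(192.168.176.254:8080->192.168.178.9:8080), len 52",
]

def parse_log(line):
    """Return the fields of one firewall log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport", "nsport", "orig_dport", "nat_dport", "len"):
        if e[k] is not None:
            e[k] = int(e[k])
    return e

def check_forward(e, wan_if, wan_ip, server_ip, allowed_ports):
    """Compare a parsed forward-chain entry with the intended port-forward policy.
    Returns a list of findings; an empty list means the packet matches the policy."""
    findings = []
    if e["in_if"] != wan_if:
        findings.append(f"ingress on {e['in_if']}, not on WAN interface {wan_if}")
    if e["nat_dst"] is None:
        findings.append("no dst-nat translation: traffic reached the LAN without a forward rule")
        return findings
    if e["orig_dst"] != wan_ip:
        findings.append(f"original destination {e['orig_dst']} is not the router WAN address {wan_ip}")
    if e["nat_dst"] != server_ip:
        findings.append(f"translated to {e['nat_dst']}, expected the FTP server {server_ip}")
    if e["nat_dport"] not in allowed_ports:
        findings.append(f"port {e['nat_dport']} is outside the forwarded FTP ports")
    return findings
```

For the posted line the checker returns no findings, which confirms the dst-nat rule itself is doing the right thing and points the search at the server or the return path instead.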
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 9:40 pm

> ...a Fritz is a bitch... very unreliable and unpredictable sometimes... I finally stopped using these, after they introduced port flapping and a MT router with their latest firmware, starting v7.21
>
> The effects you're seeing could be anything left in its config after you changed back and forth, even with a reboot.
> Get rid of the second, additional route in the Fritz and keep NAT on the CCR.
> On the Fritz, start from a factory reset, then enable the first network and the connection to the CCR, and then enable the CCR as exposed host in the Fritz. Do not use/enable the MyFritz config.
>
> Then configure port forwarding rules as needed on the CCR only.

Would there be any problems with DynDNS configured in the Fritzbox this way?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 10:25 pm

Few thoughts:

How sure are you that your server is configured correctly? While it's not rocket science, it can sometimes be a little tricky. You need the correct range of passive ports, with both them and the main port open in the machine's firewall. It's best if the server knows its own public address and uses it in PASV replies, instead of relying on NAT-helper magic.

Then there's debugging. If port forwarding works for RDP, it must work for FTP, at least partially. If the server is running, listening on the correct port and not blocked by a firewall, at least the control connection must succeed and you should see something in the server log. If it still doesn't work for the client, there could be a problem with data connections. So again, you need a log, but this time from the client.

It's not difficult, but you need to go step by step.
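As an added example (not from Sob or from the thread), here is a small Python checker for the two server-side points raised above, the public address in PASV replies (also stressed earlier in the thread) and the passive port range: it parses a server's PASV or EPSV reply and flags a private advertised address or a data port outside the forwarded range. The control-connection host, the public address 203.0.113.10 and the sample replies are constructed; the 49500-49600 range comes from the posted rules.

```python
import re
from ipaddress import ip_address, ip_network

# Reply formats: RFC 959 PASV "227 ... (h1,h2,h3,h4,p1,p2)" and RFC 2428 EPSV "229 ... (|||port|)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASSIVE_RANGE = range(49500, 49601)  # forwarded data ports from the posted rules

def parse_passive_reply(reply, control_host):
    """Return the (host, port) a server advertises for the data connection.
    PASV carries host and port as six decimal octets; EPSV carries only the port,
    and the client must connect to the same host it used for the control connection."""
    m = PASV_RE.match(reply)
    if m:
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError(f"octet out of range in {reply!r}")
        return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]
    m = EPSV_RE.match(reply)
    if m:
        return control_host, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")

def check_passive(reply, control_host, public_ip, port_range=PASSIVE_RANGE):
    """Diagnose why a remote client might fail to open the data connection.
    Returns (host, port, findings); findings is empty when the advertised endpoint
    is reachable through the port forward."""
    host, port = parse_passive_reply(reply, control_host)
    findings = []
    if any(ip_address(host) in n for n in RFC1918):
        findings.append(f"server advertises private address {host}; a remote client cannot connect to it")
    elif host != public_ip:
        findings.append(f"server advertises {host}, but its public address is {public_ip}")
    if port not in port_range:
        findings.append(f"data port {port} is outside the forwarded range "
                        f"{port_range.start}-{port_range.stop - 1}")
    return host, port, findings

# Constructed replies; 203.0.113.10 stands in for the server's public address.
SAMPLES = [
    "227 Entering Passive Mode (192,168,178,2,193,124)",   # server unaware of its public address
    "227 Entering Passive Mode (203,0,113,10,193,124)",    # correct: public address, port 49532
    "229 Entering Extended Passive Mode (|||49700|)",       # port outside the forwarded range
]
```

Run the checker against a reply captured from the client side (a verbose FTP client prints it): if the address is private or the port is outside the range, no amount of router configuration will make passive transfers work.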
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 10:41 pm

> Few thoughts:
>
> How much sure are you that your server is configured correctly? While it's not rocket science, it can sometimes be a little tricky. You need correct range of passive ports, both them and main port open in machine's firewall. It's best if server knows own public address and uses it in PASV replies, instead of relying on NAT-helper magic.
>
> Then there's debugging. If port forwarding works for RDP, it must work for FTP, at least partially. If server is running, listening on correct port and not blocked by firewall, at least control connection must succeed and you should see something in server log. If it still doesn't work for client, there could be problem with data connections. So again, you need log, but this time from client.
>
> It's not difficult, but you need to go step by step.

The server has 2 network cards and the ports over the other network work (another fritzbox is connected). So the FTP server is configured correctly (same ports work if going through the other fritzbox without the CCR). One thing I could imagine that could create problems is that there are two wan gateways with equal cost in the mikrotik and I haven't yet managed to set up proper mangle rules. So I am not sure which gateway the mikrotik is using to go out. But I think that the connection should keep the gateway it came from.
How would you start debugging?
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 10:42 pm

Sob and Fritz are good friends, I'm sure they will work it out! ;-)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 10:55 pm

If the server has two network cards, that certainly sounds like a possible source of the problem. Is it two network connections? If so, is there anything on the server that takes care of sending responses back the same way the requests came from? It's usually not automatic.

@anav: No, not really. :)
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 11:16 pm

> Would there be any problems with DynDNS configured in the Fritzbox this way?

Stay away from MyFritz, as this will enable some port forwarding "backdoors" to access the Fritz.
Yes, it comes with DynDNS as a by-product, but you either have a standard means to add DynDNS to your Fritz, or you can even just use the name given under MT /ip -> cloud.
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Mon Nov 22, 2021 11:21 pm

Before I used the MikroTik (its main purpose is the load balancing and failover between the 2 ISPs (with a Fritzbox each)), it was working without a problem.
Each Fritzbox has its own DynDNS, and the respective DynDNS with port 21 was forwarded to the FTP server.
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Tue Nov 23, 2021 12:12 am

That's the log output if I try to connect:
logoutput.jpg
92.75.179.202 is my external IP address, so the request gets to the WAN port.
Maybe the forward rule has to go before the NAT rule?
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Avoiding double NAT Fritzbox + CCR2004

Tue Nov 23, 2021 12:17 am

> Before I used the MikroTik (its main purpose is the load balancing and failover between the 2 ISPs (with a Fritzbox each)), it was working without a problem.
> Each Fritzbox has its own DynDNS, and the respective DynDNS with port 21 was forwarded to the FTP server.

...then, what stops you from keeping it that way, as the server obviously has two network cards and each Fritz has a switch to connect the server as well as the MT?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Tue Nov 23, 2021 12:22 am

@joschwe: I'd worry more about the server's two network cards. You know how exactly it's connected, but we don't, so some more details about that and your whole network could help. Also, if there's dual WAN on the RB without proper mangle rules, that too can be a problem for incoming connections.
 
joschwe
just joined
Topic Author
Posts: 17
Joined: Sun Aug 22, 2021 5:16 pm

Re: Avoiding double NAT Fritzbox + CCR2004

Tue Nov 23, 2021 12:26 am

And now the weirdest thing:

It seems to be working for random FTP port sniffing bots (I guess they are bots)
trying random password combinations like pass1234.

Here is the log output of a successful connection...
log2.jpg
