pheela
just joined
Topic Author
Posts: 2
Joined: Wed Apr 20, 2022 12:00 pm

Need help with FTP configuration (FileZilla)

Fri May 27, 2022 3:21 pm

Hello,
there is a local FTP server in my network which is behind NAT. Everything is working fine from the local network, but there is a problem when connecting from outside.
CCR1036-8G-2S+ / RouterOS 7.2.3
I added a dstnat from public port 40021 to local port 21, so I am able to connect to the FileZilla server, but there is a problem with the directory listing:
Status:	Connecting to PUBLIC_IP_HIDDEN:40021...
Status:	Connection established, waiting for welcome message...
Status:	Initializing TLS...
Status:	Verifying certificate...
Status:	TLS connection established.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is current directory.
Command:	TYPE I
Response:	200 Type set to I
Command:	PASV
Response:	227 Entering Passive Mode (PUBLIC_IP_HIDDEN,156,80)
Command:	MLSD
Error:	The data connection could not be established: ECONNREFUSED - Connection refused by server
Response:	425 Can't open data connection for transfer of "/"
Error:	Failed to retrieve directory listing
After several hours spent on Google searches I didn't find anything helpful, except this: "you should also make redirection for passive ports in MikroTik", which doesn't make sense to me at all.
Below is what I did (partial config):
/ip firewall filter
add action=accept chain=forward dst-address=192.168.50.0 src-address=172.16.0.0/16
/ip firewall nat
add action=redirect chain=dstnat comment="REDIRECT FOR STATIC DNS ENTRIES" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="REDIRECT FOR STATIC DNS ENTRIES" dst-port=53 protocol=udp
add action=netmap chain=srcnat comment="ASAN FINANCE <=> FELIX" dst-address=10.250.21.151 log=yes src-address=172.16.49.33 to-addresses=\
    10.127.247.10
add action=netmap chain=srcnat comment="ASAN FINANCE <=> STR" dst-address=10.250.21.151 log=yes src-address=172.16.55.136 to-addresses=\
    10.127.247.9
add action=masquerade chain=srcnat comment="LAN MASQUERADE" out-interface="WAN BRIDGE"
add action=dst-nat chain=dstnat comment="IR INTERNET MAP" dst-port=3366 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.51.253 \
    to-ports=5900
add action=dst-nat chain=dstnat comment="LOCAL FTP" dst-port=40021 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.51.253 \
    to-ports=21
add action=dst-nat chain=dstnat comment="UBUNTU STR WEB" dst-port=57080 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.55.136 \
    to-ports=80
add action=dst-nat chain=dstnat comment="STR NODE1 SRV" dst-port=22041 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.33.105 \
    to-ports=80
add action=dst-nat chain=dstnat comment="STR NODE1 SRV SSH" dst-port=22043 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.33.105 \
    to-ports=22
add action=dst-nat chain=dstnat comment="STR NODE2 CLIENT" dst-port=22042 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.33.99 \
    to-ports=80
add action=dst-nat chain=dstnat comment="STR NODE2 CLIENT SSH" dst-port=22044 in-interface="WAN BRIDGE" protocol=tcp to-addresses=\
    172.16.33.99 to-ports=22
add action=dst-nat chain=dstnat comment="ANDREW LOCAL WWW" dst-port=57550 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.46.212 \
    to-ports=7550
add action=dst-nat chain=dstnat comment="UBUNTU STR SSH" dst-port=57071 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.55.136 \
    to-ports=22
add action=dst-nat chain=dstnat comment="MALIYYA SERVER" dst-port=44490 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.51.195 \
    to-ports=3389
add action=dst-nat chain=dstnat comment=BOKT dst-port=4490 in-interface="WAN BRIDGE" protocol=tcp to-addresses=172.16.51.238 to-ports=4490
add action=dst-nat chain=dstnat comment="MALIYYA DATASRV EXCHANGE" dst-port=10777 in-interface="WAN BRIDGE" protocol=tcp to-addresses=\
    172.16.51.195 to-ports=8095
/ip ipsec identity
add comment="ASAN FINANCE" peer=AsanPeer
/ip ipsec policy
add comment="ASAN FINANCE" dst-address=10.250.21.151/32 peer=AsanPeer proposal=AsanProposal src-address=10.127.247.8/29 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=<PUBLIC_IP_HIDDEN>

Any clues?
 
mkx
Forum Guru
Posts: 11583
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with FTP configuration (FileZilla)

Fri May 27, 2022 3:45 pm

I'm not sure that passive FTP over SSL can work. If I'm right (but I could be wrong), then the FTP protocol exchanges, e.g. assigning the port number etc. for subsequent data connections, are encrypted, but the FTP helper needs to see them in order to dynamically set up port forwarding.

One theoretical possibility would be to port forward a bulk of high ports to the internal machine running the FTP server and configure the FTP server to use only that range of ports for passive FTP connections.
 
holvoetn
Forum Guru
Posts: 5472
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Need help with FTP configuration (FileZilla)

Fri May 27, 2022 3:47 pm

See this page from FileZilla:
https://wiki.filezilla-project.org/Netw ... figuration

What it boils down to:
You need to decide if you want to use passive or active mode (passive is advised), specify which ports are to be used, and then forward those ports towards your FileZilla server.

See also this thread:
viewtopic.php?t=122978
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with FTP configuration (FileZilla)

Fri May 27, 2022 7:18 pm

@mkx: It's not only a theoretical possibility, it's the right solution. Conntrack's FTP helper is a nice hack that can avoid doing the whole proper configuration, but its limit is when there's encryption. Then the proper config is the only way to go.
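
The failure in the first post, worked through as an added example (not code from any poster, MikroTik or FileZilla): it decodes the data port from the logged 227 reply, checks it against the dst-port values in the posted NAT export, and renders a static rule for a fixed passive range. The range 50000-50100 and the rule comment "LOCAL FTP PASSIVE" are assumptions, not values from the thread.

```python
import re

# Constructed from the client log and NAT export in the first post.
PASV_REPLY = "227 Entering Passive Mode (PUBLIC_IP_HIDDEN,156,80)"
# dst-port values of the dst-nat rules on in-interface "WAN BRIDGE".
FORWARDED = [(p, p) for p in (3366, 40021, 57080, 22041, 22043, 22042, 22044,
                              57550, 57071, 44490, 4490, 10777)]
# Assumption: passive range configured on the FTP server (not from the thread).
PASSIVE_RANGE = (50000, 50100)

_PASV = re.compile(r"^227 .*\((.+),(\d{1,3}),(\d{1,3})\)")


def pasv_port(reply):
    """Data port announced in a 227 reply: p1 * 256 + p2 (RFC 959)."""
    m = _PASV.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    p1, p2 = int(m.group(2)), int(m.group(3))
    if p1 > 255 or p2 > 255:
        raise ValueError("port octet out of range in %r" % reply)
    return p1 * 256 + p2


def is_forwarded(port, ranges):
    """True if some dst-nat rule (lo, hi) covers this WAN-side port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def diagnose(reply, ranges):
    """Works on the reply as the client sees it inside its TLS session; the
    router sees only ciphertext, so its FTP helper cannot open this port."""
    port = pasv_port(reply)
    return port, "forwarded" if is_forwarded(port, ranges) else "not forwarded"


def passive_rule(lo, hi, server="172.16.51.253"):
    """Static dst-nat rule for the passive range, in the style of the export.
    Omitting to-ports keeps the destination port unchanged."""
    return ('add action=dst-nat chain=dstnat comment="LOCAL FTP PASSIVE" '
            'dst-port=%d-%d in-interface="WAN BRIDGE" protocol=tcp '
            'to-addresses=%s' % (lo, hi, server))


if __name__ == "__main__":
    print(diagnose(PASV_REPLY, FORWARDED))
    fixed = FORWARDED + [PASSIVE_RANGE]
    print(diagnose("227 Entering Passive Mode (PUBLIC_IP_HIDDEN,195,80)", fixed))
    print(passive_rule(*PASSIVE_RANGE))
```

The forwarded range only helps if the FTP server is set to hand out passive ports from that same range; keeping the range narrow limits how many extra ports are exposed on the WAN side.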
 
mkx
Forum Guru
Posts: 11583
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with FTP configuration (FileZilla)

Fri May 27, 2022 8:17 pm

> @mkx: It's not only a theoretical possibility

It's theoretical for me as I don't have first-hand experience with configuring a firewall for an FTP server and I don't know what one can configure on modern FTP server software. But I'm glad my thinking is in the right direction.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with FTP configuration (FileZilla)

Fri May 27, 2022 9:03 pm

Concur. If you are not talking about an SFTP (encrypted FTP server) exposed on the internet, then I have no interest in helping.
You will be hacked............
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help with FTP configuration (FileZilla)

Fri May 27, 2022 9:08 pm

This is encrypted FTP. SFTP is a completely different protocol.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with FTP configuration (FileZilla)

Fri May 27, 2022 9:31 pm

> This is encrypted FTP. SFTP is a completely different protocol.

PoTAAAAAYTOES potAHHHHH Toes.

As long as it's encrypted..................... don't get lost in the pubes SOB, curly or not, white or black, still pubes........
