Greetings,
For the sake of clarity, here is my current physical configuration:
Main firewall:
WatchGuard Firebox T15
Router (behind the firewall):
MikroTik hEX
The T15 is in a separate network (172.16.0.0): interface 01 is connected to a MikroTik router to provide internet, but my LAN is in the range 10.0.0.0.
Interface 01 on the T15 is 172.16.0.1 and is plugged into the WAN port on the MikroTik.
Interface 02 on the T15 is 10.0.0.254, to be in the same range as the LAN, and is plugged into the first port of the MikroTik.
The WAN port on the MikroTik has address 172.16.0.2 (eth01).
Both the T15 and the MikroTik have a route to communicate with each other.
The computer I use as an FTP server is in the 10.0.0.0 network (10.0.0.32).
Explicit FTP over TLS works when I connect from a computer in the same network as the FTP server (10.0.0.X range).
Explicit FTP over TLS does not work when I try it from outside my network. It does connect and reaches the TLS handshake (initialization), and then times out.
Policies exist in the T15 to allow port 21 and ports 49152-49252 for passive connections.
DST-NAT rules exist on the MikroTik for port 21 and ports 49152-49252 as well:
add action=dst-nat chain=dstnat dst-address=172.16.0.2 dst-port=49152-65534 protocol=tcp to-addresses=10.0.0.32 to-ports=49152-65534
add action=dst-nat chain=dstnat dst-address=172.16.0.2 dst-port=21 protocol=tcp to-addresses=10.0.0.32 to-ports=21
What am I missing?
Could you help me out with this, please?
Thank you for your time, it is greatly appreciated.
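As an added diagnostic example that is not part of the original post: with explicit FTP over TLS the control channel is encrypted after the handshake, so neither the T15 nor the MikroTik can read or rewrite the address and port carried in the server's PASV reply (no FTP helper or ALG can work). The server itself must therefore advertise an address the outside client can reach and a data port that both the firewall policy (49152-49252) and the dst-nat rule (49152-65534) forward. The script below parses 227 PASV and 229 EPSV replies and reports which of those conditions a given reply breaks, using the ranges and the 10.0.0.32 host from the post. The sample replies are constructed, and the outside-facing address 203.0.113.10 is a placeholder assumption, since the post does not give the T15's public address.

```python
import ipaddress
import re

# Figures taken from the post: the FTP host, the T15 policy range and the
# MikroTik dst-nat range (note that the two ranges are not the same).
SERVER_PRIVATE_IP = "10.0.0.32"
FIREWALL_PASSIVE_RANGE = (49152, 49252)   # T15 policy for passive data
NAT_PASSIVE_RANGE = (49152, 65534)        # MikroTik dst-nat rule

# Placeholder (assumption) for the address an outside client actually dials.
EXPECTED_PUBLIC_IP = "203.0.113.10"

# RFC 1918 space: an address here is unreachable from the internet.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (address, port) from a 227 PASV or 229 EPSV reply.

    For EPSV the address is None: the client reuses the address of the
    control connection, so the server advertises no address at all.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    raise ValueError("not a passive-mode reply: %r" % line)


def check_passive_reply(line, expected_ip=EXPECTED_PUBLIC_IP,
                        firewall_range=FIREWALL_PASSIVE_RANGE,
                        nat_range=NAT_PASSIVE_RANGE):
    """List the reasons an outside client's data connection would fail."""
    addr, port = parse_passive_reply(line)
    problems = []
    if addr is not None:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RFC1918_NETWORKS):
            problems.append(
                "advertises private address %s; an outside client will try "
                "to open the data connection to it and time out" % addr)
        elif addr != expected_ip:
            problems.append("advertises %s but the client dialled %s"
                            % (addr, expected_ip))
    if not nat_range[0] <= port <= nat_range[1]:
        problems.append("port %d is outside the dst-nat range %d-%d"
                        % (port, nat_range[0], nat_range[1]))
    if not firewall_range[0] <= port <= firewall_range[1]:
        problems.append("port %d is outside the firewall policy range %d-%d"
                        % (port, firewall_range[0], firewall_range[1]))
    return addr, port, problems


# Constructed sample replies, as the client sees them after the TLS
# handshake (on the wire they are encrypted, so no middlebox can fix them).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,0,0,32,192,0).",      # private address
    "227 Entering Passive Mode (203,0,113,10,200,10).",  # port 51210
    "229 Entering Extended Passive Mode (|||49200|).",   # nothing wrong
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        addr, port, problems = check_passive_reply(reply)
        print(reply)
        print(("  -> %s:%d" % (addr, port)) if addr else ("  -> port %d" % port))
        for problem in problems:
            print("  !", problem)
```

The first sample shows the usual cause of "connects, finishes the TLS handshake, then times out": the server advertises its LAN address, which an outside client cannot reach. The second shows a port the MikroTik forwards but the T15 policy does not. The EPSV reply passes because it carries no address; letting clients use EPSV, and having the server advertise the external address with a passive range that matches both devices, removes the mismatch.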