Community discussions

MUM Europe 2020
 
Predator
just joined
Topic Author
Posts: 1
Joined: Wed Apr 25, 2012 9:01 pm

Opening Ports to Allow Active FTP

Wed Apr 25, 2012 9:18 pm

I'm running an RB450 with a Public IP of 1.2.3.4 and a NATTED subnet of 192.168.100.X. One of my users needs to run an application that uses Active FTP. I'm attempting to open ports 20-22 and 1024-65535 to IP Address 192.168.100.68. Here's my IP FIREWALL NAT print:

Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.100.68 to-ports=20-22 protocol=tcp src-address-list=192.168.100.68 src-port="" dst-port=20-22 port=""

1 chain=srcnat action=src-nat to-addresses=1.2.3.4 to-ports=20-22 protocol=tcp src-address-list=192.168.100.68 dst-address-list=1.2.3.4
src-port=20-22 dst-port="" port=""

2 chain=dstnat action=dst-nat to-addresses=192.168.100.68 to-ports=1024-65535 protocol=tcp src-address-list=192.168.100.68 src-port="" dst-port=1024-65535
port=""

3 chain=srcnat action=src-nat to-addresses=1.2.3.4 to-ports=1024-65535 protocol=tcp src-address-list=192.168.100.68 src-port=1024-65535 dst-port=""
port=""

4 chain=srcnat action=masquerade out-interface=Public

So far, this hasn't worked. I'm new at this so any thoughts or suggestions are very much appreciated.
 
syadnom
Member
Member
Posts: 407
Joined: Thu Jan 27, 2011 7:29 am

Re: Opening Ports to Allow Active FTP

Wed Apr 25, 2012 10:27 pm

I think you are trying to make it more complicated. The dest NAT to your device should be enough to initiate the FTP session on port 21, then the source NAT aka masquerade should handle all the other ports.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<WANIP> dst-port=21 protocal=tcp to-address=192.168.100.68 to-ports=21
add action=masquerade chain=srcnat comment=gatewayNAT disabled=no out-interface=ether1-WANGATEWAY


at the very least, you are missing the dst-address=<WANIP> in your statement.
 
Sob
Forum Guru
Forum Guru
Posts: 5014
Joined: Mon Apr 20, 2009 9:11 pm

Re: Opening Ports to Allow Active FTP

Thu Apr 26, 2012 4:51 am

I assume that "application that uses Active FTP" means FTP client and not FTP server as syadnom understood it.

If it's the case, you should need to configure almost nothing, as long as it's plain unencrypted FTP on standard port. You just need the masquerade rule and:
/ip firewall service-port set ftp disabled=no ports=21
It's set by default, so unless you changed it, it's already there. Everything will just work, client will happily issue PORT commands with its internal address 192.168.100.68, knowing nothing about NAT. But RouterOS will monitor the control connection and rewrite them to correct public IP and also take care of forwarding the right ports when data connections from server arrive.

It will fail if:

a) Target FTP server listens on port other than default 21.

If it is just single exception, it can be fixed by adding that port to /ip firewall service-port to have it also monitored.
But if you want that client to be able to connect to any server to any possible non-standard port using active mode, then go right to b), ignore the info about encryption and just use the same settings.

b) Connection to target server is encrypted.

In this case RouterOS can't inspect the control connection and do the rewriting, so you have to forward the ports manually:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=1024-65535 \
  protocol=tcp to-addresses=192.168.100.68
That alone is *not* enough, you also have to configure FTP client to send the proper public IP (your example 1.2.3.4) to server with PORT commands. And while you're at it (read "the client supports it") you can also narrow down the forwarded port range to much smaller one (and you must set the same range on both router and client), because you probably don't want to waste so many ports on just one client.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
syadnom
Member
Member
Posts: 407
Joined: Thu Jan 27, 2011 7:29 am

Re: Opening Ports to Allow Active FTP

Thu Apr 26, 2012 5:04 am

Active mode is just a PITA for the client. It needs ports 20 & 21 open inbound to the FTP server and the FTP server needs to be able to get out the firewall on ports >1024. The client has to worry about strange inbound replies from the server.

Sob, I don't read the OP as wanting to connect to the mikrotik's ftp server.
 
Sob
Forum Guru
Forum Guru
Posts: 5014
Joined: Mon Apr 20, 2009 9:11 pm

Re: Opening Ports to Allow Active FTP

Thu Apr 26, 2012 6:05 am

You suggested to forward port 21 from public IP to internal IP, so clearly you take the internal device behind NAT as FTP server (different from FTP server on router itself of course). From OP's description (and description alone, his rules show too many forwarded ports to take anything from that) it looks to me more like that internal device is FTP client. Otherwise why would he need to forward ports for active mode, it's what clients need. There's of course the possibility that OP doesn't know exactly what he wants. ;) But he'll surely tell us.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
creiher
just joined
Posts: 2
Joined: Sun Aug 11, 2013 4:57 am

Re: Opening Ports to Allow Active FTP

Fri May 02, 2014 2:22 am

In my case, NAT active FTP, works perfectly doing the following:
(RouterOS v6.7)
/ip firewall nat add action=dst-nat chain=dstnat dst-address="Public Address" dst-port="non-standard port >1023" protocol=tcp to-addresses="Private Address" to-port="non-standard port >1023"
and,
ip firewall service-port set ftp disabled=no ports="non-standar port"
That's all!

Tnaks to Sob for the useful way to solve this issue!

Who is online

Users browsing this forum: jeetlal, mobinsaffarpour and 111 guests