FTP through MikroTik firewall


Plamen Kolev

Cadet
Joined
Jan 27, 2015
Messages
3
I set up an FTP server on my NAS and I am trying to log in from outside the network through a MikroTik firewall (port 21 forwarded to the local IP of my NAS). The browser prompted me for a user name and password; I typed them correctly, but the browser says "The page can't be displayed". I also tried to connect with an FTP client, again with no success.

I managed to login via CMD (ftp command) but this isn't my game:

ftp> open ftp
Connected to ftp.
220 ProFTPD 1.3.5 Server (nas.local FTP Server) [::ffff:192.168.102.60]
User (ftp:(none)): software
331 Password required for software
Password:
230-Welcome to ftp!
230 User software logged in

I substituted my WAN IP with ftp above.

From LAN network there is no problem.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
You need to read up on port forwarding for FTP. This isn't a freenas issue.

That said, FTP over the internet is stupid. All your FTP passwords are being sent in clear text.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
654
FTP actually uses more than one port. Port 21 is for "commands" and 20 is for "data", but there are also some "random" ports above 1024 coming into play, so it is a bit messy. What you need to do is:

On NAS:
FTP port: 21 (or whatever port you want as the "connection one")
Minimum passive port: 15000 (choose something above 1024)
Maximum passive port: 15100 (something like the above + 100, or even more if you will have a lot of clients)

On Mikrotik:
# open terminal and:
Code:
# Port 20 is only the source port of active-mode data connections the NAS opens outbound itself; passive mode never needs an inbound forward for it
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=20 protocol=tcp dst-address=222.222.222.222 in-interface=WAN dst-port=20 log=no log-prefix=""
# passive data connections: this range must match the min/max passive ports set on the NAS
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=15000-15100 protocol=tcp dst-address=222.222.222.222 in-interface=WAN dst-port=15000-15100 log=no log-prefix=""
# control connection: the port the client dials first
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=21 protocol=tcp dst-address=222.222.222.222 in-interface=WAN dst-port=21 log=no log-prefix=""
# FTP is TCP only; this UDP forward exposes 101 ports for nothing and can be left out
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=15000-15100 protocol=udp dst-address=222.222.222.222 in-interface=WAN dst-port=15000-15100 log=no log-prefix=""

where ...
... 10.10.10.10 is the internal IP of your NAS where the FTP server runs
... 222.222.222.222 is your public IP
... WAN is the name of your WAN interface where the uplink cable is connected
... "ports" ... just make sure that the range is the same as configured on FTP server

Then you should be fine with this.

BTW: If you would like to access the FTP via your public IP but from within the internal network, it will NOT work because of the hairpin. To do so you will need a bit more NAT rules ...
Code:
# dst-nat alone is not enough for hairpin: the NAS would answer the LAN client directly from 10.10.10.10, so the client sees a reply from the wrong address and resets the connection; a matching srcnat/masquerade rule for LAN traffic that is dst-nat'ed to the NAS is also needed
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=20 protocol=tcp src-address=10.10.10.0/24 dst-address=222.222.222.222 dst-port=20 log=no log-prefix=""
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=21 protocol=tcp src-address=10.10.10.0/24 dst-address=222.222.222.222 dst-port=21 log=no log-prefix=""
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=15000-15100 protocol=tcp src-address=10.10.10.0/24 dst-address=222.222.222.222 dst-port=15000-15100 log=no log-prefix=""

where the "10.10.10.0/24" is the subnet IP with CIDR

Then it should work.
 
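The reason the passive range matters, as an added example that is not part of the thread: after the client logs in on port 21 it sends PASV, and the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". The client then opens a second TCP connection to h1.h2.h3.h4 on port p1*256+p2, and that second connection is what the 15000-15100 (or 50000-51000) forward carries. The script below parses such a reply and reports what would stop an Internet client from completing the data connection through a router that only forwards a fixed range. The sample replies are constructed for this example; the public address 222.222.222.222 and the passive ranges follow the posts above. The check for a server announcing its LAN address (as a NAS behind NAT does unless told otherwise, e.g. with ProFTPD's MasqueradeAddress directive) is a caveat added here, not something the thread reports.

```python
"""Check a passive-mode FTP reply against what a NAT router forwards.

Added example, not code from the thread. Sample replies below are
constructed; the addresses and port ranges mirror the posts above.
"""
import ipaddress
import re
import socket
from ftplib import FTP

# Constructed sample replies (a real one comes back from `PASV`).
PASV_OK = "227 Entering Passive Mode (222,222,222,222,58,152)."
PASV_PRIVATE = "227 Entering Passive Mode (192,168,102,60,195,88)."
PASV_OUT_OF_RANGE = "227 Entering Passive Mode (222,222,222,222,4,1)."

_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Turn a 227 reply into (host, port).

    The six numbers are four address octets followed by the data port
    split as p1*256 + p2.
    """
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_pasv(reply: str, public_ip: str,
               passive_range: tuple[int, int]) -> list[str]:
    """List the reasons an Internet client would fail to open the data
    connection announced in `reply` through a router that forwards only
    `passive_range` to the NAS. An empty list means it should work.
    """
    host, port = parse_pasv(reply)
    lo, hi = passive_range
    problems = []
    if not lo <= port <= hi:
        problems.append(
            f"data port {port} is outside the forwarded range {lo}-{hi}")
    if host == "0.0.0.0":
        # Some servers send 0,0,0,0 and expect the client to reuse the
        # control-connection address; that works through NAT as-is.
        pass
    elif ipaddress.ip_address(host).is_private:
        # NAS behind NAT announcing its own LAN address: the client on the
        # Internet cannot reach it, no matter what the router forwards.
        problems.append(
            f"server announced its LAN address {host} instead of {public_ip}")
    elif host != public_ip:
        problems.append(
            f"server announced {host}, not the public address {public_ip}")
    return problems


def probe(host: str, user: str, password: str,
          passive_range: tuple[int, int], timeout: float = 10.0):
    """Live check against a real server (needs network; not run here).

    Logs in, asks for PASV and evaluates the reply with check_pasv.
    """
    public_ip = socket.gethostbyname(host)
    with FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        reply = ftp.sendcmd("PASV")
    return reply, check_pasv(reply, public_ip, passive_range)


if __name__ == "__main__":
    for reply, rng in ((PASV_OK, (15000, 15100)),
                       (PASV_PRIVATE, (50000, 51000)),
                       (PASV_OUT_OF_RANGE, (15000, 15100))):
        print(reply, "->", parse_pasv(reply),
              check_pasv(reply, "222.222.222.222", rng) or "OK")
```

Run it once offline to see the three cases, then point `probe()` at the public address with the same passive range you configured on the NAS and forwarded on the MikroTik; a non-empty list tells you whether the NAS or the router side is the one to fix.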

Plamen Kolev

Cadet
Joined
Jan 27, 2015
Messages
3
Thank you for detailed description HolyK.

I managed to make the FTP server work through NAT. In my case the key was the minimum and maximum passive ports.
After I set up these ports and forwarded them in the MikroTik router, everything worked fine.

I have only two dstnat rules.
Code:
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.102.60 to-ports=21 protocol=tcp dst-address=PUBLIC_IP dst-port=21
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.102.60 to-ports=50000-51000 protocol=tcp dst-address=PUBLIC_IP dst-port=50000-51000
 