FTP actually uses more than one port. Port 21 is for "commands" and 20 is for "data", but there are also some "random" ports from 1024++ coming into play, so it is a bit messy. What you need to do is:
On NAS:
FTP port: 21 (or whatever port you want as the "connection one")
Minimum passive port: 15000 (choose something from 1024++)
Maximum passive port: 15100 (something like above +100 or even more if you will have a lot of clients)
On Mikrotik:
# open terminal and:
Code:
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=20 protocol=tcp dst-address=222.222.222.222 in-interface=WAN dst-port=20 log=no log-prefix=""
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=15000-15100 protocol=tcp dst-address=222.222.222.222 in-interface=WAN dst-port=15000-15100 log=no log-prefix=""
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=21 protocol=tcp dst-address=222.222.222.222 in-interface=WAN dst-port=21 log=no log-prefix=""
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=15000-15100 protocol=udp dst-address=222.222.222.222 in-interface=WAN dst-port=15000-15100 log=no log-prefix=""
where ...
... 10.10.10.10 is the internal IP of your NAS where the FTP runs
... 222.222.222.222 is your public IP
... WAN is the name of your WAN interface where the uplink cable is connected
... "ports" ... just make sure that the range is the same as configured on FTP server
Then you should be fine with this.
BTW: If you would like to access the FTP via your public IP but from within the internal network, it will NOT work because of the hairpin. To do so you will need a few more NAT rules ...
Code:
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=20 protocol=tcp src-address=10.10.10.0/24 dst-address=222.222.222.222 dst-port=20 log=no log-prefix=""
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=21 protocol=tcp src-address=10.10.10.0/24 dst-address=222.222.222.222 dst-port=21 log=no log-prefix=""
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.10 to-ports=15000-15100 protocol=tcp src-address=10.10.10.0/24 dst-address=222.222.222.222 dst-port=15000-15100 log=no log-prefix=""
where the "10.10.10.0/24" is the subnet IP with CIDR
Then it should work.
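
To verify the setup described above, this added example (not part of the original post) parses the server's `227` reply to `PASV` and checks that the advertised address and port match the public IP and the forwarded passive range from the post. The function names and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# Values taken from the post; change them to match your own setup.
PUBLIC_IP = "222.222.222.222"
PASSIVE_RANGE = range(15000, 15101)  # 15000-15100 inclusive, as forwarded by dst-nat

# RFC 959 reply format: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2
    return ip, port

def check_pasv(reply, public_ip=PUBLIC_IP, passive_range=PASSIVE_RANGE):
    """List the mismatches between a PASV reply and the NAT rules."""
    ip, port = parse_pasv(reply)
    problems = []
    if ipaddress.ip_address(ip).is_private:
        problems.append(f"server advertises private address {ip}, not routable from the WAN side")
    elif ip != public_ip:
        problems.append(f"server advertises {ip}, expected public IP {public_ip}")
    if port not in passive_range:
        problems.append(f"port {port} is outside forwarded range "
                        f"{passive_range.start}-{passive_range.stop - 1}")
    return problems

# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "227 Entering Passive Mode (222,222,222,222,58,152)",  # public IP, port 15000
    "227 Entering Passive Mode (10,10,10,10,58,200)",      # NAS leaks its LAN address
    "227 Entering Passive Mode (222,222,222,222,195,80)",  # port 50000, not forwarded
]

if __name__ == "__main__":
    for line in SAMPLES:
        issues = check_pasv(line)
        print(line, "->", "OK" if not issues else "; ".join(issues))
```

The reply line can be copied from any FTP client's verbose or debug output while connected from outside the LAN.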