ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

No External FTP Access - RB750

Fri May 18, 2012 3:45 pm

Hello everyone,

Trust someone here will point me in the right direction albeit other documentation to resolve my smallish error.

First, please note I am an utter noob with MikroTik and most of my experience has now come from the documentation on this forum. So please type slow and explain to me in understandable English :D

The Problem:

No client computer or server on the network can access any external FTP sites, e.g. ftp.hp.com. The only error I have is either that the connection timed out, or, when connecting from the command prompt, it displays connect:Unknown error number

The Setup:

Client PC (multiple) connects to Server 2003 STD connects to Untangle firewall connects to Mikrotik Router.

The Untangle firewall I know and all FTP access has been configured, which leaves me with the MR.

The Question:

I need to know where do I configure any rules, port forwarding on the router and what exactly would I need to configure to allow access to external ftp sites/servers.

I will continue to read on the documentation to better understand the setup and configuration of the mikrotik router but will appreciate any help with said matter.

Hou dit handskoen
ArmandNell
 
normis
MikroTik Support
Posts: 26981
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: No External FTP Access - RB750

Fri May 18, 2012 3:53 pm

If clients have access to websites, they should have the same kind of access to FTP sites unless you specifically made a firewall to block those ports. Post your router config from the command "/export compact".
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750

Mon May 21, 2012 8:57 am

It helps reading the documentation :D I guess I was just a bit frustrated about battling so long with this problem however soon after I posted this I managed to get the ftp working with the following entry:

I am using winbox v4.11 to do the config, so under IP > Firewall > NAT I added this rule:

chain=dstnat src address= (internal LAN IP[0.0.0.0/24]) protocol= 6 (tcp) dst port=21 action=dstnat to address= (Public IP of dsl router) to ports=21

However I picked up one smallish hiccup. Downloading a driver from HP keeps asking for a username and password, just like you would authenticate with any ftp server but I do know that this should not be.

Anyone got any ideas? If still needed I will post the firewall rules....
 
GuJack20
Trainer
Posts: 345
Joined: Sat Jun 12, 2004 9:44 pm
Location: Tirana

Re: No External FTP Access - RB750

Mon May 21, 2012 1:31 pm

Like Normis said, please post the config.

You haven't got the FTP working with the rule you made. You just forwarded the FTP requests from your clients to your router, and it's the FTP service of your router that is asking for username and pass.

So disable that rule and post the config, so we can try to solve the real problem :)
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750

Mon May 21, 2012 2:30 pm

Well that sucks :(

I am really new to the mikrotik routers so if you can be patient with me through this process I would appreciate it, perhaps I will even learn some new tricks.

I have attached the router config file for your review. Please note I have not configured this router at all so I will not be able to explain why things are configured as it is.

Thank you for your time with this and any suggestions or help will be appreciated

**I have removed the router config file because since I posted it I have someone from China trying to log in to my router. Please let me know what info I need to post without compromising my security.**
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750

Wed May 23, 2012 8:43 am

Let's Try this again:

I have a Billion router that is managed by my ISP, this connects to my Mikrotik Router, my LAN is behind the Mikrotik. I have asked my ISP to check their router if FTP access is open and they confirmed that it is.

All default settings for FTP access on the Mikrotik Router are enabled. The problem we have is that if we want to download any file from the web that connects to an FTP server, it fails, e.g. ftp.hp.com

My browser shows that it is "opening ftp.hp.com" then "connecting to ftp.hp.com" but hangs here until it displays a timed out message.

Anyone with an idea that might help me, please let me know, because this is now becoming a problem since some sites we work off require the download from FTP sites.
 
GuJack20
Trainer
Posts: 345
Joined: Sat Jun 12, 2004 9:44 pm
Location: Tirana

Re: No External FTP Access - RB750

Wed May 23, 2012 2:39 pm

Sorry for the problem you are having with the "china attacker".
To increase security, disable ssh and telnet in ip - services (I think you are getting connection attempts on ssh; that is so common).

For the ftp part. To make it clear, do you have ftp access if you connect directly with the Billion, without MikroTik in the middle??

Thanks and sorry for my late reply
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750

Wed May 23, 2012 3:19 pm

@GuJack20

No worries about the late response. If I connect directly to the Billion router then all FTP access works fine.

PS: I have disabled the services mentioned and configured some other options as well which I found here in the user manuals for securing the router.
 
GuJack20
Trainer
Posts: 345
Joined: Sat Jun 12, 2004 9:44 pm
Location: Tirana

Re: No External FTP Access - RB750

Thu May 24, 2012 11:54 am

Hello ArmandNell

Can you give me access to your router? Through winbox, ssh or even teamviewer?

Thanks
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750

Thu May 24, 2012 1:46 pm

Add me on Skype and let's have a chat about it

skype: armand_nell
 
tjc
Member Candidate
Posts: 276
Joined: Sun Jul 10, 2011 3:08 am

Re: No External FTP Access - RB750

Fri May 25, 2012 4:12 am

Does your firewall configuration allow "related" connections? FTP is funky in that it uses two ports and needs the related connections enabled, particularly in active mode where the remote host has to open a socket back to the client.

For starters try having your FTP client connect using passive mode, if that works the problem is probably a firewall setting.
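
An added example, not part of the post above: a small Python parser for the FTP control-channel messages that negotiate the second (data) connection, showing which side opens it and on which port. This is the information a connection tracker has to read to treat the data connection as "related". The function name `data_flow` and all addresses are constructed for illustration.

```python
import re

# Six comma-separated byte values: h1,h2,h3,h4,p1,p2 (RFC 959 PORT / 227 reply).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPSV reply: (|||port|), with one delimiter character repeated.
_EPSV = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def _hostport(text):
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte value out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_flow(line, client_public, server):
    """Return (mode, initiator, dst_ip, dst_port, nat_rewrite_needed) for one
    control-channel line, or None if it does not negotiate a data channel."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = _hostport(line[5:])
        # Active mode: the SERVER opens a new inbound connection to the client.
        # A LAN address advertised here is unreachable unless NAT rewrites it.
        return ("active", "server", ip, port, ip != client_public)
    if line.startswith("227 "):
        ip, port = _hostport(line)
        # Passive mode: the CLIENT opens a second outbound connection.
        return ("passive", "client", ip, port, False)
    if line.startswith("229 "):
        m = _EPSV.search(line)
        if not m:
            raise ValueError("malformed 229 reply: %r" % line)
        return ("passive", "client", server, int(m.group(2)), False)
    return None


# Constructed control-channel lines (private/documentation addresses, not from the thread).
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,88,10,195,80",                        # client -> server
    "227 Entering Passive Mode (198,51,100,7,19,137)",  # server -> client
    "229 Entering Extended Passive Mode (|||50123|)",   # server -> client
]
FLOWS = [data_flow(l, "203.0.113.5", "198.51.100.7") for l in SAMPLE]
```

In the active case the firewall must admit a new inbound connection to port 50000, which only works when related connections are accepted; in both passive cases the client dials out, which is why passive mode is the quicker test.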
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750

Fri May 25, 2012 9:53 am

Guys, your help will be appreciated. For the last week I have been learning the MikroTik router, so that is all the experience I have with these routers.

Here is a printout of my /ip firewall filter and /ip firewall nat. I hope this will help you fine people in providing me with the correct direction to get FTP working again.

/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add chain=input comment=Winbox dst-port=8291 protocol=tcp
add chain=input comment="From Vodacom Business DSL" src-address=(ip address)
add chain=input comment="From our private LAN" src-address=(ip address)
add action=drop chain=input comment="Drop everything else"
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=196.x.x.x dst-port=443 protocol=tcp to-addresses=\
192.x.x.x to-ports=443
add action=dst-nat chain=dstnat dst-address=41.x.x.x dst-port=443 protocol=tcp to-addresses=\
192.x.x.x to-ports=443
add action=dst-nat chain=dstnat comment="Rebalance WWW" dst-address=41.x.x.x dst-port=80 protocol=\
tcp to-addresses=192.x.x.x to-ports=80
add action=dst-nat chain=dstnat comment="Rebalance SSL" dst-address=41.x.x.x dst-port=443 \
protocol=tcp to-addresses=192.x.x.x to-ports=443
add action=dst-nat chain=dstnat comment="TS1 Vodacom" dst-address=41.x.x.x dst-port=3389 protocol=\
tcp to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment="Rebalance RDP" dst-address=41.x.x.x dst-port=3389 \
protocol=tcp to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment="FLEXI2008 RDP Vodacom" dst-address=41.x.x.x dst-port=3380 \
protocol=tcp to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment="TS1 IS" dst-address=196.x.x.x dst-port=3389 protocol=\
tcp to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment=TS2 dst-address=196.x.x.x dst-port=3388 protocol=tcp \
to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment=Voicelogic dst-address=196.x.x.x dst-port=3387 protocol=\
tcp to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment=FlexiTZN dst-address=196.x.x.x dst-port=3387 protocol=\
tcp to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment=SRV03 dst-address=196.x.x.x dst-port=3383 protocol=tcp \
to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment=SRV01 dst-address=196.x.x.x dst-port=3381 protocol=tcp \
to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment=SRV02 dst-address=196.x.x.x dst-port=3382 protocol=tcp \
to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat comment="FLEXI2008 RDP IS" dst-address=196.x.x.x dst-port=3380 \
protocol=tcp to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat dst-address=196.x.x.x dst-port=110 protocol=tcp to-addresses=\
192.x.x.x to-ports=110
add action=dst-nat chain=dstnat dst-address=41.x.x.x dst-port=110 protocol=tcp to-addresses=\
192.x.x.x to-ports=110
add action=dst-nat chain=dstnat dst-address=196.x.x.x dst-port=53 protocol=tcp to-addresses=\
192.x.x.x to-ports=53
add action=dst-nat chain=dstnat dst-address=196.x.x.x dst-port=53 protocol=udp to-addresses=\
192.x.x.x to-ports=53
add action=src-nat chain=srcnat comment="Bypass Mail - x.x" routing-mark="Other mail" \
to-addresses=196.x.x.x
add action=dst-nat chain=dstnat dst-address=196.x.x.x dst-port=25 protocol=tcp to-addresses=\
192.x.x.x to-ports=25
add action=dst-nat chain=dstnat dst-address=196.x.x.x dst-port=25 protocol=udp to-addresses=\
192.x.x.x to-ports=25
add action=dst-nat chain=dstnat comment=Flexi dst-address=196.x.x.x dst-port=3384 protocol=tcp \
to-addresses=192.x.x.x to-ports=3389
add action=dst-nat chain=dstnat dst-address=196.x.x.x dst-port=21 protocol=tcp \
to-addresses=192.x.x.x to-ports=21
# this is supposed to forward to the internal server but does not work

add action=masquerade chain=srcnat comment="Added by webbox" out-interface=e3-Vodacom to-addresses=\
0.0.0.0

Please let me know should there be any other config prints you guys might require in helping me win this ftp problem.
 
GuJack20
Trainer
Posts: 345
Joined: Sat Jun 12, 2004 9:44 pm
Location: Tirana

Re: No External FTP Access - RB750

Fri May 25, 2012 12:58 pm

Try to disable

add action=drop chain=input comment="Drop everything else"

See what happens
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750 - SOLVED

Fri May 25, 2012 4:14 pm

Problem solved and I do feel like one huge sucker.

I discovered that there were two factors that were stopping the FTP access from working. To explain so you fine people can understand: I have two DSL lines feeding into my building, one is on a Cisco router, the other on a Billion router. In turn they are connected to my MikroTik router, which feeds to the rest of the LAN.

Under /ip routes there are routes configured to let mail and www pass through the one line and all other traffic via the other. However, it turns out that the Billion router DSL connection was down, hence FTP not working since it could not establish a connection. So I disabled the rule to pass traffic via the Billion router and configured another to allow traffic via the Cisco and voilà....FTP access working again.

What I do not understand is how this was configured, why, and how did we not lose complete internet connectivity.

So in my new efforts of learning the mikrotik router I will now try and find out how to do the following:

Set up either (proper) load balancing or failover, so that should one DSL line go down we don't lose connectivity to functions such as FTP.

Any help to point in the right direction will be greatly appreciated.
 
vixxant
newbie
Posts: 38
Joined: Thu Mar 17, 2011 7:36 pm

Re: No External FTP Access - RB750 - SOLVED

Mon Jun 04, 2012 10:21 am

Check this load balancing method. Hope you will find it useful:
http://fatalsite.net/?p=100
 
ArmandNell
just joined
Topic Author
Posts: 10
Joined: Fri May 18, 2012 1:23 pm

Re: No External FTP Access - RB750

Tue Jun 05, 2012 9:19 am

Excellent, thank you vixxant, this helped me a lot...