rocketman002
just joined
Topic Author
Posts: 1
Joined: Tue Mar 05, 2019 7:46 pm

Problems with port forwarding with nasBox ftp  [SOLVED]

Tue Mar 05, 2019 8:22 pm

Hi all,
Please excuse my brevity; I was disconnected when I pressed submit and lost everything, so I had to retype everything.
I am having problems setting up an FTP server on a Synology nasbox. I believe there is something wrong with my port forwarding; specifically, I think that port 80 might be the problem.
I have the following set under IP>FIREWALL>NAT:

port 21:
chain:dstnat
dstAddress:routers external ip
protocol: tcp
dst port: 21
in interface: all ethernet
connection type: ftp
action: dstNAT
to address: 192.168.200.111
to port: 21
port 21:
see port 21
dstport: 20
dstport: 20
rule1 for passive ftp ports:
chain:dstnat
dstAddress:routers external ip
protocol: tcp
dst port: 55536-55567
in interface: all ethernet
action: dstNAT
to address: 192.168.200.111
to port: 55536-55567
rule2 for passive ftp ports:
see rule1 for passive ftp ports
protocol: udp
port 80:
chain:dstnat
protocol: tcp
dst port: 80
in interface: all ethernet
action: dstNAT
to address: 192.168.200.111
to port: 80

Thanks all.
 
Sarel0092
newbie
Posts: 48
Joined: Tue Aug 07, 2018 8:25 am

Re: Problems with port forwarding with nasBox ftp

Wed Mar 06, 2019 8:52 am

Can you access the FTP server in your local network?

Can you export your NAT config?
/ip firewall nat export file=ip-firewall-nat
 
anav
Forum Guru
Posts: 21350
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problems with port forwarding with nasBox ftp

Wed Mar 06, 2019 4:47 pm

Best to see entire config.....
/export hide-sensitive file=yourconfigmar06

A typical dstnat rule looks like
add chain=dstnat action=dst-nat dst-port=21 protocol=tcp \
    in-interface-list=WAN to-addresses=192.168.200.111

(1) If it's a definable list of WAN IPs, then highly highly suggest you use source address list in your nat rule to limit access.
add chain=dstnat action=dst-nat dst-port=21 protocol=tcp \
    in-interface-list=WAN src-address-list=definedusers to-addresses=192.168.200.111

(2) Port 21 is a well probed, scanned port and thus suggesting two things
a. change the default ftp port on the NAS, however that may break some ALG process etc and may not be recommended (search google or nas forums for best practices in this regard with respect to your specific nas).

b. I imagine all your users are using FTP programs and they can easily change the port they put in for access.

c. With B in mind, it's best to at least change the INCOMING DEFAULT PORT to non-standard........... like so.........
# 61003 stands in for any random high-numbered port
add chain=dstnat action=dst-nat dst-port=61003 protocol=tcp \
    in-interface-list=WAN to-addresses=192.168.200.111 to-ports=21

In effect the router translates the incoming 61003 port traffic and moves it to the defined IP address on port 21 as expected by the NAS ftp server.

d. Finally, I would not be using an FTP server on the internet that didn't at least have some type of FTPS (secure mode) TLS etc
(note that ssl is not considered secure: https://tools.ietf.org/html/rfc7568)
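
As an added example (not part of the thread and not MikroTik tooling), this Python check applies points (1) and (2) above to an exported NAT configuration: it flags dst-nat rules that have no source restriction, no WAN-side match, or that expose the default FTP port. The sample export is constructed and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample in `/ip firewall nat export` format (not the poster's router).
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=21 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.200.111
add action=dst-nat chain=dstnat dst-port=61003 in-interface-list=WAN protocol=tcp \
    src-address-list=definedusers to-addresses=192.168.200.111 to-ports=21
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.200.111
/ip firewall filter
add action=drop chain=input dst-port=21 protocol=tcp
"""

def parse_nat_rules(export_text):
    """Return each `add` line of the /ip firewall nat section as a dict."""
    joined = re.sub(r"\\\s*\n\s*", "", export_text)  # undo export line wrapping
    rules, section = [], None
    for line in (l.strip() for l in joined.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comment="..." values whole
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def audit(rules):
    """Return (dst-port, finding) pairs for dst-nat rules that need review."""
    findings = []
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        port = r.get("dst-port", "any")
        if not {"src-address", "src-address-list"} & r.keys():
            findings.append((port, "no source restriction"))
        if not {"in-interface", "in-interface-list", "dst-address"} & r.keys():
            findings.append((port, "not limited to the WAN side"))
        if port == "21":
            findings.append((port, "default FTP port exposed"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_nat_rules(SAMPLE_EXPORT)):
        print(f"dst-port {port}: {finding}")
```

Only the rule on port 61003 with `src-address-list=definedusers` passes cleanly; the port 80 rule is flagged twice because nothing ties it to the WAN side or to a set of allowed sources.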
 
anav
Forum Guru
Posts: 21350
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problems with port forwarding with nasBox ftp

Sat Mar 09, 2019 8:31 pm

Well, what did you solve on your own???
