Hello, I have a problem that I can't access my FTP that is on my lan by using outside IP.
I have to use the direct connection using my Lan inside IP.

I have set NAT:

Accept FTP forward from ether1_wan to FTP server (ports passive ftp 9000-1000)

Chain: dstnat
dst. address (my outside ip here)
protocol 6
dst port 9000-10000

action: dst-nat
to address (my inside ftp server ip here)
to ports: 9000-10000

I have set Filter rules:


1. Accept FTP forward from ether1_wan to FTP server (ports 20 control 21 transfer)
Chain: forward
dst. address: (my inside ftp server ip here)
protocol 6
dst port: 20-21
in interface: ether1_wan

action: accept

2. Accept FTP forward from ether1_wan to FTP server (ports passive ftp 9000-1000)
Chain: forward
dst. address: (my inside ftp server ip here)
protocol 6
dst port: 9000-10000
in interface: ether1_wan

action: accept

Any ideas what I need to do?

Change the destination address on the forward rule to the Public IP instead of the internal IP

Using your inside address is ok, you should add an additional NAT rule.
Search Hairpin NAT

Change the destination address on the forward rule to the Public IP instead of the internal IP

Tried it, did not make any difference.

Using your inside address is ok, you should add an additional NAT rule.
Search Hairpin NAT

Should I add:

/ip firewall nat
add chain=srcnat src-address=[my PC IP address] \
dst-address=[the internal IP of FTP server] protocol=tcp dst-port=20-21 \
out-interface=[LANbridge ports 2-9] action=masquerade

/ip firewall nat
add chain=srcnat src-address=[my PC IP address] \
dst-address=[the internal IP of FTP server] protocol=tcp dst-port=9000-10000 \
out-interface=[LANbridge ports 2-9] action=masquerade

Also I would like to ask about port forwarding, on this guide they do not specify the dst address at all. Instead they specify WAN interface.

http://networkingforintegrators.com/201 ... g-example/

What to use and when?