FTP port forwarding NAT rule not working
Posted: Sun Oct 20, 2013 11:47 pm
Hi,
I have a regular NAT setup with the MikroTik up front and an FTP server on the inside (no DMZ). I've gotten SSH login to work from the Internet-facing interface, but the FTP won't work. At first it seemed like the router was picking up the FTP login, so I shut down the FTP service on it. Now I only get connection refused when trying to set up FTP, even if I go directly towards the FTP machine from inside my home network (the FTP machine is 192.168.88.249).
What am I doing wrong? (feel free to point out any other oddities in my setup)
Cheers,
Magnus
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
1 X ;;; Hairpin NAT rule
chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.1
2 ;;; Route FTP to the NAS
chain=dstnat action=dst-nat to-addresses=192.168.88.249 to-ports=21 protocol=tcp in-interface=ether1-gateway dst-port=21
3 ;;; FTP passive port range
chain=dstnat action=dst-nat to-addresses=192.168.88.249 protocol=tcp in-interface=ether1-gateway dst-port=2300-2350
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp
1 ;;; default configuration
chain=input action=accept connection-state=established
2 ;;; default configuration
chain=input action=accept connection-state=related
3 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21
4 chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m
5 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login incorrect
6 ;;; Allow FTP login
chain=input action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=21 port=21
7 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
8 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
9 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
10 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
11 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
12 ;;; "Allow remote SSH login"
chain=input action=accept connection-state=new protocol=tcp in-interface=ether1-gateway dst-port=22 port=22
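The staged ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist escalation in filter rules 7 to 12 above is easier to reason about when replayed against a stream of connection attempts. The following is an added Python simulation, not RouterOS code and not from the original post; it assumes the add-src-to-address-list actions are non-terminating (the packet keeps matching later rules) and that re-adding an address refreshes its timeout, and it uses constructed source addresses.

```python
from dataclasses import dataclass, field

# Timeouts in seconds, taken from the rules in the post:
# ssh_stage1/2/3 expire after 1m, ssh_blacklist after 1w3d (10 days).
TIMEOUTS = {"ssh_stage1": 60, "ssh_stage2": 60, "ssh_stage3": 60,
            "ssh_blacklist": 10 * 24 * 3600}


@dataclass
class AddressLists:
    """Address lists with per-entry expiry, like RouterOS address-list-timeout."""
    lists: dict = field(default_factory=lambda: {name: {} for name in TIMEOUTS})

    def contains(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        return expiry is not None and expiry > now

    def add(self, name, ip, now):
        # Assumption: re-adding an address refreshes its timeout.
        self.lists[name][ip] = now + TIMEOUTS[name]


def ssh_input_chain(lists, ip, now):
    """Evaluate rules 7-12 of the post's input chain for one new SSH connection.

    Returns "drop" or "accept". Assumption: add-src-to-address-list is
    non-terminating, so one packet can match several of rules 8-11 in order.
    """
    if lists.contains("ssh_blacklist", ip, now):      # rule 7: drop blacklisted
        return "drop"
    if lists.contains("ssh_stage3", ip, now):         # rule 8: stage3 -> blacklist
        lists.add("ssh_blacklist", ip, now)
    if lists.contains("ssh_stage2", ip, now):         # rule 9: stage2 -> stage3
        lists.add("ssh_stage3", ip, now)
    if lists.contains("ssh_stage1", ip, now):         # rule 10: stage1 -> stage2
        lists.add("ssh_stage2", ip, now)
    lists.add("ssh_stage1", ip, now)                  # rule 11: every new SYN
    return "accept"                                   # rule 12: allow SSH login


def replay(events):
    """Replay (timestamp, src_ip) new-connection events in time order; return verdicts."""
    lists = AddressLists()
    return [ssh_input_chain(lists, ip, t) for t, ip in sorted(events)]


if __name__ == "__main__":
    # Constructed sample: one host hammers port 22, another connects occasionally.
    events = [(0, "203.0.113.5"), (5, "203.0.113.5"), (10, "203.0.113.5"),
              (15, "203.0.113.5"), (20, "203.0.113.5"),
              (0, "198.51.100.7"), (120, "198.51.100.7"), (240, "198.51.100.7")]
    for (t, ip), verdict in zip(sorted(events), replay(events)):
        print(f"t={t:>4}s {ip:<14} {verdict}")
```

Under these assumptions the fourth attempt within a minute is still accepted (rule 12 runs after rule 8 has added the address to ssh_blacklist) and the fifth is dropped, while a host that waits longer than a minute between attempts never climbs past ssh_stage1.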