Jun 1 / Greg

Mikrotik NAT FTP to same IP as Masquerade

MTK FTP NAT

The idea is that you have a single public IP on your Mikrotik. You want to grab anyone on the internet heading to your IP for FTP and redirect them to an internal FTP server.

The first thing you want to do is disable the FTP server on the Mikrotik.

ip service disable ftp

Next, you need to redirect ports 20 and 21 to your internal FTP server. The public-facing interface is named “outside”. The public IP bound to the router is 1.1.1.1. The private internal IP of the FTP server is 192.168.1.11.

/ip firewall nat add chain=dstnat action=netmap to-addresses=192.168.1.11 to-ports=21 protocol=tcp src-address=0.0.0.0/0 dst-address=1.1.1.1 in-interface=outside dst-port=21
/ip firewall nat add chain=dstnat action=netmap to-addresses=192.168.1.11 to-ports=20 protocol=tcp src-address=0.0.0.0/0 dst-address=1.1.1.1 in-interface=outside dst-port=20

As you can see, I use the dstnat chain with an action of netmap. I also specified the incoming interface, so the rules only match traffic arriving on “outside”.
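As an added example (not part of the original post and not a RouterOS tool), this Python script audits rule lines in the key=value form shown above: it reports which of ports 20 and 21 have no dstnat rule for the public IP, and flags rules that accept any source or lack an in-interface match. The function names and the sample input are constructed for illustration; accepting dst-port ranges and lists goes beyond the two single-port rules in the post.

```python
import shlex

# Constructed sample input: the post's two rules in the key=value form it prints.
POST_RULES = """\
chain=dstnat action=netmap to-addresses=192.168.1.11 to-ports=21 protocol=tcp src-address=0.0.0.0/0 dst-address=1.1.1.1 in-interface=outside dst-port=21
chain=dstnat action=netmap to-addresses=192.168.1.11 to-ports=20 protocol=tcp src-address=0.0.0.0/0 dst-address=1.1.1.1 in-interface=outside dst-port=20
"""

NO_IFACE = "no in-interface: rule matches traffic arriving on any interface"
ANY_SRC = "no source restriction: forward is reachable from any address"

def parse_rule(line):
    """Split one 'key=value key=value ...' rule line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def expand_ports(spec):
    """Expand a dst-port value such as '21', '20-21' or '20,21' into a set of ints."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules_text, public_ip, wanted=(20, 21)):
    """Return (missing, findings): wanted ports with no dstnat rule, and broad matchers."""
    covered, findings = set(), []
    for n, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        key = (rule.get("chain"), rule.get("protocol"), rule.get("dst-address"))
        if key != ("dstnat", "tcp", public_ip):
            continue  # not a TCP port forward for this public IP
        hit = expand_ports(rule.get("dst-port", "")) & set(wanted)
        if not hit:
            continue  # forwards some other port
        covered |= hit
        if "in-interface" not in rule:
            findings.append((n, NO_IFACE))
        # An absent src-address matches everything, same as 0.0.0.0/0.
        if rule.get("src-address", "0.0.0.0/0") == "0.0.0.0/0" and "src-address-list" not in rule:
            findings.append((n, ANY_SRC))
    return sorted(set(wanted) - covered), findings

if __name__ == "__main__":
    missing, findings = audit(POST_RULES, "1.1.1.1")
    print("ports without a dstnat rule:", missing)
    for n, msg in findings:
        print(f"rule {n}: {msg}")
```
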

12 Comments

  1. Rob / Jun 1 2009

    If you’re like me and still want to use FTP on the MT device, you can change the FTP port on MT instead of disabling it by: ip service set ftp port=27

    Then you’d need to set up your FTP client’s connection to use the alternate port you specified.

  2. Greg / Jun 1 2009

    Rob, great tip! I’m picking up on those “I’m better than you” tones…don’t sass me! heh

  3. Rob / Jun 1 2009

    N’suh! I wouldn’t dream of sass’n yossuh! 😉

    I’m just a hick wannabe carpenter remember?

  4. Greg / Jun 1 2009

    Hehehe…nice. As well as a WISP engineer, a VB control system engineer, admin for an ISD, make duck calls, and a partridge in a pear tree, or is it a peach tree?

  5. Rob / Jun 2 2009

    A partridge in any tree around here is fair game! They taste the same if they come out of a pear, peach, apple, pine or oak tree! >:-) 😉 Actually, there aren’t any partridge around here truth be known.

  6. Greg / Jun 2 2009

    So you build me up, just to let me down…and mess me around, huh buttercup.

    I can keep quoting songs…don’t push me, I’ll do it….I’m close to the edge, tryin not to lose my head.

  7. John / Feb 2 2010

    Hey guys,

    I have configured my rb with the same settings as above but for some reason it is not working for me. I have used similar settings to port forward to the same pc on my lan so I can pcanywhere in and this works great but for some reason ports 20 and 21 are not being forwarded…I have disabled the MT ftp not sure what else I should be doing….any help would be appreciated.

  8. Greg / Feb 2 2010

    John,

    Paste your rules here so I can examine them.

  9. John / Feb 5 2010

    I’m using the winbox interface
    Under General:
    Chain: Dst-Nat
    Dst-Address: My public ip address 72.xx.xxx.xxx
    Protocol: 6(tcp)
    Dst. Port: 5633 (which is the port my ftp server is set to listen on)
    In. Interface: WAN

    Under Action:
    action: netmap
    to addresses: internal ip of the pc where ftp server is running, which I can connect to when using its internal address while on my lan
    to ports: 5633

  10. John / Feb 5 2010

    I also have changed the port on firewall->service ports-> ftp to 5633

  11. Greg / Feb 8 2010

    John,

    How about your data port? FTP uses 21 for control and 20 for data transfer. Make sure you redirect that port also.

  12. Tomas / Nov 5 2015

    (action: netmap) Thank you very much!!!
