SamusAran
just joined
Topic Author
Posts: 4
Joined: Thu Aug 11, 2022 5:34 pm

Explicit FTP over TLS - Issues with configuration

Thu Aug 11, 2022 5:37 pm

Greetings,

For the sake of clarity, here is my current physical configuration:

Main firewall:
WatchGuard Firebox T15

Router (behind the firewall):
MikroTik hEX

The T15 is in a separate network (172.16.0.0), interface 01 is connected to a Mikrotik router to provide internet, but my LAN is in the range 10.0.0.0.

Interface 01 on the T15 is 172.16.0.1 and is plugged in the WAN port on the MikroTik.
Interface 02 on the T15 is 10.0.0.254 to be in the same range as the LAN and is plugged in the first port of the Mikrotik.

The WAN port on the MikroTik got address 172.16.0.2 (eth01).

Both the T15 and the Mikrotik have a route to communicate with each other.

The computer I use as a FTP server on is in the 10.0.0.0 network (10.0.0.32).

Explicit FTP over TLS works when I connect from a computer in the same network as the FTP server (10.0.0.X range).

Explicit FTP over TLS does not work when I try it outside of my network. It does connect, reach the TLS handshake (initialization) and then timeout.

Policies exist in the T15 to allow port 21 and ports 49152-49252 for passive connections.

DST-NAT rules exist on the MikroTik for port 21 and ports 49152-49252 as well:
add action=dst-nat chain=dstnat dst-address=172.16.0.2 dst-port=49152-65534 protocol=tcp to-addresses=10.0.0.32 to-ports=49152-65534
add action=dst-nat chain=dstnat dst-address=172.16.0.2 dst-port=21 protocol=tcp to-addresses=10.0.0.32 to-ports=21

What am I missing?

May you help me out with this please?

Thank you for your time, it is greatly appreciated.
 
SamusAran
just joined
Topic Author
Posts: 4
Joined: Thu Aug 11, 2022 5:34 pm

Re: Explicit FTP over TLS - Issues with configuration

Fri Aug 12, 2022 11:50 pm

Greetings,

After further testing, here is an update

From internal:
Plain FTP works as active.
Plain FTP works as passive.
Explicit FTP over TLS works as passive.
Explicit FTP over TLS as active does not work (cannot get directory listing).

From external:
Plain FTP works as active.
Plain FTP works as passive.
Explicit FTP over TLS does not work as passive (TLS handshake (initialization) and then timeout).
Explicit FTP over TLS does not work as active (TLS handshake (initialization) and then timeout).

Does that help in figuring out the problem please? Seems like something is blocking TLS...

Thank you for your time and help, it is greatly appreciated.
 
Sob
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Explicit FTP over TLS - Issues with configuration

Sat Aug 13, 2022 1:38 am

A bit of theory, FTP uses one control connection (default port 21) and separate data connections ("random" ports) for each transfer (file listing, download, upload). In original active mode, data connections are established from server to client. It has near zero chance to work in modern internet, because of NATs and firewalls (*). In newer passive mode, data connections are established from client to server. The idea is that server must have reachable port for control connection, and if it has one, it can probably have more.

(*) With plain unencrypted FTP, NATs and firewalls are handled by helpers that inspect control connection packets, look for addresses and ports of data connections, rewrite them if necessary and open ports in the firewall for them. But with an encrypted connection it's not possible, and you have to forward all data ports to the server and configure it correctly to use the right public address in responses to the PASV command.

So your internal results are as expected. No problem with plaintext, passive TLS works too (so server's firewall is probably configured correctly), and passive TLS fails, because it doesn't get through client's own firewall.

But external results with TLS are wrong. Data transfers could fail if you didn't properly forward all ports to the server. But you must be able to log in (no TLS failure), unless something wrongly interferes with the control connection. RouterOS doesn't do anything like that. So you should check the other machine (main firewall); I don't know it, so I don't know what exactly it may be trying to do.
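To make the two requirements in the post above concrete (the server must put its public address, not its LAN address, in the 227 PASV reply, because under TLS no NAT helper can rewrite it; and every port the server may hand out must already be forwarded by the dst-nat rule and allowed by the edge firewall policy), here is an added Python example. It is not code from this thread, from MikroTik or from WatchGuard. The public address 203.0.113.5 and all port ranges are constructed for the example; the last function goes slightly beyond the thread by comparing three ranges at once (server passive range, NAT forward range, firewall policy range) and listing the ports that would only fail sometimes.

```python
"""Checks for explicit FTP over TLS behind NAT (added example, constructed data).

Assumptions: 203.0.113.5 stands in for the public address the server should
advertise; the port ranges are made up for illustration.
"""
import ipaddress
import re
from typing import List, Tuple

# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -- address and port are
# encoded as six decimal octets; the port is p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Parse a 227 PASV reply into (address, port)."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_pasv(public_ip: str, port: int) -> str:
    """Build the reply a correctly configured server sends to an external
    client: its public address and a port from its passive range."""
    if not 1 <= port <= 65535:
        raise ValueError("bad port %d" % port)
    ipaddress.IPv4Address(public_ip)  # raises on a malformed address
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        public_ip.replace(".", ","), port // 256, port % 256)


def check_pasv(reply: str, public_ip: str, forwarded: Tuple[int, int],
               client_external: bool = True) -> List[str]:
    """Return the reasons an external client's data connection would fail
    for this PASV reply when the control channel is TLS-protected.

    Over plaintext a NAT/firewall helper could rewrite a private address and
    open the port on the fly; over TLS it cannot see the reply, so the server
    itself must advertise the public address and the port must already be
    forwarded (dst-nat) and allowed (edge firewall policy)."""
    addr, port = parse_pasv(reply)
    problems = []
    if client_external and addr != public_ip:
        kind = "private address" if ipaddress.ip_address(addr).is_private else "address"
        problems.append(
            "advertises %s %s instead of public address %s; under TLS no NAT "
            "helper can rewrite it, fix the server's external address setting"
            % (kind, addr, public_ip))
    lo, hi = forwarded
    if not lo <= port <= hi:
        problems.append("data port %d outside forwarded range %d-%d" % (port, lo, hi))
    return problems


def unforwarded_ports(server_range: Tuple[int, int], nat_range: Tuple[int, int],
                      fw_range: Tuple[int, int]) -> List[int]:
    """Ports the server may hand out in PASV that the dst-nat rule or the
    edge firewall policy would not pass. Each one is an intermittent
    'directory listing hangs after the TLS handshake' failure."""
    allowed = set(range(nat_range[0], nat_range[1] + 1)) & set(range(fw_range[0], fw_range[1] + 1))
    return sorted(p for p in range(server_range[0], server_range[1] + 1) if p not in allowed)


if __name__ == "__main__":
    # Constructed scenario: server on 10.0.0.32 still advertising its LAN address.
    bad = "227 Entering Passive Mode (10,0,0,32,192,1)"
    for p in check_pasv(bad, "203.0.113.5", (49152, 49252)):
        print("problem:", p)
    good = build_pasv("203.0.113.5", 49153)
    print(good, check_pasv(good, "203.0.113.5", (49152, 49252)))
    # Server passive range wider than the NAT/firewall range: partial failures.
    print(unforwarded_ports((49152, 49300), (49152, 65534), (49152, 49252)))
```

Run it against the 227 reply you see in a plaintext session from outside (the same server setting applies to the TLS session you cannot read); if the advertised address is the 10.0.0.x one, that is the setting to fix on the FTP server, independently of what the edge firewall does to the handshake.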
 
anav
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Explicit FTP over TLS - Issues with configuration

Sat Aug 13, 2022 2:26 am

A network diagram would help, not sure why you have such a convoluted setup.
Why not simply ditch the Watchguard?

If the Watchguard is an edge router, then don't bother trying to have it doing DHCP on the LAN behind the MT as well, or connected to any LAN, other than perhaps for management purposes.
Which can all be done on the one ether port, don't need two.
