To access your FTP server at 192.168.100.95 from the WAN, you need to configure NAT port forwarding and firewall rules:<\/p>\n\n\n\n
# Forward FTP control port (21) from WAN to DMZ server\nset nat destination rule 110 description 'Forward FTP to DMZ server'\nset nat destination rule 110 destination port '21'\nset nat destination rule 110 inbound-interface name 'eth2.201'\nset nat destination rule 110 protocol 'tcp'\nset nat destination rule 110 translation address '192.168.100.95'\nset nat destination rule 110 translation port '21'\n<\/code><\/pre>\n\n\n\n2. Add Firewall Forward Rule<\/h2>\n\n\n\n# Allow FTP traffic from WAN to DMZ server\nset firewall ipv4 forward filter rule 35 action 'accept'\nset firewall ipv4 forward filter rule 35 description 'Allow FTP from WAN to DMZ'\nset firewall ipv4 forward filter rule 35 destination address '192.168.100.95'\nset firewall ipv4 forward filter rule 35 destination port '21'\nset firewall ipv4 forward filter rule 35 inbound-interface name 'eth2.201'\nset firewall ipv4 forward filter rule 35 outbound-interface name 'br1'\nset firewall ipv4 forward filter rule 35 protocol 'tcp'\n<\/code><\/pre>\n\n\n\n3. For Passive FTP (Recommended)<\/h2>\n\n\n\n
If using passive FTP, you need to forward the passive port range. Configure your FTP server to use a specific passive port range (e.g., 50000-51000), then:<\/p>\n\n\n\n
# Forward passive FTP port range\nset nat destination rule 111 description 'Forward FTP passive ports to DMZ'\nset nat destination rule 111 destination port '50000-51000'\nset nat destination rule 111 inbound-interface name 'eth2.201'\nset nat destination rule 111 protocol 'tcp'\nset nat destination rule 111 translation address '192.168.100.95'\n\n# Allow passive FTP ports through firewall\nset firewall ipv4 forward filter rule 36 action 'accept'\nset firewall ipv4 forward filter rule 36 description 'Allow FTP passive from WAN to DMZ'\nset firewall ipv4 forward filter rule 36 destination address '192.168.100.95'\nset firewall ipv4 forward filter rule 36 destination port '50000-51000'\nset firewall ipv4 forward filter rule 36 inbound-interface name 'eth2.201'\nset firewall ipv4 forward filter rule 36 outbound-interface name 'br1'\nset firewall ipv4 forward filter rule 36 protocol 'tcp'\n<\/code><\/pre>\n\n\n\n4. Apply Configuration<\/h2>\n\n\n\ncommit\nsave\n<\/code><\/pre>\n\n\n\n5. Verify FTP Conntrack Module<\/h2>\n\n\n\n
Good news! Your config already has FTP connection tracking enabled:<\/p>\n\n\n\n
set system conntrack modules ftp\n<\/code><\/pre>\n\n\n\nThis helps the firewall understand FTP’s secondary data connections.<\/p>\n\n\n\n
Access from WAN<\/h2>\n\n\n\n
Once configured, access your FTP server using your WAN IP address:<\/p>\n\n\n\n
ftp <your-wan-ip>\n<\/code><\/pre>\n\n\n\nImportant Notes:<\/h2>\n\n\n\n\n- Get your WAN IP<\/strong>: Run
show interfaces ethernet eth2.201<\/code> to see your current WAN IP<\/li>\n\n\n\n- FTP Server Configuration<\/strong>: Make sure your FTP server (at 192.168.100.95) is configured for:\n
\n- Passive mode with the port range you forwarded (50000-51000)<\/li>\n\n\n\n
- The correct external IP address for passive mode announcements<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Security<\/strong>: Consider using SFTP (port 22) or FTPS (ports 21, 990) instead of plain FTP for better security<\/li>\n<\/ol>\n\n\n\n
Testing:<\/h2>\n\n\n\n# From outside your network, test FTP connection\ntelnet <your-wan-ip> 21\n\n# Or use FTP client\nftp <your-wan-ip>\n<\/code><\/pre>\n\n\n\nWould you like help configuring secure FTP (FTPS) or SFTP instead?<\/p>\n","protected":false},"excerpt":{"rendered":"
To access your FTP server at 192.168.100.95 from the WAN, you need to configure NAT port forwarding and firewall rules: 1. Configure NAT Destination Rule (Port Forwarding) 2.<\/p>\n