Configure Microsoft IIS FTP Server over MikroTik Router: Step-by-Step Guide

To allow FTP access on port 21 from a remote client to an IIS server behind a MikroTik router, follow these steps to configure both the MikroTik router and the IIS server:

1. Configure IIS for FTP:

  1. Install FTP on IIS:
    • Open Server Manager > Add Roles and Features.
    • Select Web Server (IIS) > FTP Server and ensure the required FTP components are installed.
  2. Configure FTP Site in IIS:
    • Open IIS Manager.
    • Right-click on Sites > Add FTP Site.
    • Configure the site’s physical path (e.g., C:\inetpub\ftproot).
    • Configure Binding settings:
      • IP Address: Choose the IP address of the server (or use All Unassigned).
      • Port: Set to 21.
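      • SSL: Choose No SSL or Require SSL, depending on your security needs. With No SSL, the Basic authentication credentials and the transferred files cross the network in cleartext.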
    • Set Authentication (Basic) and Authorization rules to allow the necessary user access.
  3. Configure Firewall on IIS Server:
    • Allow FTP traffic through Windows Firewall.
    • Open Windows Firewall > Advanced Settings.
    • Add Inbound Rules to allow traffic on port 21 (FTP) and ports for Passive FTP (if used).
    netsh advfirewall firewall add rule name="FTP" protocol=TCP dir=in localport=21 action=allow

    For Passive FTP, add a range of ports (e.g., 50000-51000) to the firewall.

    netsh advfirewall firewall add rule name="FTP Passive" protocol=TCP dir=in localport=50000-51000 action=allow
  4. Configure Passive Mode in IIS:
    • In IIS Manager, select your FTP site.
    • Double-click on FTP Firewall Support.
    • Specify a range of ports (e.g., 50000-51000) for Passive Mode.
    • Set the External IP Address to your MikroTik router’s public IP.

2. Configure MikroTik Router:

  1. NAT Rule for FTP (Port Forwarding):
    • Log in to your MikroTik router via Winbox or SSH.
    • Go to IP > Firewall > NAT.
    • Add a new dstnat rule to forward FTP traffic from the public IP to the internal IIS server:
    /ip firewall nat add chain=dstnat protocol=tcp dst-port=21 action=dst-nat to-addresses=<Internal_IP_of_IIS_Server> to-ports=21

    Replace <Internal_IP_of_IIS_Server> with the internal IP address of your IIS server.

  2. NAT Rule for Passive FTP (if using Passive Mode):
    • Add another NAT rule for the passive port range (e.g., 50000-51000):
    /ip firewall nat add chain=dstnat protocol=tcp dst-port=50000-51000 action=dst-nat to-addresses=<Internal_IP_of_IIS_Server>
  3. Firewall Rules to Allow FTP Traffic:
    • Go to IP > Firewall > Filter Rules.
    • Add rules to allow FTP traffic (both port 21 and the passive range):
    /ip firewall filter add chain=forward protocol=tcp dst-port=21 action=accept
    /ip firewall filter add chain=forward protocol=tcp dst-port=50000-51000 action=accept
  4. Enable FTP Helper (Optional):
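    • Ensure the FTP helper is enabled, which helps handle FTP connections, especially for passive mode. The helper can only read an unencrypted control channel, so with Require SSL passive mode depends on the External IP Address and port range set in IIS and on the passive-range NAT rule above: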
    /ip firewall service-port enable ftp

3. Test the FTP Connection:

  • From an external client: Use an FTP client (like FileZilla) to connect to the public IP of your MikroTik router.
  • Configure FileZilla:
    • Host: Public IP of MikroTik router.
    • Username/Password: Credentials for the FTP user on IIS.
    • Port: 21.
    • Transfer Mode: Set to Passive if you configured Passive FTP.

If everything is configured correctly, you should be able to connect to the IIS FTP server from a remote location, with the MikroTik router forwarding the traffic to the internal server.
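
If the login succeeds but directory listings or transfers hang, the usual cause is the passive-mode reply: the server advertises its internal address or a data port outside the forwarded range. The following check is an added example, not part of the original guide; the function names are hypothetical, 203.0.113.10 stands in for the router's public IP, and the sample replies are constructed.

```python
import ftplib
import ipaddress
import re

# RFC 1918 ranges: an address from these in a 227 reply is unreachable from outside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (ip, port) from a reply like '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'"""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"octet out of range in: {reply!r}")
    # The data port is encoded as two bytes: p1 * 256 + p2.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_pasv(reply, public_ip, port_range=(50000, 51000)):
    """Return a list of problems; an empty list means the reply matches the guide's setup."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        leaked = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        hint = " (internal address; set External IP Address in FTP Firewall Support)" if leaked else ""
        problems.append(f"advertised address {ip} != {public_ip}{hint}")
    if not port_range[0] <= port <= port_range[1]:
        problems.append(f"data port {port} outside forwarded range {port_range[0]}-{port_range[1]}")
    return problems

def fetch_pasv_reply(host, user, password, port=21):
    """Log in over plain FTP and return the server's raw reply to PASV."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        return ftp.sendcmd("PASV")

if __name__ == "__main__":
    # Constructed sample replies (documentation addresses), not captured from a real server.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,195,80).",
        "227 Entering Passive Mode (192,168,88,10,195,100).",
        "227 Entering Passive Mode (203,0,113,10,4,1).",
    ]
    for s in samples:
        print(s, "->", check_pasv(s, "203.0.113.10") or "OK")
```

To test a live setup from an external client, pass the result of fetch_pasv_reply(public_ip, user, password) to check_pasv in place of a sample string.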
