Setting up FTP file transfer between your MikroTik router and an FTP client is quite easy. This guide will show you how to allow local and remote users access to your router's file system using FTP.
Local FTP Access:
Log in to your router and enable the FTP IP service by opening a new terminal and typing the following:
ip service enable ftp
We now need to create a firewall filter to allow local devices to access it. We'll do the same for remote access later on. The "place-before" parameter tells the firewall where to place the new filter. You will need to take a look at your filters and determine the best placement:
ip firewall filter add chain=input src-address=<YOUR LOCAL SUBNET> dst-address=<YOUR ROUTERS IP> protocol=tcp dst-port=21 action=accept place-before=6 comment=Allow_FTP_From_Local
Next we need to think about users, and what we want people to be able to do on our server. Customising permissions is quite easy through the users and user groups menu. To start I’ll create a user group that can only read and download FTP files from the server. If you would like a user that can also write, e.g. upload files, simply add “write” to the list of policies:
user group add name=FTP_Read policy=read,ftp
Notice how the permissions for the group are separated with commas. Now let's create a user and put it in that group so that the permissions are inherited:
user add name=<Username> group=FTP_Read password=<Strong Password>
Using those credentials you’ll be able to log in to the FTP server through an FTP client, without being able to change things on the router itself.
Remote FTP Access:
That’s all you need to do to set up a local FTP server. If for some reason you want the server to be publicly reachable (which I highly recommend not using your router for), you can do this in a number of ways. Option one is to create a filter rule to allow incoming connections through the router's public IP to access the server on port 21. This may or may not work depending on your firewall setup (be as specific as you like):
ip firewall filter add chain=input action=accept protocol=tcp dst-port=21
The other, safer way would be to create an IP whitelist that only includes certain public IP addresses of networks that you trust:
ip firewall address-list add list=Whitelist address=<Public IP>
Next we can create a filter that allows input on TCP port 21 from the whitelist only:
ip firewall filter add chain=input action=accept protocol=tcp dst-port=21 src-address-list=Whitelist
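Alternatively, you can put the whitelist in src-address-list and invert it to tell the firewall to drop anything going to TCP port 21 unless it comes from an IP address in the whitelist. Only the address list is inverted: a rule matches when all of its conditions are true, so inverting dst-port as well would drop every other TCP port and leave port 21 untouched. If you have a filter rule that blocks all input from the WAN interface, the whitelist accept rule above still has to be placed before it:
ip firewall filter add chain=input action=drop src-address-list=!Whitelist protocol=tcp dst-port=21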
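Added example, not part of the original guide: a small Python model of how a single input-chain filter rule is evaluated (all matchers in a rule are ANDed, the first matching rule decides, and a packet that matches no rule is accepted). It compares a drop rule that negates both the address list and the port with one that negates only the address list. The addresses and function names are constructed for illustration, and each rule is modelled in isolation.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, not from the guide.
WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]

def in_whitelist(src):
    return any(ipaddress.ip_address(src) in net for net in WHITELIST)

def rule(action, port, negate_port=False, negate_list=False):
    """One TCP filter rule: every matcher must hold (logical AND) to fire."""
    def matches(src, dst_port):
        port_ok = (dst_port == port) != negate_port   # dst-port=21 or dst-port=!21
        list_ok = in_whitelist(src) != negate_list    # src-address-list=[!]Whitelist
        return port_ok and list_ok
    return action, matches

def evaluate(rules, src, dst_port):
    """First matching rule decides; a packet matching no rule is accepted."""
    for action, matches in rules:
        if matches(src, dst_port):
            return action
    return "accept"

# action=drop src-address-list=!Whitelist protocol=tcp dst-port=!21
DOUBLE_NEGATED = [rule("drop", 21, negate_port=True, negate_list=True)]
# action=drop src-address-list=!Whitelist protocol=tcp dst-port=21
LIST_NEGATED = [rule("drop", 21, negate_list=True)]

def ftp_exposure(rules):
    """Return the verdicts for TCP port 21 as (whitelisted, not whitelisted)."""
    return (evaluate(rules, "203.0.113.10", 21),
            evaluate(rules, "198.51.100.7", 21))

if __name__ == "__main__":
    for name, rules in (("dst-port=!21", DOUBLE_NEGATED),
                        ("dst-port=21", LIST_NEGATED)):
        print(name, ftp_exposure(rules))
```

With both matchers negated, port 21 never matches the drop rule, so FTP stays reachable from any source while every other TCP port is dropped for non-whitelisted sources.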