Trying to allow inbound traffic but it's being dropped



  • I'm running 2.2.3.

    I'm trying to allow inbound FTP from a single host.  I have a rule that allows inbound FTP on TCP 21 from this single host, and several other hosts.  The host isn't able to connect, and the logs show that his attempts are being dropped in the "Block all" rule.  For some reason, his attempts aren't triggering the rule to allow that traffic, and I'm stumped as to why.

    No other hosts have problems connecting and transferring files, just this one.  I'd be grateful if anyone had suggestions on troubleshooting this.



  • Post the rules on the interface concerned, and IP address of the host, and contents of any aliases you might have made and used.
    There is going to be some critical little setting in the rule that causes it not to match.



  • Here we go.  Here's the log with the host IP:

    Here's the rule:

    Here's the alias:

    None of the other 3 hosts in there ^^^ have any problems.  There's no trailing space or extra characters at the end of the problem hosts' IP address or anything like that.



  • You must have a port forward also to get to the internal private IP address. If the port forward is not applying to traffic from the problem public source IP, then the destination address won't be getting the NAT applied to it, then the rule will not match.
    So maybe there is some issue with the port forward?



  • Here's the port forward:

    I included the forward for the passive ports, also (there's a corresponding rule for them as well).



  • The port forward looks fine, and since it is applied to all source addresses, it is not going to pick out that special public source IP. I now realize that the blocks reported in the log have 192.168.1.100:21 already reported - so that already showed that the port forward was working OK.
    Are the blocks really associated with the "block all" rule? Or maybe the block is coming from some other rule? Are there any other block rules in the Floating tab? Or higher up the ruleset above the pass rule?

    Apart from that, I am struggling to see why the block is happening - others feel free to give ideas…


  • Banned

    Why did you disable the Filter rule association on the NAT rules? You only have port forward there, but no FW rule created on WAN. (See the missing green god knows what which you have on the first line…) Ditto for the passive ports. Use the FTPAllowHosts alias as source on the NAT rules and do NOT mess with that dropdown box.

    Beyond that - when you click the red X in the firewall logs, you'll see which firewall rule blocks the traffic. (Cannot even guess since there's no screenshot of any rules on WAN.)



  • The OP does not actually want to allow traffic from any source IP through the port forward/firewall in to the FTP server. In that case, the associated filter rule is not appropriate and he is trying to put his one (more restrictive) rule. In theory it should work.

    Of course you could also make the port forwarding rule more restrictive, specifying just the alias of allowed public IPs as the source. Then you can use the "associated filter rule" option and remove the special rule now in the WAN firewall rules. That might be easier and less prone to having some odd error.



  • Are you sure 192.168.1.100 is in the alias used for the destination IP?



  • @doktornotor:

    Why did you disable the Filter rule association on the NAT rules? You only have port forward there, but no FW rule created on WAN. (See the missing green god knows what which you have on the first line…) Ditto for the passive ports. Use the FTPAllowHosts alias as source on the NAT rules and do NOT mess with that dropdown box.

    Beyond that - when you click the red X in the firewall logs, you'll see which firewall rule blocks the traffic. (Cannot even guess since there's no screenshot of any rules on WAN.)

    Hmmmm, I wasn't aware I had actively disabled anything, really.  I've had this in place for so long and haven't messed with it, that I don't honestly remember disabling that when creating them all those years ago.  In any case, I've re-enabled Pass for the NAT rules for both TCP 21 and also for the passive port range.

    As for the firewall logs, I wish I had taken a screenshot of the popup message from clicking the red X, too, but it's no longer in my logs so I'll need to have the host make another attempt.



  • @Harvy66:

    Are you sure 192.168.1.100 is in the alias used for the destination IP?

    Yes, positive.


Log in to reply