DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2850 firewall setup

30 Jan 2013 13:15 #75025 by mikeyd1973
2850 firewall setup was created by mikeyd1973
I'm having some issues working with the firewall on a new 2850. I want to allow FTP access to my NAS (inside the router) but only from known IP addresses.

I have added an entry in NAT/Open Ports to allow TCP port 21 traffic (FTP) to 192.168.1.252 via WAN1.

Within Firewall/General Setup, I have disabled the "Call Filter" (can't see a real benefit for it) and under "Default Rule", have set "Filter" to Block (to block all traffic)

Within Firewall/Filter Setup/Filter Set 2 (default data filter), I have created (in order):

Allow_all_out - Direction LAN/RT/VPN -> WAN (to allow outbound traffic)
Source Any
Dest Any
Service Any
Filter - Pass Immediately

Block_all_in - Direction WAN -> LAN/RT/VPN (to block all inbound traffic)
Source Any
Dest Any
Service Any
Filter - Block (have also tried block if no further match)

ftp_work_in - Direction WAN -> LAN/RT/VPN (to allow access from the specified IP address)
Source (my work public IP address)
Dest 192.168.1.252
Service TCP port 21
Filter - pass immediately

Yet, I can't get it to work as I want. Can anyone help?

Thanks,
Mike

30 Jan 2013 15:26 #75027 by sicon
Replied by sicon on topic Re: 2850 firewall setup
Have you opened the port or port forwarded port 21?

Your first rule is not needed as it will allow all outgoing as default.

30 Jan 2013 15:36 #75028 by sicon
Replied by sicon on topic Re: 2850 firewall setup
You shouldn't even need the firewall rule.
I have one set up and just opened the port for the LAN IP.

30 Jan 2013 16:21 #75031 by mikeyd1973
Replied by mikeyd1973 on topic Re: 2850 firewall setup
Hi Sicon,

Yep, the port is forwarded as required in the NAT section --> I have added an entry in NAT/Open Ports to allow TCP port 21 traffic (FTP) to 192.168.1.252 via WAN1.

I created the first rule because I set the firewall to block all traffic (including outgoing) --> Within Firewall/General Setup, I have disabled the "Call Filter" (can't see a real benefit for it) and under "Default Rule", have set "Filter" to Block (to block all traffic)

I need to create the firewall rule because I only want one host to be able to access via FTP. If I open up the port using NAT, anyone can then connect.

Regards,
Mike

30 Jan 2013 16:44 #75032 by sicon
Replied by sicon on topic Re: 2850 firewall setup
OK, what does the syslog say when you try to make the connection?

Is your work public IP address another site or connection?
On the Block all rule you must have the block all unless further match, otherwise the logic on the firewall rule will stop at the Block all rule.

Also, you must set up the rules under "default data rule", not the default call rule, unless you have changed the general settings from the default; otherwise it's looking at the wrong set for the data filtering.

30 Jan 2013 20:46 #75037 by voodle
Replied by voodle on topic Re: 2850 firewall setup
Here's how to set up that allow rule:


You will also need to change the block rule to "Block if no further match", or move it down so that the FTP allow rule goes first, because a Block Immediately rule before an exception will mean the firewall stops processing at the Block Immediately rule. Otherwise, looks good :)

Moderators: Sami
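
The rule-ordering behaviour described in the replies above, as an added example that is not part of the original thread and not DrayTek's code: a small Python model of filter evaluation applied to the three rules from the first post. The evaluation semantics are an assumption taken from the replies, the rule is assumed to see the post-NAT destination as in the poster's own rule, and `203.0.113.10` and `198.51.100.7` are constructed placeholder addresses.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in" = WAN -> LAN/RT/VPN, "out" = LAN/RT/VPN -> WAN
    src: str              # CIDR; "0.0.0.0/0" stands for Any
    dst: str
    port: Optional[int]   # None stands for Service Any
    action: str           # pass | block | pass_if_no_further | block_if_no_further

def matches(rule, pkt):
    return (rule.direction == pkt["dir"]
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and rule.port in (None, pkt["port"]))

def evaluate(rules, pkt, default="block"):
    """Return (verdict, deciding rule). Assumed semantics, taken from the thread."""
    verdict, decided_by = default, "Default Rule"
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action in ("pass", "block"):   # immediate: stop processing here
            return rule.action, rule.name
        # "... if no further match": remember the verdict, keep evaluating
        verdict, decided_by = rule.action.split("_")[0], rule.name
    return verdict, decided_by

ANY, NAS = "0.0.0.0/0", "192.168.1.252/32"
WORK_IP = "203.0.113.10"   # constructed placeholder for the poster's work address
allow_out = Rule("Allow_all_out", "out", ANY, ANY, None, "pass")
block_in = Rule("Block_all_in", "in", ANY, ANY, None, "block")
ftp_in = Rule("ftp_work_in", "in", WORK_IP + "/32", NAS, 21, "pass")

AS_POSTED = [allow_out, block_in, ftp_in]          # block fires before the exception
FIX_TENTATIVE = [allow_out, replace(block_in, action="block_if_no_further"), ftp_in]
FIX_REORDERED = [allow_out, ftp_in, block_in]      # exception moved above the block

# Constructed test packets: FTP control connections (TCP 21 only) arriving on WAN1
FROM_WORK = {"dir": "in", "src": WORK_IP, "dst": "192.168.1.252", "port": 21}
FROM_OTHER = {"dir": "in", "src": "198.51.100.7", "dst": "192.168.1.252", "port": 21}

if __name__ == "__main__":
    for label, rules in [("as posted", AS_POSTED),
                         ("block if no further match", FIX_TENTATIVE),
                         ("allow rule first", FIX_REORDERED)]:
        print(label, evaluate(rules, FROM_WORK), evaluate(rules, FROM_OTHER))
```

With the rules as posted, the work address is dropped by `Block_all_in` before `ftp_work_in` is ever consulted; either fix lets the work address through while every other source is still blocked.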