RUT955 latest firmware ftp port forwarding

Hi, I’m having a headache trying to make FTP work on the new RUT955 firmware. We have dozens that are working correctly, but all with the previous firmware. The router is connected via an IPsec tunnel to our Fortinet gate. With 7.06.3 all works fine except FTP forwarding. I have GNSS receivers behind the router at 192.168.1.100 (our standard configuration) that have an embedded standard FTP server. Each router tunnel “rewrites” to an internal IP.

This is the output of the iptables -S command from the non-working router, followed by the output of the same command from a working one (firmware 6.07):

root@ISPRA151:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_ACCEPT
-A INPUT -m set --match-set ipb_port_dest src,dst,dst -j DROP
-A INPUT -m set --match-set ipb_port src,dst -j DROP
-A INPUT -m set --match-set ipb_mac src -j DROP
-A INPUT -i lo -m comment --comment “!fw3” -j ACCEPT
-A INPUT -m comment --comment “!fw3: Custom input rule chain” -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment “!fw3” -j syn_flood
-A INPUT -i br-lan -m comment --comment “!fw3” -j zone_lan_input
-A INPUT -i eth1 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i wwan0 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i qmimux0 -m comment --comment “!fw3” -j zone_wan_input
-A FORWARD -s 10.158.0.0/16 -d 10.20.0.151/32 -i qmimux0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.20.0.151/32 -d 10.158.0.0/16 -o qmimux0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m set --match-set ipb_port_dest src,dst,dst -j DROP
-A FORWARD -m set --match-set ipb_port src,dst -j DROP
-A FORWARD -m set --match-set ipb_mac src -j DROP
-A FORWARD -m comment --comment “!fw3: Custom forwarding rule chain” -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A FORWARD -i br-lan -m comment --comment “!fw3” -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i wwan0 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i qmimux0 -m comment --comment “!fw3” -j zone_wan_forward
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -o lo -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -m comment --comment “!fw3: Custom output rule chain” -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment “!fw3” -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o wwan0 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o qmimux0 -m comment --comment “!fw3” -j zone_wan_output
-A reject -p tcp -m comment --comment “!fw3” -j REJECT --reject-with tcp-reset
-A reject -m comment --comment “!fw3” -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment “!fw3” -j RETURN
-A syn_flood -m comment --comment “!fw3” -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment “!fw3” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: Custom lan forwarding rule chain” -j forwarding_lan_rule
-A zone_lan_forward -s 192.168.0.0/24 -d 10.158.0.0/16 -p tcp -m comment --comment “!fw3: LAN_to_IPSEC” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.0.0/24 -d 10.158.0.0/16 -p udp -m comment --comment “!fw3: LAN_to_IPSEC” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: Zone lan to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment “!fw3: Custom lan input rule chain” -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_lan_input -m comment --comment “!fw3” -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment “!fw3: Custom lan output rule chain” -j output_lan_rule
-A zone_lan_output -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o qmimux0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o qmimux0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_forward -m comment --comment “!fw3: Custom wan forwarding rule chain” -j forwarding_wan_rule
-A zone_wan_forward -s 10.158.0.0/16 -d 192.168.1.100/32 -p udp -m comment --comment “!fw3: NAT_TO_IPSEC” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -s 10.158.0.0/16 -d 192.168.1.100/32 -p tcp -m comment --comment “!fw3: NAT_TO_IPSEC” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m comment --comment “!fw3: Allow-passthrough-traffic” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m comment --comment “!fw3: Allow-passthrough-traffic” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment “!fw3: Zone wan to lan forwarding policy” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wan_forward -m comment --comment “!fw3” -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment “!fw3: Custom wan input rule chain” -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment “!fw3: Allow-DHCP-Renew” -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment “!fw3: Allow-Ping” -j ACCEPT
-A zone_wan_input -p tcp -m comment --comment “!fw3: Allow-vpn-traffic” -j ACCEPT
-A zone_wan_input -p udp -m comment --comment “!fw3: Allow-vpn-traffic” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment “!fw3: Enable_SSH_WAN” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 22 -m comment --comment “!fw3: Enable_SSH_WAN” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 4200:4220 -m comment --comment “!fw3: Enable_CLI_WAN” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4200:4220 -m comment --comment “!fw3: Enable_CLI_WAN” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment “!fw3: Enable_HTTP_WAN” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 80 -m comment --comment “!fw3: Enable_HTTP_WAN” -j ACCEPT
-A zone_wan_input -p esp -m comment --comment “!fw3: Allow-IPsec-ESP” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment “!fw3: Allow-IPsec-NAT-T” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment “!fw3: Allow-IPsec-IKE” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --sport 8080 -m comment --comment “!fw3: IPSEC_TO_WEBUI” -j ACCEPT
-A zone_wan_input -p udp -m udp --sport 8080 -m comment --comment “!fw3: IPSEC_TO_WEBUI” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 502 -m comment --comment “!fw3: Enable_MODBUSD_WAN” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1883 -m comment --comment “!fw3: Enable_MQTT_WAN” -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wan_input -m comment --comment “!fw3” -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment “!fw3: Custom wan output rule chain” -j output_wan_rule
-A zone_wan_output -m comment --comment “!fw3” -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_src_ACCEPT -i wwan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_src_ACCEPT -i qmimux0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
root@ISPRA151:~#

and the working one:

root@ISPRA_152_RGCL:~# ftp
-ash: ftp: not found
root@ISPRA_152_RGCL:~# iptables-S
-ash: iptables-S: not found
root@ISPRA_152_RGCL:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forwarding_gre_rule
-N forwarding_hotspot_rule
-N forwarding_l2tp_rule
-N forwarding_lan_rule
-N forwarding_pptp_rule
-N forwarding_rule
-N forwarding_sstp_rule
-N forwarding_vpn_rule
-N forwarding_wan_rule
-N input_gre_rule
-N input_hotspot_rule
-N input_l2tp_rule
-N input_lan_rule
-N input_pptp_rule
-N input_rule
-N input_sstp_rule
-N input_vpn_rule
-N input_wan_rule
-N output_gre_rule
-N output_hotspot_rule
-N output_l2tp_rule
-N output_lan_rule
-N output_pptp_rule
-N output_rule
-N output_sstp_rule
-N output_vpn_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_gre_dest_ACCEPT
-N zone_gre_dest_REJECT
-N zone_gre_forward
-N zone_gre_input
-N zone_gre_output
-N zone_gre_src_ACCEPT
-N zone_gre_src_REJECT
-N zone_hotspot_dest_ACCEPT
-N zone_hotspot_dest_REJECT
-N zone_hotspot_forward
-N zone_hotspot_input
-N zone_hotspot_output
-N zone_hotspot_src_REJECT
-N zone_l2tp_dest_ACCEPT
-N zone_l2tp_forward
-N zone_l2tp_input
-N zone_l2tp_output
-N zone_l2tp_src_ACCEPT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_pptp_dest_ACCEPT
-N zone_pptp_dest_REJECT
-N zone_pptp_forward
-N zone_pptp_input
-N zone_pptp_output
-N zone_pptp_src_ACCEPT
-N zone_pptp_src_REJECT
-N zone_sstp_dest_ACCEPT
-N zone_sstp_dest_REJECT
-N zone_sstp_forward
-N zone_sstp_input
-N zone_sstp_output
-N zone_sstp_src_REJECT
-N zone_vpn_dest_ACCEPT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_ACCEPT
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment “!fw3” -j ACCEPT
-A INPUT -m comment --comment “!fw3: user chain for input” -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment “!fw3” -j syn_flood
-A INPUT -i br-lan -m comment --comment “!fw3” -j zone_lan_input
-A INPUT -i wwan0 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i tun_+ -m comment --comment “!fw3” -j zone_vpn_input
-A INPUT -i l2tp+ -m comment --comment “!fw3” -j zone_l2tp_input
-A INPUT -i xl2tp+ -m comment --comment “!fw3” -j zone_l2tp_input
-A INPUT -i pptp+ -m comment --comment “!fw3” -j zone_pptp_input
-A INPUT -i gre+ -m comment --comment “!fw3” -j zone_gre_input
-A INPUT -i tun0 -m comment --comment “!fw3” -j zone_hotspot_input
-A INPUT -i tun1 -m comment --comment “!fw3” -j zone_hotspot_input
-A INPUT -i tun2 -m comment --comment “!fw3” -j zone_hotspot_input
-A INPUT -i tun3 -m comment --comment “!fw3” -j zone_hotspot_input
-A INPUT -i sstp-+ -m comment --comment “!fw3” -j zone_sstp_input
-A INPUT -m comment --comment “!fw3” -j reject
-A FORWARD -s 10.158.0.0/16 -d 10.20.0.152/32 -i wwan0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.20.0.152/32 -d 10.158.0.0/16 -o wwan0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m comment --comment “!fw3: user chain for forwarding” -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A FORWARD -p icmp -m comment --comment “!fw3: ping_Ispra” -j zone_wan_dest_ACCEPT
-A FORWARD -i br-lan -m comment --comment “!fw3” -j zone_lan_forward
-A FORWARD -i wwan0 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i tun_+ -m comment --comment “!fw3” -j zone_vpn_forward
-A FORWARD -i l2tp+ -m comment --comment “!fw3” -j zone_l2tp_forward
-A FORWARD -i xl2tp+ -m comment --comment “!fw3” -j zone_l2tp_forward
-A FORWARD -i pptp+ -m comment --comment “!fw3” -j zone_pptp_forward
-A FORWARD -i gre+ -m comment --comment “!fw3” -j zone_gre_forward
-A FORWARD -i tun0 -m comment --comment “!fw3” -j zone_hotspot_forward
-A FORWARD -i tun1 -m comment --comment “!fw3” -j zone_hotspot_forward
-A FORWARD -i tun2 -m comment --comment “!fw3” -j zone_hotspot_forward
-A FORWARD -i tun3 -m comment --comment “!fw3” -j zone_hotspot_forward
-A FORWARD -i sstp-+ -m comment --comment “!fw3” -j zone_sstp_forward
-A FORWARD -m comment --comment “!fw3” -j reject
-A OUTPUT -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -o lo -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -m comment --comment “!fw3: user chain for output” -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment “!fw3” -j zone_lan_output
-A OUTPUT -o wwan0 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o tun_+ -m comment --comment “!fw3” -j zone_vpn_output
-A OUTPUT -o l2tp+ -m comment --comment “!fw3” -j zone_l2tp_output
-A OUTPUT -o xl2tp+ -m comment --comment “!fw3” -j zone_l2tp_output
-A OUTPUT -o pptp+ -m comment --comment “!fw3” -j zone_pptp_output
-A OUTPUT -o gre+ -m comment --comment “!fw3” -j zone_gre_output
-A OUTPUT -o tun0 -m comment --comment “!fw3” -j zone_hotspot_output
-A OUTPUT -o tun1 -m comment --comment “!fw3” -j zone_hotspot_output
-A OUTPUT -o tun2 -m comment --comment “!fw3” -j zone_hotspot_output
-A OUTPUT -o tun3 -m comment --comment “!fw3” -j zone_hotspot_output
-A OUTPUT -o sstp-+ -m comment --comment “!fw3” -j zone_sstp_output
-A reject -p tcp -m comment --comment “!fw3” -j REJECT --reject-with tcp-reset
-A reject -m comment --comment “!fw3” -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment “!fw3” -j RETURN
-A syn_flood -m comment --comment “!fw3” -j DROP
-A zone_gre_dest_ACCEPT -o gre+ -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_gre_dest_ACCEPT -o gre+ -m comment --comment “!fw3” -j ACCEPT
-A zone_gre_dest_REJECT -o gre+ -m comment --comment “!fw3” -j reject
-A zone_gre_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_gre_rule
-A zone_gre_forward -m comment --comment “!fw3: forwarding gre → lan” -j zone_lan_dest_ACCEPT
-A zone_gre_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_gre_forward -m comment --comment “!fw3” -j zone_gre_src_REJECT
-A zone_gre_input -m comment --comment “!fw3: user chain for input” -j input_gre_rule
-A zone_gre_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_gre_input -m comment --comment “!fw3” -j zone_gre_src_ACCEPT
-A zone_gre_output -m comment --comment “!fw3: user chain for output” -j output_gre_rule
-A zone_gre_output -m comment --comment “!fw3” -j zone_gre_dest_ACCEPT
-A zone_gre_src_ACCEPT -i gre+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_gre_src_REJECT -i gre+ -m comment --comment “!fw3” -j reject
-A zone_hotspot_dest_ACCEPT -o tun0 -m comment --comment “!fw3” -j ACCEPT
-A zone_hotspot_dest_ACCEPT -o tun1 -m comment --comment “!fw3” -j ACCEPT
-A zone_hotspot_dest_ACCEPT -o tun2 -m comment --comment “!fw3” -j ACCEPT
-A zone_hotspot_dest_ACCEPT -o tun3 -m comment --comment “!fw3” -j ACCEPT
-A zone_hotspot_dest_REJECT -o tun0 -m comment --comment “!fw3” -j reject
-A zone_hotspot_dest_REJECT -o tun1 -m comment --comment “!fw3” -j reject
-A zone_hotspot_dest_REJECT -o tun2 -m comment --comment “!fw3” -j reject
-A zone_hotspot_dest_REJECT -o tun3 -m comment --comment “!fw3” -j reject
-A zone_hotspot_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_hotspot_rule
-A zone_hotspot_forward -m comment --comment “!fw3: forwarding hotspot → wan” -j zone_wan_dest_ACCEPT
-A zone_hotspot_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_hotspot_forward -m comment --comment “!fw3” -j zone_hotspot_src_REJECT
-A zone_hotspot_input -m comment --comment “!fw3: user chain for input” -j input_hotspot_rule
-A zone_hotspot_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_hotspot_input -m comment --comment “!fw3” -j zone_hotspot_src_REJECT
-A zone_hotspot_output -m comment --comment “!fw3: user chain for output” -j output_hotspot_rule
-A zone_hotspot_output -m comment --comment “!fw3” -j zone_hotspot_dest_ACCEPT
-A zone_hotspot_src_REJECT -i tun0 -m comment --comment “!fw3” -j reject
-A zone_hotspot_src_REJECT -i tun1 -m comment --comment “!fw3” -j reject
-A zone_hotspot_src_REJECT -i tun2 -m comment --comment “!fw3” -j reject
-A zone_hotspot_src_REJECT -i tun3 -m comment --comment “!fw3” -j reject
-A zone_l2tp_dest_ACCEPT -o l2tp+ -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_l2tp_dest_ACCEPT -o l2tp+ -m comment --comment “!fw3” -j ACCEPT
-A zone_l2tp_dest_ACCEPT -o xl2tp+ -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_l2tp_dest_ACCEPT -o xl2tp+ -m comment --comment “!fw3” -j ACCEPT
-A zone_l2tp_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_l2tp_rule
-A zone_l2tp_forward -m comment --comment “!fw3: forwarding l2tp → lan” -j zone_lan_dest_ACCEPT
-A zone_l2tp_forward -m comment --comment “!fw3: forwarding l2tp → vpn” -j zone_vpn_dest_ACCEPT
-A zone_l2tp_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_l2tp_forward -m comment --comment “!fw3” -j zone_l2tp_src_ACCEPT
-A zone_l2tp_input -m comment --comment “!fw3: user chain for input” -j input_l2tp_rule
-A zone_l2tp_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_l2tp_input -m comment --comment “!fw3” -j zone_l2tp_src_ACCEPT
-A zone_l2tp_output -m comment --comment “!fw3: user chain for output” -j output_l2tp_rule
-A zone_l2tp_output -m comment --comment “!fw3” -j zone_l2tp_dest_ACCEPT
-A zone_l2tp_src_ACCEPT -i l2tp+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_l2tp_src_ACCEPT -i xl2tp+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment “!fw3” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_lan_rule
-A zone_lan_forward -s 192.168.1.0/24 -d 10.158.0.0/16 -p tcp -m comment --comment “!fw3: NAT_TO_IPSEC” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/24 -d 10.158.0.0/16 -p udp -m comment --comment “!fw3: NAT_TO_IPSEC” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -p icmp -m comment --comment “!fw3: Ping” -j ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3” -j zone_lan_src_ACCEPT
-A zone_lan_input -m comment --comment “!fw3: user chain for input” -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_lan_input -m comment --comment “!fw3” -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment “!fw3: user chain for output” -j output_lan_rule
-A zone_lan_output -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_pptp_dest_ACCEPT -o pptp+ -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_pptp_dest_ACCEPT -o pptp+ -m comment --comment “!fw3” -j ACCEPT
-A zone_pptp_dest_REJECT -o pptp+ -m comment --comment “!fw3” -j reject
-A zone_pptp_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_pptp_rule
-A zone_pptp_forward -m comment --comment “!fw3: forwarding pptp → lan” -j zone_lan_dest_ACCEPT
-A zone_pptp_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_pptp_forward -m comment --comment “!fw3” -j zone_pptp_src_REJECT
-A zone_pptp_input -m comment --comment “!fw3: user chain for input” -j input_pptp_rule
-A zone_pptp_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_pptp_input -m comment --comment “!fw3” -j zone_pptp_src_ACCEPT
-A zone_pptp_output -m comment --comment “!fw3: user chain for output” -j output_pptp_rule
-A zone_pptp_output -m comment --comment “!fw3” -j zone_pptp_dest_ACCEPT
-A zone_pptp_src_ACCEPT -i pptp+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_pptp_src_REJECT -i pptp+ -m comment --comment “!fw3” -j reject
-A zone_sstp_dest_ACCEPT -o sstp-+ -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_sstp_dest_ACCEPT -o sstp-+ -m comment --comment “!fw3” -j ACCEPT
-A zone_sstp_dest_REJECT -o sstp-+ -m comment --comment “!fw3” -j reject
-A zone_sstp_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_sstp_rule
-A zone_sstp_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_sstp_forward -m comment --comment “!fw3” -j zone_sstp_src_REJECT
-A zone_sstp_input -m comment --comment “!fw3: user chain for input” -j input_sstp_rule
-A zone_sstp_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_sstp_input -m comment --comment “!fw3” -j zone_sstp_src_REJECT
-A zone_sstp_output -m comment --comment “!fw3: user chain for output” -j output_sstp_rule
-A zone_sstp_output -m comment --comment “!fw3” -j zone_sstp_dest_ACCEPT
-A zone_sstp_src_REJECT -i sstp-+ -m comment --comment “!fw3” -j reject
-A zone_vpn_dest_ACCEPT -o tun_+ -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_vpn_dest_ACCEPT -o tun_+ -m comment --comment “!fw3” -j ACCEPT
-A zone_vpn_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment “!fw3: forwarding vpn → lan” -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_vpn_forward -m comment --comment “!fw3” -j zone_vpn_src_ACCEPT
-A zone_vpn_input -m comment --comment “!fw3: user chain for input” -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_vpn_input -m comment --comment “!fw3” -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment “!fw3: user chain for output” -j output_vpn_rule
-A zone_vpn_output -m comment --comment “!fw3” -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun_+ -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_forward -m comment --comment “!fw3: user chain for forwarding” -j forwarding_wan_rule
-A zone_wan_forward -s 10.158.0.0/16 -p tcp -m comment --comment “!fw3: NAT_TO_IPSEC” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -s 10.158.0.0/16 -p udp -m comment --comment “!fw3: NAT_TO_IPSEC” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment “!fw3: forwarding wan → lan” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment “!fw3: forwarding wan → vpn” -j zone_vpn_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wan_forward -m comment --comment “!fw3” -j zone_wan_src_ACCEPT
-A zone_wan_input -m comment --comment “!fw3: user chain for input” -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment “!fw3: Allow-DHCP-Renew” -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment “!fw3: Allow-Ping” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment “!fw3: Allow-vpn-traffic” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment “!fw3: Allow-vpn-traffic” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment “!fw3: Enable_SSH_WAN” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 22 -m comment --comment “!fw3: Enable_SSH_WAN” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment “!fw3: Enable_HTTPS_WAN” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 443 -m comment --comment “!fw3: Enable_HTTPS_WAN” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1701 -m comment --comment “!fw3: Allow-l2tpd-on-1701” -j ACCEPT
-A zone_wan_input -p esp -m comment --comment “!fw3: Allow-IPsec-ESP” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment “!fw3: Allow-IPsec-NAT-T” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment “!fw3: Allow-IPsec-IKE” -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wan_input -m comment --comment “!fw3” -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment “!fw3: user chain for output” -j output_wan_rule
-A zone_wan_output -m comment --comment “!fw3” -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i wwan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_src_REJECT -i wwan0 -m comment --comment “!fw3” -j reject

For the “not-working” router, the FTP client logs in to the FTP server correctly, but then it “freezes” waiting for the welcome response from the server and does not receive the directory listing.
I tried opening all traffic as a test, but it still does not want to work. Any help is greatly welcome.
Benedetto
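As an added example (not from the original post and not Teltonika's code), here is a small Python audit that parses `iptables -S` output and compares the two dumps above; the embedded excerpts are constructed from the post's dumps and trimmed for length. It flags ACCEPT default policies, identical rules appended many times, WAN input rules that accept a whole protocol without any port match, what the zone_wan_input chain falls through to, and whether any rule references the FTP ports or a conntrack helper match, which FTP's separate data connection usually depends on when it crosses NAT.

```python
import re
from collections import Counter

# Constructed excerpts trimmed from the two iptables -S dumps in the post
# (7.06.3 router first, 6.07 router second). iptables prints straight quotes.
NEW_FW = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A OUTPUT -s 192.168.1.1/32 -d 10.158.55.254/32 -j ACCEPT
-A zone_wan_input -p tcp -m comment --comment "!fw3: Allow-vpn-traffic" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Enable_SSH_WAN" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
"""
OLD_FW = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A OUTPUT -d 10.158.55.254/32 -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Allow-vpn-traffic" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Enable_SSH_WAN" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
"""

FTP_PAT = re.compile(r"--[sd]port (?:20|21)\b|-m helper\b|--helper\b")  # FTP ports / CT helper
PROTO_PAT = re.compile(r"-p (?:tcp|udp)\b")
PORT_PAT = re.compile(r"--[sd]port\b")

def parse(dump):
    """Split an `iptables -S` dump into {chain: policy} and the list of -A rules."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules

def permissive_policies(policies):
    """Built-in chains whose default policy is ACCEPT (a WAN router wants DROP/REJECT)."""
    return [c for c in ("INPUT", "FORWARD") if policies.get(c) == "ACCEPT"]

def duplicate_rules(rules):
    """Identical rules appended more than once (the post's dump has one OUTPUT rule 14 times)."""
    return {r: n for r, n in Counter(rules).items() if n > 1}

def open_wan_accepts(rules):
    """zone_wan_input rules that ACCEPT a whole protocol with no --dport/--sport match."""
    return [r for r in rules
            if r.startswith("-A zone_wan_input ") and r.endswith("-j ACCEPT")
            and PROTO_PAT.search(r) and not PORT_PAT.search(r)]

def wan_input_fallthrough(rules):
    """Jump target of the last zone_wan_input rule: where unmatched WAN input ends up."""
    chain = [r for r in rules if r.startswith("-A zone_wan_input ")]
    return chain[-1].rsplit("-j ", 1)[1] if chain else None

def ftp_related(rules):
    """Rules that mention the FTP control/data ports or a conntrack helper match."""
    return [r for r in rules if FTP_PAT.search(r)]

def rule_diff(a, b):
    """(only in a, only in b) as sorted lists, ignoring order and repetition."""
    sa, sb = set(a), set(b)
    return sorted(sa - sb), sorted(sb - sa)

def audit(dump):
    policies, rules = parse(dump)
    return {"permissive_policies": permissive_policies(policies),
            "duplicates": duplicate_rules(rules),
            "open_wan_accepts": open_wan_accepts(rules),
            "wan_input_fallthrough": wan_input_fallthrough(rules),
            "ftp_rules": ftp_related(rules)}

if __name__ == "__main__":
    for name, dump in (("7.06.3", NEW_FW), ("6.07", OLD_FW)):
        print(name, audit(dump), sep="\n  ")
    only_new, only_old = rule_diff(parse(NEW_FW)[1], parse(OLD_FW)[1])
    print("only in 7.06.3:", *only_new, sep="\n  ")
    print("only in 6.07:", *only_old, sep="\n  ")
```

Run it on the full dumps by pasting each `iptables -S` output into the two strings; the empty `ftp_rules` list on both excerpts is the check a practitioner would look at first, since neither ruleset visibly references the FTP ports or a helper.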
