Firewall rule is ignored

Hi all,

I have a firewall problem after rebooting my router, without changing my config at all.
Can someone please help me understand this issue?

This VLAN does not need WAN access unless.
Only, the unless condition doesn't do its job any longer.

So, to my understanding unless I create a forwarding, the forward is REJECT by default.

Zone config:

config zone
	option name 'FW_VLAN20_MEDIA'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN20_MEDIA'

Exception rule:

config rule
	option src 'FW_VLAN20_MEDIA'
	option dest 'wan'
	option name 'VLAN20_MEDIA: Allow storage01 to WAN'
	option target 'ACCEPT'
	list src_ip '10.0.20.100'
	list proto 'tcp'
	list proto 'udp'

This makes the device deny WAN access.

Unless I add:

config forwarding
	option src 'FW_VLAN20_MEDIA'
	option dest 'wan'

So, basically giving the whole VLAN WAN access.
Reloading and restarting the firewall service didn't help. Restarting the router neither.

Anyone any ideas?

Thanks in advance for thinking along with me!

If you are using ping to test the connection, this should be replaced with list proto 'all'.


You are so right!

But I need to allow just 3 ports: HTTP, NTP and HTTPS.
That doesn't go with the ALL option.
Instead I'll go with TCP, UDP and ICMP.

Thanks a lot @pavelgl!

config rule
	option src 'FW_VLAN20_MEDIA'
	option dest 'wan'
	option name 'VLAN20_MEDIA: Allow storage01 to WAN'
	option target 'ACCEPT'
	list src_ip '10.0.20.100'
	option dest_port '80 123 443'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

Or use the router as an NTP server and change the rule to

config rule
	option src 'FW_VLAN20_MEDIA'
	option dest 'wan'
	option name 'VLAN20_MEDIA: Allow storage01 to WAN'
	option target 'ACCEPT'
	list src_ip '10.0.20.100'
	option dest_port '80 443'
	list proto 'tcp'
	list proto 'icmp'
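As an added illustration of the evaluation order the thread is circling around (explicit rules, then zone forwardings, then the source zone's forward policy), here is a small Python model that parses UCI text as posted and reports the verdict a new connection would get. This is example code written for this page, not fw4's own implementation, and it makes assumptions that were not checked against the fw4 source: an omitted `proto` means tcp+udp, `dest_port` only constrains tcp/udp (so the icmp variant of a rule has no port match), and rules are consulted before forwardings. The three configurations it probes are constructed to mirror the first rule, the fixed rule and the zone forwarding from this thread; the `DROP` fallback when a zone has no `option forward` is the model's own, not a claim about fw4 defaults.

```python
"""Toy model of how OpenWrt's fw4 decides a new forwarded connection:
`config rule` entries first, then `config forwarding`, then the source
zone's `option forward` policy. Added example, not fw4 code; the UCI text
below is constructed to mirror the thread's sections."""
import ipaddress
import shlex

ZONE = """
config zone
    option name 'FW_VLAN20_MEDIA'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'VLAN20_MEDIA'
"""
RULE_HEAD = """
config rule
    option src 'FW_VLAN20_MEDIA'
    option dest 'wan'
    option name 'VLAN20_MEDIA: Allow storage01 to WAN'
    option target 'ACCEPT'
    list src_ip '10.0.20.100'
"""
RULE_TCP_UDP = RULE_HEAD + "    list proto 'tcp'\n    list proto 'udp'\n"  # as first posted
RULE_FIXED = RULE_HEAD + ("    option dest_port '80 123 443'\n    list proto 'tcp'\n"
                          "    list proto 'udp'\n    list proto 'icmp'\n")  # as in the reply
FORWARDING = "\nconfig forwarding\n    option src 'FW_VLAN20_MEDIA'\n    option dest 'wan'\n"


def parse_uci(text):
    """Parse UCI text into dicts; `option` sets a string, `list` accumulates a list."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            sec = {".type": parts[1]}
            if len(parts) > 2:
                sec[".name"] = parts[2]
            sections.append(sec)
        elif parts[0] in ("option", "list") and len(parts) == 3:
            if parts[0] == "option":
                sections[-1][parts[1]] = parts[2]
            else:
                sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections


def _as_list(value):
    return value if isinstance(value, list) else value.split()


def _port_match(spec, port):
    """Match `dest_port` values such as '80 123 443' or '8000-8080'."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, src_zone, dest_zone, src_ip, proto, dest_port):
    if rule.get("src") != src_zone or rule.get("dest") != dest_zone:
        return False
    # Assumption: an omitted `proto` means tcp+udp, which is why a rule listing
    # only tcp/udp never sees ping (icmp) and the reply suggests 'all' or icmp.
    protos = _as_list(rule.get("proto", "tcp udp"))
    if "all" not in protos and proto not in protos:
        return False
    if "src_ip" in rule:
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in _as_list(rule["src_ip"])):
            return False
    # Assumption: `dest_port` only constrains tcp/udp; icmp carries no port.
    if "dest_port" in rule and proto in ("tcp", "udp"):
        if dest_port is None or not _port_match(rule["dest_port"], dest_port):
            return False
    return True


def forward_verdict(sections, src_zone, dest_zone, src_ip, proto, dest_port=None):
    """Verdict for a new src_zone -> dest_zone connection (a rule's target is required)."""
    for s in sections:
        if s[".type"] == "rule" and rule_matches(s, src_zone, dest_zone, src_ip, proto, dest_port):
            return s["target"]
    for s in sections:
        if s[".type"] == "forwarding" and s.get("src") == src_zone and s.get("dest") == dest_zone:
            return "ACCEPT"  # a forwarding opens the whole source zone towards dest_zone
    for s in sections:
        if s[".type"] == "zone" and s.get("name") == src_zone:
            return s.get("forward", "DROP")  # DROP is this model's fallback only
    return "DROP"


def verdicts(cfg_text):
    """Verdicts for constructed probes from the VLAN towards wan."""
    sections = parse_uci(cfg_text)
    def probe(ip, proto, port=None):
        return forward_verdict(sections, "FW_VLAN20_MEDIA", "wan", ip, proto, port)
    return {"storage01_ping": probe("10.0.20.100", "icmp"),
            "storage01_https": probe("10.0.20.100", "tcp", 443),
            "storage01_ssh": probe("10.0.20.100", "tcp", 22),
            "other_host_https": probe("10.0.20.50", "tcp", 443)}


if __name__ == "__main__":
    for label, cfg in [("tcp/udp rule only", ZONE + RULE_TCP_UDP),
                       ("rule with icmp + ports", ZONE + RULE_FIXED),
                       ("tcp/udp rule + forwarding", ZONE + RULE_TCP_UDP + FORWARDING)]:
        print(label, verdicts(cfg))
```

Running it shows the three states from the thread side by side: with the tcp/udp-only rule a ping from storage01 falls through to the zone's REJECT while HTTPS is accepted, the fixed rule accepts ping and HTTPS but rejects port 22, and adding the `config forwarding` section accepts traffic from any host in the VLAN, which is exactly the over-broad fix the original poster wanted to avoid.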

Yeah, I know.
Already fixed it.
Thanks again!