Since you have vsftpd running on the NAT box, you only need the firewall traffic rule. Get rid of the port forward and NAT rules. Also, FTP uses TCP only; get rid of allowing UDP.
Sorry, I forgot: add seccomp_sandbox=NO to your vsftpd configuration.
Also, make sure you have a strong password on that FTP server. Since you're exposing it to the public internet, it's only a matter of time before botnets find it, possibly in as little as a few minutes.
You may also want to consider using port knocking for protection by installing luci-app-fwknopd so that your FTP server can't just be accessed by anyone.
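
An added example, not part of the post above and not OpenWrt or vsftpd tooling: a read-only shell check that reports the configuration points the post raises (leftover port forward or NAT sections for port 21, UDP on the FTP traffic rule, missing seccomp_sandbox=NO). It assumes the UCI firewall format with the `proto`, `src_dport` and `dest_port` options and only looks at control port 21; the section names and sample files are constructed.

```shell
# Read-only audit of the settings named in the post; nothing is modified.
# $1 = firewall config (on OpenWrt: /etc/config/firewall), $2 = vsftpd.conf
audit_ftp_exposure() {
    awk -v q="'" '
    function report() {   # emit a finding for the section just finished
        if (port21 && (type == "redirect" || type == "nat"))
            print type " \"" name "\": remove, vsftpd runs on the router itself"
        else if (port21 && type == "rule" && proto == "")
            print "rule \"" name "\": set proto to tcp explicitly"
        else if (port21 && type == "rule" && proto ~ /udp/)
            print "rule \"" name "\": drop udp, FTP uses tcp only"
        type = ""; name = "(unnamed)"; proto = ""; port21 = 0
    }
    $1 == "config" { report(); type = $2; next }
    $1 == "option" || $1 == "list" {
        val = $0   # keep the whole value, it may contain spaces ("tcp udp")
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub(q, "", val); gsub(/"/, "", val)
        if ($2 == "name") name = val
        if ($2 == "proto") proto = proto " " val
        if (($2 == "src_dport" || $2 == "dest_port") && (" " val " ") ~ / 21 /)
            port21 = 1   # exact port 21 only; ranges are not expanded
    }
    END { report() }
    ' "$1"
    grep -Eq '^seccomp_sandbox=NO[[:space:]]*$' "$2" ||
        echo "vsftpd.conf: add seccomp_sandbox=NO"
}

# Constructed sample input showing the setup the post tells the asker to fix.
demo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/firewall" <<'EOF'
config redirect
	option name 'ftp-forward'
	option src_dport '21'
	option dest_port '21'
config rule
	option name 'Allow-FTP'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '21'
	option target 'ACCEPT'
EOF
    printf 'listen=YES\n' > "$d/vsftpd.conf"
    audit_ftp_exposure "$d/firewall" "$d/vsftpd.conf"
    rm -rf "$d"
}
demo_audit
```

A configuration that already follows the post (a single tcp-only rule for port 21 and seccomp_sandbox=NO set) produces no output.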