Having issues with port forwarding

Had vsftpd set up and running on a device running OpenWrt. Today I replaced the OEM firmware with OpenWrt and moved everything from the second device, which was serving as an FTP server, to the main router. After doing so I lost external access to FTP. Locally I can access all services. The web server with forwarded port 80 works perfectly fine, but the same thing with port 21 doesn't want to. Checked with online port checkers: 80 and 21 are accessible from outside.
Here is the firewall config:

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web_server'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.1'
        option dest_port '80'
        option reflection_src 'external'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ftp'
        option src 'wan'
        option src_dport '21'
        option dest_ip '192.168.0.1'
        option dest_port '21'
        list proto 'tcp'

Thanks

Is this the address of the router itself?
And is the server running on the router or on a host behind the router?


On the router

This is a bad idea - do not expose the router’s web interface to the internet. Delete this rule:

I would recommend against running an ftp server on your router. But if you insist on doing so, delete this:

And replace it with a traffic rule, not a port forward.


The router's web interface is not exposed to the internet. The router actually doesn't even have a web interface; that's my own web server running on the router with strict access control.

For the second part, you mean do the exact same thing but in traffic rules? I kind of compared them and couldn't find any significant differences, but will give it a try tomorrow and see how that goes.

A "config redirect" is used when the server is some machine inside your network. A "config rule" is used when the server is the router itself.


OK, then why does forwarding port 80 in the port forwarding section work, while setting traffic rules and getting rid of the port forward for port 80 doesn't? Just tried many combinations and the only way it's accessible is via port forwarding.

Tried putting FTP in traffic rules; same thing, it doesn't want to serve to WAN.

I also noticed that; my hunch is that the web server only listens on the LAN side?

For SSH it works with a traffic rule

N.B. I use it for routers which are internal and not exposed to the internet.

Solved!
I forgot that in vsftpd.conf I used ports 50000-50100.

Created a new rule in traffic rules (not port forwarding) for those ports and FTP is up and running.

Thanks everybody for suggestions.
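Two points in this thread are easy to get wrong when reading /etc/config/firewall by eye: a `config redirect` (DNAT) is for a host behind the router while a `config rule` with no `dest` accepts traffic on the router itself, and an FTP server in passive mode also needs its data-port range (here 50000-50100 from vsftpd.conf) accepted, not just port 21. The checker below is an added example written for this thread, not OpenWrt or vsftpd code. It parses UCI syntax, classifies every section that lets wan traffic in as `input` (rule without `dest`, the router itself), `forward` (rule with a `dest` zone) or `dnat` (redirect to `dest_ip`), and checks whether a TCP port range is accepted on the router's own input path by a traffic rule. The embedded config is a constructed excerpt modelled on the posted one; the `Allow-FTP-passive` rule is hypothetical, since the poster did not show the rule they created.

```python
"""Added example (not OpenWrt code): classify what a UCI firewall config
lets in from the wan zone and check vsftpd's passive range is accepted."""
import shlex

# Constructed excerpt modelled on the config posted in the thread: one forward
# rule plus the two redirects that point at the router's own LAN address.
POSTED_FIREWALL = """
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web_server'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.1'
        option dest_port '80'
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ftp'
        option src 'wan'
        option src_dport '21'
        option dest_ip '192.168.0.1'
        option dest_port '21'
        list proto 'tcp'
"""

# Hypothetical traffic rule (no dest, so it applies to the router itself) in
# the spirit of the fix at the end of the thread; the real rule was not posted.
FTP_PASSIVE_RULE = """
config rule
        option name 'Allow-FTP-passive'
        option src 'wan'
        option proto 'tcp'
        option dest_port '50000-50100'
        option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI 'config'/'option'/'list' lines into a list of section dicts."""
    sections, cur = [], None
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # handles quoted values
        if not words:
            continue
        kw, rest = words[0], words[1:]
        if kw == "config":
            cur = {".type": rest[0], "options": {}, "lists": {}}
            sections.append(cur)
        elif kw == "option" and cur is not None:
            cur["options"][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif kw == "list" and cur is not None:
            cur["lists"].setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else "")
    return sections


def wan_exposure(sections):
    """(name, kind, proto, ports, dest_ip) for each section accepting wan traffic.
    kind: 'input' = rule without dest (the router itself), 'forward' = rule
    with a dest zone, 'dnat' = redirect to dest_ip."""
    out = []
    for s in sections:
        o, l = s["options"], s["lists"]
        if o.get("src") != "wan" or o.get("target") not in ("ACCEPT", "DNAT"):
            continue
        proto = " ".join(l.get("proto") or [o.get("proto", "tcp udp")])
        if s[".type"] == "redirect":
            out.append((o.get("name", "?"), "dnat", proto, o.get("src_dport", "any"), o.get("dest_ip")))
        elif s[".type"] == "rule":
            out.append((o.get("name", "?"), "forward" if o.get("dest") else "input",
                        proto, o.get("dest_port", "any"), None))
    return out


def port_set(spec):
    """'21', '50000-50100' or '21 22' -> set of ports; 'any' -> every port."""
    if spec == "any":
        return set(range(1, 65536))
    ports = set()
    for tok in spec.replace(",", " ").split():
        lo, _, hi = tok.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def wan_input_accepts_tcp(sections, lo, hi):
    """True only if every port lo..hi is ACCEPTed on the router's own input
    path from wan by a traffic rule; DNAT redirects do not count."""
    needed = set(range(lo, hi + 1))
    for _, kind, proto, ports, _ in wan_exposure(sections):
        if kind == "input" and ("tcp" in proto or "all" in proto):
            needed -= port_set(ports)
    return not needed


if __name__ == "__main__":
    fixed = parse_uci(POSTED_FIREWALL + FTP_PASSIVE_RULE)
    for row in wan_exposure(fixed):
        print(row)
    print("passive range accepted on router:", wan_input_accepts_tcp(fixed, 50000, 50100))
```

Run against the posted config alone, the passive range is not accepted anywhere, which is exactly the state the poster was in; with the added traffic rule the check passes. The same checker run over a real /etc/config/firewall (`python3 check.py < /etc/config/firewall` after swapping the embedded text for `sys.stdin.read()`) gives a quick inventory of what the wan zone can reach before opening anything further.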
