[Solved] How to exclusively allow sending email from an address which is under blocked zone?

I want to put a multi-function printer in a zone blocked from accessing WAN. But I need to exclusively allow its address to send email via SMTP (port 25) to achieve its "Scan-to-Email" function. Therefore, I added a Traffic Rule in the UI (LuCI) to accept forwarding from its address to WAN, but it still cannot access the external email server. How can I solve it (in LuCI)?

(Sorry, I really cannot find a solution for this simple question.)

  • Do you allow DHCP for the device, or statically configure the printer with an IP address, gateway IP, DNS servers, etc.?
  • Did you verify that you placed this rule above any block rule(s)?

Are you sure it is port 25? Most mail servers work on different ports these days with more security.

I'd recommend that you start by allowing the printer to access the internet in general so that you can verify the mail server settings without any restrictions. This will be a traffic rule that will be set to accept TCP from source < IP address of printer > to destination zone WAN.

Configure your printer and get everything working. When it is working, you can close that down by simply putting a destination port in the rule above.

1 Like

Yes, the device has DHCP enabled. The device works properly under an unblocked zone. But now I want to move it into a blocked zone, for overall better security, while specifying a traffic rule for allowing it to send via SMTP exclusively. The rule is put in the topmost position under the Traffic Rules tab of LuCI.

:bulb: Do you allow DHCP in the blocked zone (so the device gets an IP address)?

If so, perhaps you should show us your /etc/config/firewall (or a screenshot) and network config to better understand how you set up the zone/firewall/network/etc.

Please see my above explanation to lleachii, which is also related to your message.

Ok... so, you need to know the IP address of the printer. If the printer uses DHCP, be sure to set a DHCP reservation so that it always gets the same IP address on the network.

Verify the port setting per the configuration within the printer. If everything is already configured and working on that printer, use that port number to create the rule as I described.

You can show a screenshot of your rule if you want verification.

1 Like

This was unrelated:

Which reminds me:

:warning: Most ISPs do not allow outbound 25/tcp (SMTP). This is in the RFCs regarding certain non-static hosts.

If you do not have a business ISP account, have you verified your ISP allows SMTP outbound? :thinking:

2 Likes

This is what I was thinking when I said that it is unusual for any mail servers to use port 25.

1 Like

As I said, the device worked properly under an unblocked zone (vlan_boxed), using my ISP's email server via port 25. I have "just" tried to move it into another zone (vlan_devout). All configurations are the same. The only difference is at zone level: the vlan_boxed zone allows forwarding to WAN, which vlan_devout doesn't allow. I want to use a Traffic Rule to overwrite it for my printer, if feasible.

1 Like

Ok... so you can follow the advice I gave before to create your firewall rule allowing the device to connect to the internet. As I said earlier, I'd recommend allowing it full access (allow all ports) to verify the rule is functioning, then restrict it to only allow port 25 (assuming you are absolutely positive that port 25 is the correct port).

Please see if these screen captures are helpful or not for your analysis:

Remove the source port. Only destination port should be specified.

The source port is removed according to your indication, but it still fails.

Let's take a look at a few things:

  • Please provide a screenshot of your printer's outbound email configuration page (be sure to redact any personally identifiable information).
  • Verify that the address you have (192.168.22.100) is indeed the printer's IP (you can check this when you are grabbing the screenshot above).
  • Then ssh into your router and provide us with the following two files:

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
1 Like

Sure, the printer's IP is correct. I also haven't modified its SMTP settings, which have worked for years.

< NETWORK >


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcd:39d9:59fa::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '208.67.222.222'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2620:119:35::35'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 4 3 2 1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6t 5'

config interface 'vlan_doubt'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth1.5'

config interface 'vlan_guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ipaddr '192.168.5.1'
	option ifname 'eth1.6'

config interface 'vlan_boxed'
	option proto 'static'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ipaddr '192.168.6.1'
	option ifname 'eth1.6'

config interface 'vlan_devin'
	option proto 'static'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'

config interface 'vlan_devout'
	option proto 'static'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth1.8'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t'
	option vid '5'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t 4t'
	option vid '6'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 4t'
	option vid '8'


< FIREWALL >


config rule
	option src 'vlan_devout'
	list src_ip '192.168.22.100'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '25'
	option name 'Allow-SMTP-ForwardTo'

config rule
	option src_port '25'
	option src 'wan'
	option name 'Allow-SMTP-ForwardFm'
	option dest 'vlan_devout'
	list dest_ip '192.168.22.100'
	option target 'ACCEPT'
	option dest_port '25'
	option enabled '0'

config rule
	option src_port '25'
	option src 'vlan_devout'
	option name 'Allow-SMTP-Input'
	list src_ip '192.168.22.100'
	option target 'ACCEPT'
	option dest_port '25'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src_port '500'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '500'
	list proto 'udp'
	option name 'Allow-IPSec-IKE-RemotePrinter'
	option enabled '0'
	option dest 'vlan_devout'
	list dest_ip '192.168.22.100'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'VLan_DOUBT_DNS'
	option src 'vlan_doubt'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'VLan_DOUBT_DHCP'
	option src 'vlan_doubt'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option src 'vlan_guest'
	option name 'VLan_GUEST_DNS'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option src 'vlan_guest'
	option name 'VLan_GUEST_DHCP'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option src 'vlan_boxed'
	option name 'VLan_BOXED_DNS'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option src 'vlan_boxed'
	option name 'VLan_BOXED_DHCP'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option input 'REJECT'
	option output 'ACCEPT'
	option name 'vlan_doubt'
	option network 'vlan_doubt'
	option conntrack '1'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	option name 'vlan_guest'
	option network 'vlan_guest'
	option conntrack '1'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option name 'vlan_boxed'
	option network 'vlan_boxed'
	option conntrack '1'
	option forward 'REJECT'

config zone
	option name 'vlan_devin'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'vlan_devin'
	option conntrack '1'

config zone
	option name 'vlan_devout'
	option output 'ACCEPT'
	option network 'vlan_devout'
	option conntrack '1'
	option forward 'REJECT'
	option input 'REJECT'
	option log '1'

config forwarding
	option dest 'wan'
	option src 'vlan_boxed'

config forwarding
	option dest 'wan'
	option src 'vlan_guest'

config forwarding
	option dest 'vlan_devin'
	option src 'lan'

config forwarding
	option dest 'vlan_guest'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vlan_devin'

config forwarding
	option dest 'vlan_boxed'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'VLan_DEVIn_DNS'
	option src 'vlan_devin'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'VLan_DEVIn_DHCP'
	option src 'vlan_devin'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'VLan_DEVOut_DNS'
	option src 'vlan_devout'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'VLan_DEVOut_DHCP'
	option src 'vlan_devout'

config forwarding
	option dest 'vlan_devout'
	option src 'lan'

config forwarding
	option dest 'vlan_devout'
	option src 'vlan_doubt'

config forwarding
	option dest 'wan'
	option src 'vlan_doubt'

config forwarding
	option dest 'vlan_doubt'
	option src 'lan'

config redirect
	option dest_port '9100'
	option src 'wan'
	option src_dport '9100'
	option target 'DNAT'
	option dest 'vlan_guest'
	option enabled '0'
	option dest_ip '192.168.22.100'
	option name 'Printer'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'esp'

config nat
	option src_port '9100'
	option name 'RemotePrintAsRouter'
	option target 'SNAT'
	option dest_port '9100'
	option enabled '0'
	option snat_ip '192.168.22.1'
	option dest_ip '192.168.22.100'
	option src 'vlan_devout'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'esp'

config nat
	option src_port '500'
	option name 'RemotePrintAsRouter2'
	option target 'SNAT'
	option dest_port '500'
	list proto 'udp'
	option enabled '0'
	option snat_ip '192.168.22.1'
	option dest_ip '192.168.22.100'
	option src 'vlan_devout'

config forwarding
	option dest 'vlan_boxed'
	option src 'vlan_doubt'

config forwarding
	option dest 'vlan_guest'
	option src 'vlan_doubt'

config forwarding
	option dest 'vlan_doubt'
	option src 'vlan_devout'

config redirect
	option dest_port '25'
	option src 'wan'
	option name 'Printer_SMTP'
	option src_dport '25'
	option target 'DNAT'
	option dest_ip '192.168.22.100'
	option dest 'vlan_devout'
	option enabled '0'

config nat
	option src_port '25'
	list proto 'tcp'
	list proto 'udp'
	option name 'Printer_SMTP'
	option src_ip '192.168.22.100'
	option target 'ACCEPT'
	option dest_port '25'
	option src 'vlan_devout'
	option enabled '0'


Your firewall file has a lot of junk in it. Let's clean those up to ensure they are not interfering.

Keep this one (topmost rule):

and remove all of these:

Then restart the firewall and try again.

I have followed your advice to remove those 4 junk rules. But they were disabled originally, so they should not be the reason for the problem.

Yes, but it is easier to keep track of things and reduce the likelihood of errors if there is only a single relevant rule.

Please remove the destination port from the firewall rule and test the printer. I do not expect that this will solve the problem, but it makes sense to fully open the printer to the internet to verify that this is true.

I have just tried to further remove the destination port as you indicated, and the printer can now 'scan-to-email' again, just like it could when I put it into vlan_boxed (a zone that can forward to WAN) before. So what's next?
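To make the "open it fully, then narrow it back down" procedure above less of a guessing game, here is an added example (my own code, not from the thread or from OpenWrt's fw3) that parses the posted /etc/config/firewall syntax and answers, for one forwarded flow, which traffic rule, zone forwarding or default policy it would hit. The evaluation order it models (traffic rules first, then zone-to-zone `forwarding` sections, then the `defaults` forward policy) and the `tcp udp` default for a rule with no `proto` are a simplification of fw3's behaviour as I understand it; the fallback of REJECT when no `defaults` section exists is an assumption. The embedded config is a constructed excerpt of the sections from the thread that matter for the printer's path to WAN.

```python
import shlex
import ipaddress

# Constructed excerpt of the /etc/config/firewall posted in the thread:
# only the sections relevant to the printer's path to WAN are kept.
FIREWALL_UCI = """
config rule
	option src 'vlan_devout'
	list src_ip '192.168.22.100'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '25'
	option name 'Allow-SMTP-ForwardTo'

config defaults
	option forward 'REJECT'

config zone
	option name 'vlan_devout'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'vlan_boxed'
"""


def parse_uci(text):
    """Parse UCI 'config/option/list' syntax into a list of section dicts.

    Every key maps to a list of strings so 'option' and 'list' read alike;
    space-separated option values such as 'tcp udp' are split, as fw3 does.
    """
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({".type": parts[1]})
        elif parts[0] in ("option", "list") and sections:
            value = parts[2] if len(parts) > 2 else ""
            sections[-1].setdefault(parts[1], []).extend(value.split())
    return sections


def port_matches(port, specs):
    """True if 'port' falls inside any fw3 port spec ('25', '67-68')."""
    for spec in specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def ip_matches(ip, specs):
    """True if 'ip' is inside any address or CIDR in 'specs'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in specs)


def rule_matches(rule, src_zone, src_ip, dest_zone, proto, dport):
    """Does a forwarded flow hit this 'rule' section? Simplified fw3 semantics."""
    if rule[".type"] != "rule" or rule.get("enabled", ["1"]) == ["0"]:
        return False
    if rule.get("src", []) not in ([src_zone], ["*"]):
        return False
    # A rule without 'dest' is an INPUT rule for the router itself, not a forward rule.
    if rule.get("dest", []) not in ([dest_zone], ["*"]):
        return False
    if "src_ip" in rule and not ip_matches(src_ip, rule["src_ip"]):
        return False
    protos = rule.get("proto") or ["tcp", "udp"]  # fw3 default when 'proto' is unset
    if proto not in protos and "all" not in protos:
        return False
    if "dest_port" in rule and not port_matches(dport, rule["dest_port"]):
        return False
    return True


def evaluate(text, src_zone, src_ip, dest_zone, proto, dport):
    """Return (verdict, reason) for one forwarded flow: traffic rules first,
    then zone-to-zone 'forwarding' sections, then the 'defaults' forward policy."""
    sections = parse_uci(text)
    for s in sections:
        if rule_matches(s, src_zone, src_ip, dest_zone, proto, dport):
            return s["target"][0], "rule " + s.get("name", ["<unnamed>"])[0]
    for s in sections:
        if (s[".type"] == "forwarding" and s.get("src") == [src_zone]
                and s.get("dest") == [dest_zone] and s.get("enabled", ["1"]) != ["0"]):
            return "ACCEPT", f"forwarding {src_zone} -> {dest_zone}"
    for s in sections:
        if s[".type"] == "defaults":
            return s.get("forward", ["REJECT"])[0], "defaults forward policy"
    return "REJECT", "no defaults section (assumed REJECT)"


if __name__ == "__main__":
    for proto, port in (("tcp", 25), ("tcp", 587)):
        verdict = evaluate(FIREWALL_UCI, "vlan_devout", "192.168.22.100", "wan", proto, port)
        print(f"{proto}/{port} from 192.168.22.100 -> wan: {verdict}")
```

Under this model the posted rule already matches TCP/25 from 192.168.22.100 to wan, while TCP/587 from the same host falls through to the REJECT default. So if the printer works only while the destination port is removed, the next thing to establish is whether its SMTP session is really TCP/25 at all, which is the doubt raised earlier in the thread; running the script against the real file with the port the printer actually reports is the quick way to see which rule or policy a given flow lands on before touching LuCI again.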