The ftp rule is not working

My computer has the address 172.21.163.80 and I am connecting from it to the remote FTP server 93.185.104.24.
I have a rule:

config rule
	option name 'ftp'
	option src 'lan'
	list src_ip '172.21.163.80/29'
	option dest 'wan'
	option dest_port '21'
	option target 'ACCEPT'
	option helper 'ftp'
	option family 'ipv4'
	list proto 'tcp'

and that doesn't work.
On the LAN side I only see the outgoing SYN to port 21 being retransmitted (same sequence number, five attempts) with no reply:

root@www:~# tcpdump -n -i br-lan host 93.185.104.24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
17:10:35.520592 IP 172.21.163.80.55514 > 93.185.104.24.21: Flags [S], seq 718708166, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:10:36.522451 IP 172.21.163.80.55514 > 93.185.104.24.21: Flags [S], seq 718708166, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:10:38.529306 IP 172.21.163.80.55514 > 93.185.104.24.21: Flags [S], seq 718708166, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:10:42.540960 IP 172.21.163.80.55514 > 93.185.104.24.21: Flags [S], seq 718708166, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:10:50.550765 IP 172.21.163.80.55514 > 93.185.104.24.21: Flags [S], seq 718708166, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

but I don't see any packets on the wan
however, when I add a rule:

config rule
	option name 'FTP server'
	option src 'lan'
	option dest 'wan'
	list dest_ip '93.185.104.24'
	option target 'ACCEPT'
	list proto 'tcp'
	option family 'ipv4'

so everything works and I see the full TCP handshake and FTP session on both LAN and WAN. (Note that this capture shows the FTP control channel in cleartext — `USER` and `331 Password required` — plain FTP sends the username and password unencrypted, so redact account names before posting and prefer FTPS or SFTP where the server offers it.)

root@www:~# tcpdump -n -i br-lan host 93.185.104.24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
17:50:04.017274 IP 172.21.163.80.60745 > 93.185.104.24.21: Flags [S], seq 2837568723, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:50:04.021194 IP 93.185.104.24.21 > 172.21.163.80.60745: Flags [S.], seq 830974324, ack 2837568724, win 17920, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
17:50:04.021534 IP 172.21.163.80.60745 > 93.185.104.24.21: Flags [.], ack 1, win 1026, length 0
17:50:04.046342 IP 93.185.104.24.21 > 172.21.163.80.60745: Flags [P.], seq 1:10, ack 1, win 140, length 9: FTP: 220 FTP
17:50:04.057676 IP 172.21.163.80.60745 > 93.185.104.24.21: Flags [P.], seq 1:18, ack 10, win 1026, length 17: FTP: USER 
17:50:04.061990 IP 93.185.104.24.21 > 172.21.163.80.60745: Flags [.], ack 18, win 140, length 0
17:50:04.062319 IP 93.185.104.24.21 > 172.21.163.80.60745: Flags [P.], seq 10:48, ack 18, win 140, length 38: FTP: 331 Password required for 
17:50:04.105825 IP 172.21.163.80.60745 > 93.185.104.24.21: Flags [.], ack 48, win 1026, length 0
17:50:06.412526 IP 172.21.163.80.60745 > 93.185.104.24.21: Flags [P.], seq 18:24, ack 48, win 1026, length 6: FTP: QUIT
17:50:06.416122 IP 93.185.104.24.21 > 172.21.163.80.60745: Flags [P.], seq 48:62, ack 24, win 140, length 14: FTP: 221 Goodbye.
17:50:06.416399 IP 93.185.104.24.21 > 172.21.163.80.60745: Flags [F.], seq 62, ack 24, win 140, length 0
17:50:06.418580 IP 172.21.163.80.60745 > 93.185.104.24.21: Flags [.], ack 63, win 1026, length 0
17:50:06.430243 IP 172.21.163.80.60745 > 93.185.104.24.21: Flags [R.], seq 24, ack 63, win 0, length 0

where could be the problem?

You're trying to connect out to 93.185.104.24 via FTP?

By default outgoing traffic should be allowed and you shouldn't need any special firewall rules.


But I am not using the default policy: I changed the settings so that only explicitly allowed traffic passes, and everything else is rejected or dropped.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Edit:

Without seeing your config, I would expect the rule to look something like this:

config rule                           
        list proto 'tcp'                
        option src 'lan'      
        list src_ip '172.21.163.80'
        option dest 'wan'            
        list dest_ip '93.185.104.24'        
        option dest_port '21'                   
        option target 'ACCEPT'              

172.21.163.80/29 covers 172.21.163.80 - 172.21.163.87.
If you mean the single host, write it as
172.21.163.80/32 (or just 172.21.163.80) in CIDR notation.
Note that .80 is inside that /29, so the prefix length alone does not explain the dropped SYN. The other difference from your working rule is `option helper 'ftp'`: on a *rule* that option is a match on traffic already tagged by the conntrack helper (the FTP data channel), not a switch that enables the helper, so the initial SYN to port 21 never matches this rule and falls through to your final lan→wan DROP. Remove that line (the helper itself is enabled per zone, where `auto_helper` is on by default) and re-run the tcpdump.

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd4a:882a:2f8a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'

config device
	option name 'lan2'

config device
	option name 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.192'
	option ipaddr '172.21.163.126'

config device
	option name 'wan'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'I_WIFI2'
	option proto 'static'
	option device 'wlan0'
	option ipaddr '172.21.164.254'
	option netmask '255.255.255.0'

config interface 'I_WIFI5'
	option proto 'static'
	option device 'wlan1'
	option ipaddr '172.21.165.254'
	option netmask '255.255.255.0'

firewall

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	# tun+ puts every tun* interface (presumably the OpenVPN tunnel, cf. the
	# Allow-OpenVPN rule below) into the lan zone, so VPN clients get the same
	# lan->wan forwarding and the same rules as wired LAN hosts; only the
	# src_ip-restricted rules (e.g. 'management') still exclude them.
	list device 'tun+'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'Z_WIFI2'
	list network 'I_WIFI2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'Z_WIFI2'
	option dest 'wan'

config zone
	option name 'Z_WIFI5'
	list network 'I_WIFI5'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'Z_WIFI5'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option icmp_type 'echo-request'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'icmp'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'igmp'

config rule
	option name 'blokovat z wifi2'
	option src 'Z_WIFI2'
	list src_ip '172.21.164.240/28'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'

config rule
	option name 'blokovat z wifi5'
	option src 'Z_WIFI5'
	list src_ip '172.21.165.240/28'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'

config rule
	option name 'DHCP DNS NTP'
	# src '*' with no dest => INPUT to the router itself from *every* zone,
	# wan included. That accepts UDP/53 and UDP/123 on the WAN address too
	# (open-resolver / NTP amplification exposure) unless dnsmasq and the NTP
	# daemon are bound to internal interfaces only -- NOTE(review): confirm, or
	# replace '*' with one rule per internal zone (lan, Z_WIFI2, Z_WIFI5).
	# This stanza is repeated verbatim further down; keep only one copy.
	option src '*'
	option dest_port '67 53 123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'management'
	# No dest => INPUT to the router itself: ssh/http/https reachable only from
	# the single host .80 via the lan zone. Port 80 is plaintext HTTP --
	# NOTE(review): drop it, or confirm the web UI redirects 80 -> 443, so the
	# admin login is never sent in the clear.
	option src 'lan'
	list src_ip '172.21.163.80'
	option dest_port '22 80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp'

config rule
	option name 'NTP'
	# No src and dest 'wan' => traffic originated by the router itself (OUTPUT).
	# The wan zone already has output ACCEPT, so this stanza looks redundant;
	# the next 'NTP' stanza (src '*') is the forwarding rule for clients.
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'NTP'
	# src '*' + dest 'wan' => FORWARD UDP/123 from every zone to the Internet.
	# Same name as the previous stanza but a different chain, not a duplicate.
	option src '*'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'DHCP DNS NTP'
	# Exact duplicate of the earlier 'DHCP DNS NTP' stanza; remove one so the
	# policy has a single place to tighten. Remember src '*' with no dest means
	# these UDP ports are accepted on the router from every zone, wan included.
	option src '*'
	option dest_port '67 53 123'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'

config rule
	option name 'Ping do wan'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'icmp'

config rule
	option name 'blokovano lan DHCP'
	option src 'lan'
	list src_ip '172.21.163.64/28'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'

config rule
	option name 'vse lan'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list src_ip '172.21.163.96/28'
	option family 'ipv4'

config rule
	option name 'http https'
	option src 'lan'
	list src_ip '172.21.163.80/28'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

config rule
	option name 'smtps imaps pop3s'
	option src 'lan'
	list src_ip '172.21.163.80/30'
	option dest 'wan'
	option dest_port '465 993 995'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'

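config rule
	option name 'ftp'
	option src 'lan'
	# /29 = 172.21.163.80 - 172.21.163.87 (use /32 if only .80 is meant)
	list src_ip '172.21.163.80/29'
	option dest 'wan'
	option dest_port '21'
	option target 'ACCEPT'
	# 'option helper ftp' removed: on a rule it is a conntrack-helper MATCH
	# (packets already tagged by the ftp helper, i.e. the data channel), not an
	# enable switch, so the initial SYN to port 21 never matched this rule and
	# fell through to the final lan->wan DROP. The helper itself belongs to the
	# zone ('auto_helper', on by default, or 'list helper ftp'); data connections
	# then arrive as RELATED and are accepted before the zone rules.
	# NOTE(review): comments in this file are discarded when uci/LuCI rewrite it.
	option family 'ipv4'
	list proto 'tcp'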
	
config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option src 'lan'
	option name 'FTP server'
	# Broad workaround from the question: every TCP port from the whole lan zone
	# (no src_ip limit) to this one host. Currently disabled (enabled '0');
	# prefer the src_ip-restricted port-21 rule above and leave this off.
	option dest 'wan'
	list dest_ip '93.185.104.24'
	option target 'ACCEPT'
	list proto 'tcp'
	option family 'ipv4'
	option enabled '0'

# Catch-all ("block everything from lan"): any lan->wan traffic not accepted by
# an earlier rule is silently dropped. Rules are evaluated in file order, so
# this stanza must stay last.
config rule
	option name 'blokovat vse z lan'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option family 'ipv4'
	list proto 'all'