FTP USB DMZ Question.


whoppers
06-11-2005, 23:39
Hi all.

Is it possible to use the FTP server with a USB drive connected, and at the same time have DMZ activated, forwarding all connections to a PC running Zone Alarm? (The WL-500g firewall should also be activated.)

I have tried to get this to work, but the only way I can get the server to work is when I deactivate DMZ and the WL-500g firewall.

What am I missing?

Whoppers.
New happy owner of a WL-500g Deluxe router.
Using latest firmware (Asus 1.9.5.0)

whoppers
08-11-2005, 20:31
I did some more testing today. :confused:

With these settings:
Enable Firewall? Yes
Logged packets type: None
Enable Web Access from WAN? No
Port of Web Access from WAN:
Respond LPR Request from WAN? No
Respond Ping Request from WAN? NO

And
Enable FTP Server? Yes
Allow Anonymous User to Login? No
Allow Super User to Login? No
FTP Port: 4546
Maximum Users Allowed to Log in: 5
Login Timeout in Seconds:
Stay Timeout in Seconds:

User:testsubject Pass:subject1 Max Login:2 Rights:R/W/E

With no DMZ or any other port redirections etc.
My test subject can log in, but gets a timeout every time he tries to transfer a file.
If I disable the firewall, everything works perfectly. But I don't want to do that, or do I?

whoppers
09-11-2005, 22:17
Using port 21 seems to solve the upload problem. (still not fixed in 1.9.5.0 then)

whoppers
10-11-2005, 22:17
Hi again.

So I've tried a lot of different ways to solve my original question. None of them has worked. :(

So can anyone in here help me with the WAN & LAN filters?
I've got two PCs connected. The first (192.168.1.2) should have all packets sent to it, and the second one (192.168.1.3) should be protected by the WL-500gx firewall.
I've tried lots of settings, and none of them worked. These WAN & LAN filter settings don't act logically, in my opinion.

please help. :)

TheEagle
10-11-2005, 22:47
If you gimme some time I'll test your scenario and try to help you. Just a lil busy these days. Maybe I'll have results tomorrow.

whoppers
10-11-2005, 23:31
Thx TheEagle.

TheEagle
11-11-2005, 22:02
Ok, I tried to do what you tried. Tho I couldn't get my ftp running in 1.9.5.0 (might have to do with the card reader I'm using), I could reproduce your problem in Oleg's firmware. DMZ means DMZ and there's no way round it: every incoming connection is sent to the DMZ, and no filter or virtual server will stop iptables from doing that.

But there could be a simple workaround. Instead of setting up a DMZ, simply create a virtual server, port range 1024:65535, IP is your "DMZ", protocols "BOTH". Ok, this isn't a real DMZ, but most programs will run with it. AND you can still access the ftp server on the router (even with the router firewall set to "enabled"). If you really want all ports < 1024 redirected to your "almostLikeADMZ" you can create 2 virtual server rules, one with port range 1:19 and one with port range 22:65535. And if you need special protocols (aside from TCP/UDP) to be forwarded to the DMZ, just add another rule for that protocol number (numbers listed here: http://lastbit.com/trafmeter/manual/q0001.htm).

Hope it helps ...

whoppers
11-11-2005, 22:37
Thx. That worked very nicely. :)

Just one or two questions.
What do the WAN to LAN filters do then?
If I make two filters, one for UDP and one for TCP:
Source IP: *.*.*.*
Port Range: 10
Destination IP: 192.168.1.2
Port Range: 10
Protocol: TCP/UDP
And I set 'Packets not specified will be: ACCEPT'.
Should that not let all other packets through the firewall?

Thanks again for the fine and simple solution. :)

TheEagle
11-11-2005, 22:45
Well, yes, that should let every >>INBOUND<< packet pass except packets with SOURCE(!!) port 10 and >>DESTINATION<< port also 10 and >>DESTINATION<< IP 192.168.1.2. Of course you most likely would have to set up a "mirror" rule for the LAN/WAN filter if it is enabled.

Tho this special rule doesn't make much sense to me, but one never knows :) Maybe you can tell me/us what you want to achieve with the LAN/WAN filters. What shall be allowed, what not?

FilimoniC
11-11-2005, 23:06
Really, it's much (much, much, much!!!) better to install Oleg's firmware and to do all filtering through "iptables". There are fewer bugs and more features!! (such as a simple NOT operator ([!])). Today I solved a huge problem in four lines, but with the web interface there was no solution even in 300 lines. (I need to add lots of IP addresses into the filter tables.)

whoppers
11-11-2005, 23:07
> Tho this special rule doesn't make much sense to me, but one never knows :) Maybe you can tell me/us what you want to achieve with the LAN/WAN filters. What shall be allowed, what not?

Sure. :)

I was trying to get the router to act like I had DMZ set to 192.168.1.2 (except for, in this case, port 10).
But no matter how I try, the firewall will always block incoming packets.

TheEagle
12-11-2005, 21:45
Well, that's because the DMZ option obviously overrides it all. :p

TheEagle
12-11-2005, 21:46
> Really, it's much (much, much, much!!!) better to install Oleg's firmware and to do all filtering through "iptables". There are fewer bugs and more features!! (such as a simple NOT operator ([!])). Today I solved a huge problem in four lines, but with the web interface there was no solution even in 300 lines. (I need to add lots of IP addresses into the filter tables.)

Sure it is better ... but depending on what one wants to do and IS ABLE to do, it's not SIMPLER ;). Takes a while to understand this sh*t, I'm currently slowly digging into it :cool:

whoppers
13-11-2005, 10:22
> Well, that's because the DMZ option obviously overrides it all. :p

:confused: DMZ was deactivated. The only thing activated was the WAN/LAN filters.

TheEagle
13-11-2005, 14:31
I think you misunderstood some things, maybe we need this clarification: the WAN/LAN filter does NOT forward traffic to machines, it FILTERS traffic (either allows or denies a packet to be passed to a PC). To say that new incoming packets (that are not part of an already established outgoing connection from one PC) on a special port should always be REDIRECTED (! that's another thing than filtered), you need to set up a Virtual Server rule instead of a filter rule.

(So disabling the DMZ and setting up a filter instead of course cannot work :) )

Hope that makes you understand a little better. Don't know how to say it better or more "professional" ;)

whoppers
13-11-2005, 15:15
Okay.
But if DMZ is off and the firewall is active, and I set WAN/LAN to accept all packets (not redirect/forward) except port 10, why do packets still get blocked by the firewall?
I just want the firewall to accept all packets destined for 192.168.1.2, nothing else.

But we already solved this problem with the virtual server, so let's finish this before I get more confused. :)

TheEagle
13-11-2005, 18:34
Yeah maybe I'm talking of apples and you of tomatoes :).

Feel free to contact me in ICQ if you need help any day.

whoppers
18-11-2005, 00:10
Well, I have to ask. :)

I did some testing tonight, and I really don't get this WAN to LAN stuff (as you already know).
I've disabled all NAT settings, and the only thing that's enabled is the firewall and the WAN to LAN filters.
I then try these settings:
Packets (WAN to LAN) not specified will be: DROP
Source IP   Port Range   Destination IP   Port Range   Protocol
BLANK       70           BLANK            BLANK        TCP
BLANK       70           BLANK            BLANK        UDP

Can we agree that with these settings I should not have any normal internet access? If so, why can I still access the internet and all other services that I use? (email, irc etc.)

One other thing. I read about the hidden admin page in another post, and I tried the "iptables -L -v -n" command. When I run this command, I get no output. It just refreshes the hidden admin page. Does this command only work with the Oleg firmware?

TheEagle
18-11-2005, 20:54
> Packets (WAN to LAN) not specified will be: DROP
> Source IP   Port Range   Destination IP   Port Range   Protocol
> BLANK       70           BLANK            BLANK        TCP
> BLANK       70           BLANK            BLANK        UDP
>
> Can we agree that with these settings I should not have any normal internet access? If so, why can I still access the internet and all other services that I use? (email, irc etc.)

Well, we somehow can agree ... tho I have to say that outgoing packets are not filtered at all, because you didn't enable the LAN to WAN filter. Still, it's more than unlikely that all the services you use have port 70 as source port, and so YES, you shouldn't be able to do email and stuff. Could you post screenshots of the settings you made? Just to be sure? :)

> One other thing. I read about the hidden admin page in another post, and I tried the "iptables -L -v -n" command. When I run this command, I get no output. It just refreshes the hidden admin page. Does this command only work with the Oleg firmware?

Do not press ENTER, click the "Refresh" button on that page. Tho I'm not 100% positive that it works with ASUS firmware ... more like 99% ;)

whoppers
18-11-2005, 21:35
Here you go.

And here is the output from "iptables -L -v -n":
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
509 29767 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 420 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
136 45516 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
4 264 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 4 packets, 256 bytes)
pkts bytes target prot opt in out source destination
86 15156 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
0 0 ACCEPT udp -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 udp spt:70
0 0 ACCEPT tcp -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 tcp spt:70
0 0 ACCEPT udp -- * * 0.0.0.0/0 255.255.255.255 udp dpt:47624
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.2 udp dpt:14506
0 0 logdrop all -- vlan1 br0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 649 packets, 370K bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (6 references)
pkts bytes target prot opt in out source destination
4 264 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP'
4 264 DROP all -- * * 0.0.0.0/0 0.0.0.0/0



Hope that's enough. :)
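The FORWARD chain in the dump above explains both of the thread's puzzles: the WAN-to-LAN filter lines match only a SOURCE port of 70, and they sit behind the RELATED,ESTABLISHED rule, so replies to outbound connections are accepted before the filter is consulted, while the LAN-to-WAN direction has no filter at all. The dpt:14506 line also shows how a Virtual Server appears in FORWARD: an ACCEPT for a destination port on 192.168.1.2, which is what TheEagle's 1:19 and 22:65535 workaround relies on. The following is an added illustration, not code from the router or from anyone in the thread: a small first-match evaluator for the posted chain. It assumes conntrack states are already known per packet, leaves out the three rate-limited SYN/RST/ping rules (their counters are 0 and a token bucket is not modelled), and assumes the two virtual servers are rendered the same way as the dpt:14506 line, just before the final logdrop; the sample packets are constructed.

```python
"""Toy first-match evaluator for the FORWARD chain posted in the thread.

Added example (not the firmware's code). It models iptables' top-to-bottom
first-match evaluation closely enough to check the thread's two observations:
 1. replies to outbound traffic hit the RELATED,ESTABLISHED rule first, so the
    "source port 70" WAN-to-LAN filter never stops normal browsing/email;
 2. a Virtual Server is a FORWARD ACCEPT on a destination port to the LAN host,
    so TheEagle's 1:19 + 22:65535 ranges forward "almost everything" while
    port 21 stays in the gap (and on the router).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN, LAN = "vlan1", "br0"      # interface names exactly as in the posted dump
DMZ_HOST = "192.168.1.2"       # the PC that should receive "almost DMZ" traffic


@dataclass
class Packet:
    proto: str     # "tcp", "udp" or "icmp"
    inif: str      # ingress interface
    outif: str     # egress interface after routing
    dst: str       # destination address
    sport: int     # source port (0 for icmp)
    dport: int     # destination port (0 for icmp)
    state: str     # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str                                 # ACCEPT or logdrop
    proto: str = "all"
    inif: str = "*"
    outif: str = "*"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None                 # exact source port, like "spt:70"
    dports: Optional[Tuple[int, int]] = None    # inclusive destination port range
    states: Optional[Tuple[str, ...]] = None    # "state" match; None = no state match

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and self.inif in ("*", p.inif)
                and self.outif in ("*", p.outif)
                and self.dst in ("0.0.0.0/0", p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.states is None or p.state in self.states))


def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def posted_forward_chain() -> List[Rule]:
    """The FORWARD chain from the dump, in order, minus the three limit rules."""
    return [
        Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
        Rule("logdrop", states=("INVALID",)),
        Rule("ACCEPT", inif=LAN, outif=LAN),
        Rule("ACCEPT", proto="udp", inif=WAN, outif=LAN, sport=70),   # the two WAN-to-LAN
        Rule("ACCEPT", proto="tcp", inif=WAN, outif=LAN, sport=70),   # filter entries
        Rule("ACCEPT", proto="udp", dst="255.255.255.255", dports=(47624, 47624)),
        Rule("ACCEPT", proto="udp", dst=DMZ_HOST, dports=(14506, 14506)),  # a virtual server
        Rule("logdrop", inif=WAN, outif=LAN),                         # everything else from WAN
    ]


def with_almost_dmz(chain: List[Rule]) -> List[Rule]:
    """TheEagle's workaround: virtual servers 1:19 and 22:65535, TCP and UDP, to
    the 'DMZ' PC. Assumption: rendered like the dpt:14506 line, before the final
    logdrop, which is where the firmware put the existing virtual server."""
    extra = [Rule("ACCEPT", proto=proto, dst=DMZ_HOST, dports=rng)
             for rng in ((1, 19), (22, 65535)) for proto in ("tcp", "udp")]
    return chain[:-1] + extra + chain[-1:]


def run_cases() -> dict:
    """Constructed packets covering the situations discussed in the thread."""
    base = posted_forward_chain()
    dmz = with_almost_dmz(base)
    outbound = Packet("tcp", LAN, WAN, "203.0.113.5", 50231, 80, "NEW")
    reply = Packet("tcp", WAN, LAN, "192.168.1.3", 80, 50231, "ESTABLISHED")
    new_http = Packet("tcp", WAN, LAN, DMZ_HOST, 44321, 80, "NEW")
    new_ftp = Packet("tcp", WAN, LAN, DMZ_HOST, 44321, 21, "NEW")
    from_port70 = Packet("udp", WAN, LAN, "192.168.1.3", 70, 5000, "NEW")
    return {
        "lan_to_wan_new": verdict(base, outbound),       # ACCEPT: no LAN-to-WAN filter
        "reply_to_outbound": verdict(base, reply),       # ACCEPT: ESTABLISHED rule comes first
        "new_http_posted": verdict(base, new_http),      # logdrop: unsolicited WAN packet
        "new_http_almost_dmz": verdict(dmz, new_http),   # ACCEPT: inside 22:65535
        "new_ftp_almost_dmz": verdict(dmz, new_ftp),     # logdrop: 21 is in the gap
        "new_from_sport70": verdict(base, from_port70),  # ACCEPT: filter keys on SOURCE port
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:22s} -> {result}")
```

Running it reproduces whoppers' experience: the only packets the port-70 filter lets in are unsolicited packets that happen to come from source port 70, everything else from the WAN is logged and dropped, and outbound connections plus their replies never touch those lines. Swapping in the two virtual-server ranges opens new inbound traffic to 192.168.1.2 on every port except 20 and 21.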

whoppers
04-12-2005, 22:48
Tried Oleg's firmware 1.9.2.7-6b
Sadly, it did not solve my little problem. :confused: