Results 1 to 15 of 21

Thread: FTP USB DMZ Question.

  1. #1

    FTP USB DMZ Question.

    Hi all.

    Is it possible to use the FTP server with a USB drive connected, and at the same time have DMZ activated, forwarding all connections to a PC running Zone Alarm? (The WL-500g firewall should also be activated.)

    I have tried to get this to work. But the only way I can get the server to work is when I deactivate DMZ and the WL-500g firewall.

    What am I missing?

    Whoppers.
    New happy owner of a WL-500g Deluxe router.
    Using latest firmware (Asus 1.9.5.0)

  2. #2
    I did some more testing today.

    With these settings:
    Enable Firewall? Yes
    Logged packets type: None
    Enable Web Access from WAN? No
    Port of Web Access from WAN:
    Respond LPR Request from WAN? No
    Respond Ping Request from WAN? NO

    And
    Enable FTP Server? Yes
    Allow Anonymous User to Login? No
    Allow Super User to Login? No
    FTP Port: 4546
    Maximum Users Allowed to Log in: 5
    Login Timeout in Seconds:
    Stay Timeout in Seconds:

    User:testsubject Pass:subject1 Max Login:2 Rights:R/W/E

    With no DMZ or any other port redirections etc.
    My testsubject can log in, but gets a timeout every time he tries to transfer a file.
    If I disable the firewall, everything works perfectly. But I don't want to do that, or do I?

  3. #3
    Using port 21 seems to solve the upload problem. (still not fixed in 1.9.5.0 then)

  4. #4
    Hi again.

    So I've tried a lot of different ways to solve my original question. None of them has worked.

    So can anyone in here help me with the WAN & LAN filters?
    I've got two PCs connected. The first should have all packets sent to it. (192.168.1.2) And the second one should be protected by the WL-500gx firewall. (192.168.1.3)
    I've tried lots of settings, and none of them worked. These WAN & LAN filter settings don't act logically, in my opinion.

    Please help.

  5. #5
    If you gimme some time I'll test your scenario and try to help you. Just a lil busy these days. Maybe I have results tomorrow.

  6. #6
    Thx TheEagle.

  7. #7
    Ok, I tried to do what you tried. Tho I couldn't get my FTP running in 1.9.5.0 (might have to do with the card reader I'm using), I could reproduce your problem in Oleg's firmware. DMZ means DMZ and there's no way round: every incoming connection is sent to the DMZ, and no filter or virtual server will stop iptables from doing that. But there could be a simple workaround. Instead of setting up a DMZ, simply create a virtual server, port range 1024:65535, IP is your "DMZ", protocols "BOTH". Ok, this isn't a real DMZ, but most programs will run with it. AND you can still access the FTP server on the router. (Even with router firewall set to "enabled".) If you really want all ports < 1024 redirected to your "almostLikeADMZ", you can create 2 virtual server rules, one with port range 1:19 and one with port range 22:65535. And if you need special protocols (aside from TCP/UDP) to be forwarded to the DMZ, just add another rule for that protocol number (numbers listed here).

    Hope it helps ...

  8. #8
    Thx. That worked very nicely.

    Just one or two questions.
    What do the WAN to LAN filters do then?
    If I make two filters. One for UDP and one for TCP.
    Source IP: *.*.*.*
    Port Range: 10
    Destination IP: 192.168.1.2
    Port Range: 10
    Protocol: TCP/UDP
    And I set 'Packets not specified will be': ACCEPT
    Should that not let all other packs through the firewall?

    Thanks again for the fine and simple solution.

  9. #9
    Well yes, that should let every >>INBOUND<< packet pass except packets with SOURCE(!!) port 10 and >>DESTINATION<< port also 10 and >>DESTINATION<< IP 192.168.1.2. Of course you most likely would have to set up a "mirror" rule for LAN/WAN filter if it is enabled.

    Tho this special rule doesn't make so much sense to me, but one never knows. Maybe you tell me/us what you want to achieve with LAN/WAN filters. What shall be allowed, what not?

  10. #10
    Really, it's much (much, much, much!!!) better to install Oleg's firmware and to do all filtering through "iptables". There are fewer bugs and more features!! (such as a simple operator NOT ([!])). Today I solved a huge problem in four lines, but with the web interface there was no solution even in 300 lines. (I need to add lots of IP addresses into filter tables.)
    Sorry for my bad English.
    Buy Domestic Elephants!!!

  11. #11
    Tho this special rule doesn't make so much sense to me, but one never knows. Maybe you tell me/us what you want to achieve with LAN/WAN filters. What shall be allowed, what not?
    Sure.

    I was trying to get the router to act like I had DMZ set to 192.168.1.2 (except for, in this case, port 10).
    But no matter how I try, the firewall will always block incoming packs.

  12. #12
    Well, that's because DMZ option obviously overrides it all.

  13. #13
    Quote Originally Posted by MaTpockuH
    Really, it's much (much, much, much!!!) better to install Oleg's firmware and to do all filtering through "iptables". There are fewer bugs and more features!! (such as a simple operator NOT ([!])). Today I solved a huge problem in four lines, but with the web interface there was no solution even in 300 lines. (I need to add lots of IP addresses into filter tables.)
    Sure it is better ... but depending on what one wants to do and IS ABLE to do, it's not SIMPLER. Takes a while to understand this sh*t, I'm currently slowly diggin into it.

  14. #14
    Quote Originally Posted by TheEagle
    Well, that's because DMZ option obviously overrides it all.
    DMZ was deactivated. The only thing activated was the WAN/LAN filters.

  15. #15
    I think you misunderstood some things, maybe we need this clarification: Well, WAN/LAN filter does NOT forward traffic to machines, it FILTERS traffic (either allows or denies a packet to be passed to a PC). To say new incoming packets (that are not part of an already established outgoing connection from 1 PC) on a special port should be always REDIRECTED (! that's another thing than filtered), you need to set up a Virtual Server rule instead of a filter rule.

    (So disabling the DMZ and setting up a filter instead of course cannot work.)

    Hope that makes you understand a little better. Don't know how to say it better or more "professional".
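
The redirect-versus-filter distinction from posts #7 and #15, as an added example that is not part of the original thread: a simplified Python model (not the router's actual iptables rules) of where a new inbound WAN connection ends up under a DMZ, under the two port-range Virtual Server rules, and under a filter alone. The function names, port 6881 and the assumption that the router's own FTP server listens on port 21 are constructed for illustration; source ports are ignored.

```python
# Simplified model: a redirect step (DMZ / Virtual Server) picks the destination,
# then the WAN to LAN filter only allows or denies traffic that is being
# forwarded to a LAN host. Assumption: the real firmware evaluates in this order.
ROUTER, DROPPED = "router", "dropped"
PC1 = "192.168.1.2"  # the "DMZ" PC from the thread

def redirect(port, dmz=None, virtual_servers=()):
    """Return the LAN IP a new inbound connection is redirected to, or None."""
    if dmz is not None:                  # DMZ: catch-all for every port
        return dmz
    for lo, hi, ip in virtual_servers:   # Virtual Server: only the listed ranges
        if lo <= port <= hi:
            return ip
    return None

def filter_accepts(dst_ip, port, listed=(), unlisted_accept=True):
    """Listed (ip, port) pairs get the opposite of the 'not specified' action."""
    matched = (dst_ip, port) in listed
    return (not unlisted_accept) if matched else unlisted_accept

def deliver(port, dmz=None, virtual_servers=(), listed=(), router_ports=(21,)):
    dst = redirect(port, dmz, virtual_servers)
    if dst is None:
        # No redirect rule: only a service on the router itself can answer.
        return ROUTER if port in router_ports else DROPPED
    return dst if filter_accepts(dst, port, listed) else DROPPED

# The two rules from post #7: everything except ports 20 and 21 goes to PC1.
ALMOST_DMZ = [(1, 19, PC1), (22, 65535, PC1)]

def scenarios():
    return {
        "dmz, port 21": deliver(21, dmz=PC1),
        "ranges, port 21": deliver(21, virtual_servers=ALMOST_DMZ),
        "ranges, port 6881": deliver(6881, virtual_servers=ALMOST_DMZ),
        "filter only, port 6881": deliver(6881, listed=[(PC1, 10)]),
        "ranges + filter, port 10": deliver(10, virtual_servers=ALMOST_DMZ,
                                            listed=[(PC1, 10)]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} -> {result}")
```

In this model the "filter only" case is dropped even though unlisted packets are set to ACCEPT, because nothing ever redirected the connection to 192.168.1.2 in the first place.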
