DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Firewall not blocking (2850)
24 Dec 2013 13:26 #78582
by lesd
Replied by lesd on topic Re: Firewall not blocking (2850)
lintentech wrote:
Having a similar issue, I need to block SMTP port 25 from all but one IP (92.63.133.169) so have set up the following rule:
Direction: WAN > LANRT/VPN
Source IP: !92.63.133.169
Destination IP: ANY
Service Type: TCP. Port from 25 to 25
Filter: Block Immediately
Yet I can still connect from any IP.
You have made a common mistake. The 'from' port is not '25'. It should be set to 'Any'.
When a connection is made, typically the from port is a random one. It is the target port that matters.
Les
24 Dec 2013 13:34 #78583
by lesd
Replied by lesd on topic Re: Firewall not blocking (2850)
Just an update on my original problem.
First I have upgraded to firmware 3.6.6 from the international site which brings a few goodies.
One of which, well overdue, is the ability to now specify 'All' for the WAN Interface on Open Ports.
With the help of UK support we have now determined that the router is in fact blocking on both WANs and the issue is something else - the 'something' is yet to be determined. Basically, the rules I mentioned initially are OK and should normally work.
I will update once I get to the bottom of this.
Les
19 Feb 2014 20:16 #79133
by spudster
Replied by spudster on topic Re: Firewall not blocking (2850)
I don't know whether you sorted this but I had this issue and needed to do the following. The source port needs to be 1~65535 (Any) and the destination port needs to be exact (as detailed below for SMTP). Hope this helps others whom it confuses!
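The source-port versus destination-port point made in the replies above, as an added example that is not part of the original posts and is not DrayTek configuration syntax. The `FilterRule` model, its field names, the sample connections, and the assumption that the misconfigured rule left the destination port at Any are all hypothetical.

```python
# Added example: models the block rule discussed in the thread.
# FilterRule and its field names are hypothetical, not router syntax.
from dataclasses import dataclass
from ipaddress import ip_address

ANY_PORT = (1, 65535)

@dataclass(frozen=True)
class FilterRule:
    src_ip: str        # single address to compare against
    src_negate: bool   # True models the "!" prefix: every source except src_ip
    src_ports: tuple   # inclusive (low, high) range for the client's source port
    dst_ports: tuple   # inclusive (low, high) range for the service port

    def matches(self, src_ip, src_port, dst_port):
        ip_hit = (ip_address(src_ip) == ip_address(self.src_ip)) != self.src_negate
        return (ip_hit
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])

ALLOWED = "92.63.133.169"  # the one permitted sender, from the quoted post

# Port 25 entered as the *source* port (destination assumed left at Any).
WRONG = FilterRule(ALLOWED, True, (25, 25), ANY_PORT)
# Source port Any (1~65535), destination port exactly 25.
FIXED = FilterRule(ALLOWED, True, ANY_PORT, (25, 25))

# Constructed sample connections: (source IP, source port, destination port).
# Clients pick an ephemeral source port; only the destination is 25 for SMTP.
SAMPLES = [
    ("203.0.113.7", 49152, 25),    # unwanted sender, SMTP
    ("198.51.100.20", 61034, 25),  # unwanted sender, SMTP
    ("92.63.133.169", 50111, 25),  # permitted sender, SMTP
    ("203.0.113.7", 52200, 443),   # unrelated HTTPS traffic
]

def blocked(rule, samples=SAMPLES):
    """Return the samples a 'Block Immediately' rule would drop."""
    return [s for s in samples if rule.matches(*s)]

if __name__ == "__main__":
    for name, rule in (("wrong", WRONG), ("fixed", FIXED)):
        print(name, blocked(rule))
```

The misconfigured rule never fires because no real client connects from source port 25, so every SMTP connection falls through to whatever rule or default comes next.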
19 Feb 2014 20:51 #79134
by lesd
Replied by lesd on topic Re: Firewall not blocking (2850)
You are right to point that out as many people make the mistake of specifying the source port to match the target port. The source port can be anything.
In my case that was not the issue.
I have yet to finalise the issue but it seems I now understand what is going on.
- My WAN2 ISP (cable) has not only allocated a fixed IP to the line but also a dynamic one. This has been proven to be the case by:
1. Setting the router to block/report DOS attacks and also turning on logging.
2. Running a trace-route to the IP.
3. We get an immediate email about a DOS from the testing IP and the firewall logs show the incoming packets.
- It seems that connections coming in via the dynamic IP are being totally ignored by the 2850 firewall.
That's it in a nutshell. I have just not the time to progress this with Draytek or my ISP.
Les
11 Aug 2014 07:38 #80910
by lesd
Replied by lesd on topic Re: Firewall not blocking (2850)
Update:
The firewall in my switchboard VM was blocking what came through the router so I did not follow this through with Draytek.
However, last week I installed Firmware Version 3.6.6.1_232201 and it has seemed to cure this and other problems. I have not done any formal testing but my VM firewall has stopped complaining and I have not had a single banned IP since.
Les