DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

SOLVED - 2927 Firewall not working

12 Mar 2021 19:31 #1 by chaser
Hi,

I can't get the firewall to work on my Vigor 2927 (firmware v4.2.2). I have a fibre connection to WAN1 and a VDSL connection to WAN2 (via a Vigor 2860 that is set up as a modem).

I am trying to block certain IP addresses from accessing my mail server, but they continue to get through, and I see them trying to connect in my mail server logs.

In the Firewall General Setup page:
  • Data Filter is enabled, and 'Start Filter Set' is set to 'Set#1'.
  • Allow pass inbound fragmented large packets is enabled (I've also tried to disable)
  • Enable Strict Security Firewall is enabled (again, I've tried to disable this)
  • Block routing connections initiated from WAN is also enabled for IP4 and IP6

In the Firewall Filter Setup page, Set#1 (Default Data Filter) is set up as follows:
  • Rule 1 is the standard xNetBios -> DNS rule
  • Rule 2 is the rule I am struggling with.

Rule 2 is set up as follows:
  • Schedule Profile are all set to None
  • Clear sessions when schedule is ON is unchecked
  • Direction is WAN -> LAN/DMZ/RT/VPN
  • Source IP is 212.70.149.71
  • Destination IP is Any
  • Service Type is Any
  • Fragments is Don't Care
  • Filter is Block Immediately (Syslog is enabled for this rule)

212.70.149.71 is still getting through to my mail server, and I don't know why. If I try to use the Firewall Diagnose tool I get the following message:

The packet is not handled by firewall.(6)

I've also tried setting up a Filter Set 2, but that doesn't work either.

I also don't see anything appearing in the Syslog.

Any idea why this is not working?

13 Mar 2021 10:16 #2 by piste basher
This probably has nothing to do with your problem, but, prompted by your post to look at mine, I noticed that the 2927 no longer has a "Default Call Filter". First time I've seen this on a Draytek. Wonder why they have deemed it redundant after all these years?

What I would say is that the 2927 has some other features which don't work properly, e.g. in the Mesh Status page. It could just be that there is a problem, before you tear your hair out :|

14 Mar 2021 19:43 #3 by hornbyp

chaser wrote:
212.70.149.71 is still getting through to my mail server, and I don't know why. If I try to use the Firewall Diagnose tool I get the following message:

The packet is not handled by firewall.(6)

I get the same message on my 2860 for that IP address. (It should definitely match an existing rule, given that it is a Bulgarian IP address :wink: - filtering by country drastically reduces the amount of spam and other attacks that the Mail Server has to deal with)

I'm not sure I've ever got the 'Diagnose' function to do anything useful on the 2860.

I noticed the 'IPF flowtest' command on the 2860, but it's not documented in the manual. I tried copying and pasting the sample commands from Page 804 of the Vigor 2926 manual - but that also gave the same message. (To be fair, it would take a fair while to understand what those commands actually do :wink: )

Are you sure Syslog is actually configured and receiving data? (I have never had much success with the Web GUI interface - I much prefer the SyslogRD daemon.)

15 Mar 2021 14:54 #4 by hornbyp

chaser wrote:
If I try to use the Firewall Diagnose tool I get the following message:

The packet is not handled by firewall.(6)

and I wrote:
I'm not sure I've ever got the 'Diagnose' function to do anything useful on the 2860.

It turns out, I was doing it all wrong :roll:

As @Hopkins35 pointed out, (in 2018!), the Destination Address needs to be the WAN address and not the LAN IP address of the target machine. :idea:

See: https://forum.draytek.co.uk/viewtopic.php?f=14&t=22520&p=92960#p92960

Now I get a Firewall Hit on your "212.70.149.71"

16 Mar 2021 12:46 #5 by chaser

hornbyp wrote:
Are you sure Syslog is actually configured and receiving data? (I have never had much success with the Web GUI interface - I much prefer the SyslogRD daemon.)

I'm using the WebGUI and I'm definitely getting lots of other messages flooding in!

hornbyp wrote:
It turns out, I was doing it all wrong :roll:

As @Hopkins35 pointed out, (in 2018!), the Destination Address needs to be the WAN address and not the LAN IP address of the target machine. :idea:

See: https://forum.draytek.co.uk/viewtopic.php?f=14&t=22520&p=92960#p92960

Now I get a Firewall Hit on your "212.70.149.71"

Ah. Thank you. Sounds like that's where I'm going wrong! I'll give that a try, and see if it works any better...

16 Mar 2021 13:46 #6 by chaser
Using the WAN IP address instead of the LAN IP address has got the Diagnose tool working. However, it's reporting a PASS status from the default rule. It appears to be ignoring the rule that I set up in the Default Data Filter.

Edit: This is confusing. So, in filter set 1 (default data filter) I have:

Rule 1: xNetBios
Rule 2: Immediate block 212.70.149.71
Rule 3: Immediate block 212.70.149.71 (Duplicate of Rule 2)

If I run the Diagnose tool on 212.70.149.71, it blocks on Rule 2 (good!)
If I then swap rules 2 & 3 around and run the Diagnose tool on 212.70.149.71, it blocks on Rule 3 (good that it blocks, but bad that it seems to skip past rule 2).
If I then change rule 2 (the one that was originally rule 3) IP address to something different and run the Diagnose tool on that new IP address, it ultimately passes on default rule (bad)
If I then change rule 3 (the one that was originally rule 2) IP address to something different (same IP as the step above) and run the Diagnose tool on that new IP address, it blocks on Rule 3 (again good that it blocks, but bad that it seems to skip past rule 2).

I don't understand why only one of rules 2 & 3 seems to work. This issue actually extends beyond just rules 2 & 3. Ignoring rule 1, I can only get one of the other rules in set 1 to correctly block. All the others incorrectly pass! Even trying to set up new rules in Set 2 doesn't work.

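To see what a filter set evaluated top-down with first-match semantics should have reported for the four Diagnose runs in post #6, here is a small model of that evaluation (an added example, not DrayTek's code or the 2927's actual logic; the WAN address and the "something different" address are constructed, and the xNetBios -> DNS rule is modelled as a plain LAN->WAN block).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str       # position in the filter set, e.g. "Rule 2"
    direction: str  # "WAN->LAN" or "LAN->WAN"
    src: str        # "any", or an IP address / CIDR
    dst: str        # "any", or an IP address / CIDR
    action: str     # "block" or "pass" (Block/Pass Immediately)

def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, direction, src, dst, default=("pass", "default rule")):
    """The first rule matching direction, source and destination decides;
    if nothing matches, the set's default rule applies."""
    for r in rules:
        if r.direction == direction and _addr_matches(r.src, src) and _addr_matches(r.dst, dst):
            return r.action, r.name
    return default

# The first address is from the thread; the other two are constructed for this example.
TEST_IP = "212.70.149.71"
OTHER_IP = "198.51.100.7"   # stands in for "something different" in post #6
WAN_IP = "203.0.113.5"      # the router's own WAN address, which Diagnose wants as destination

def _block_from(name, ip):
    return Rule(name, "WAN->LAN", ip, "any", "block")

# Assumption: the xNetBios -> DNS rule is modelled as a LAN->WAN block. Since every
# rule in the thread has Service Type Any, services are not modelled at all.
NETBIOS = Rule("Rule 1", "LAN->WAN", "any", "any", "block")

def expected_verdicts():
    """Expected outcome of each Diagnose run from post #6 under first-match evaluation."""
    out = {}
    # 1: rules 2 and 3 both block TEST_IP              (router reported: Rule 2)
    out["step1"] = evaluate([NETBIOS, _block_from("Rule 2", TEST_IP), _block_from("Rule 3", TEST_IP)],
                            "WAN->LAN", TEST_IP, WAN_IP)
    # 2: rules 2 and 3 swapped; they are identical     (router reported: Rule 3)
    out["step2"] = evaluate([NETBIOS, _block_from("Rule 2", TEST_IP), _block_from("Rule 3", TEST_IP)],
                            "WAN->LAN", TEST_IP, WAN_IP)
    # 3: rule 2 now blocks OTHER_IP; test OTHER_IP     (router reported: default rule, pass)
    out["step3"] = evaluate([NETBIOS, _block_from("Rule 2", OTHER_IP), _block_from("Rule 3", TEST_IP)],
                            "WAN->LAN", OTHER_IP, WAN_IP)
    # 4: rule 3 also blocks OTHER_IP; test OTHER_IP    (router reported: Rule 3)
    out["step4"] = evaluate([NETBIOS, _block_from("Rule 2", OTHER_IP), _block_from("Rule 3", OTHER_IP)],
                            "WAN->LAN", OTHER_IP, WAN_IP)
    return out
```

Under first-match evaluation all four runs should hit the rule in position 2, so the Rule 3 and default-rule verdicts the router reported are the anomaly worth raising with support.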