DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Strange Firewall Issue 2866ax
15 Aug 2025 21:02 #105371
by cartmane
Strange Firewall Issue 2866ax was created by cartmane
I just recently swapped out my 2860Vac for a 2866ax by backing up the config then restoring - everything copied across & is working fine. I'm now looking to clean up my firewall rules and am getting a very strange issue.
The final rule in the chain from the 2860 successfully blocks unwanted inbound traffic but when I replace it with one that looks identical (see below) & place it on a different page of rules, the new one does not.
[Images: Original | New]
Details under the advanced button are identical for both
I'm configured for Multi-NAT & the firewall with the new config seems to let certain traffic pass on any of my block of IPs whereas the old rule blocks identical requests
2025-08-15 20:38:45 Local0.Info 192.168.1.254 Aug 15 20:38:47 DrayTek: [FILTER][Pass][WAN->LAN/RT/VPN, 19:08:03 ][@S:R=13:1, 103.102.230.4:35525->x.x.x.x:8728][TCP][HLen=20, TLen=40, Flag=S, Seq=1094424458, Ack=0, Win=65535]
I can't even diagnose because the above request shows as "The packet is not handled by firewall.(" when I test to see why it was passed.
Does anyone have any idea what could be happening?
16 Aug 2025 08:33 #105373
by piste basher
Replied by piste basher on topic Strange Firewall Issue 2866ax
Sorry if it's obvious but you do have the "Next filter set 12" box ticked on whatever the previous set was? I'm impressed that you get up to 12 pages of rules....
16 Aug 2025 16:18 #105376
by cartmane
Replied by cartmane on topic Strange Firewall Issue 2866ax
Hi
The next filter set 12 dropdown is definitely configured but I don't have that many rules, I only put it there out of the way for testing.
Even if I added the rule into set 1 or set 3, it still seemed to fail. As you can see, the untouched, old rule that works is in set 2.
This said I seem to have fixed the problem despite me doing something that didn't seem to work yesterday.
The log below has the source & destination IPs in the final 2 columns (the final one is truncated to obscure my IP on purpose)
At the time I've marked it in red I added a WAN > Localhost block rule in a set before the old, working WAN > LAN/RT/VPN one
As you can see everything above that that is directed at my internet facing IPs was blocked by the old rule, everything below is blocked by the new one. You can't see it here but anything that passes through my NAT & tries to hit a port on a local IP that I don't want is blocked by the old rule.
It seems as though my old 2860 rule was blocking WAN > LAN/RT/VPN/Localhost whereas the new ones created by the 2866 are more granular so need 2 to be set up
[Image: Log]
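A small triage script for `[FILTER]` syslog lines like the one quoted in this thread, added here as an example and not posted by any participant. It counts passed WAN-originated TCP SYNs per rule and destination port, so you can see which rule a packet matched after moving rules between sets. Assumptions: `@S:R=` is read as set:rule, a blocked packet is logged as `[Block]`, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Field layout follows the [FILTER] line quoted in the thread.
# Assumption: "@S:R=13:1" is filter set 13, rule 1.
FILTER_RE = re.compile(
    r"\[FILTER\]\[(?P<action>\w+)\]"
    r"\[(?P<direction>[^,\]]+),[^\]]*\]"
    r"\[@S:R=(?P<set>\d+):(?P<rule>\d+),\s*"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]"
    r"(?:\[(?P<detail>[^\]]*)\])?"
)

def parse_filter_line(line):
    """Return the fields of a [FILTER] syslog line as a dict, or None."""
    m = FILTER_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "HLen=20, TLen=40, Flag=S, ..." becomes {"HLen": "20", "Flag": "S", ...}
    detail = rec.pop("detail") or ""
    rec["detail"] = dict(kv.split("=", 1) for kv in detail.split(", ") if "=" in kv)
    return rec

def passed_inbound_syns(lines):
    """Count passed WAN-originated TCP SYNs per (set:rule, destination port)."""
    hits = Counter()
    for line in lines:
        rec = parse_filter_line(line)
        if (rec and rec["action"] == "Pass" and rec["proto"] == "TCP"
                and rec["direction"].startswith("WAN->")
                and rec["detail"].get("Flag") == "S"):
            hits[(f'{rec["set"]}:{rec["rule"]}', int(rec["dport"]))] += 1
    return hits

TAIL = "[TCP][HLen=20, TLen=40, Flag=S, Seq=1094424458, Ack=0, Win=65535]"
SAMPLE = [
    # Line 1 is the one quoted in the thread; the others are constructed.
    "DrayTek: [FILTER][Pass][WAN->LAN/RT/VPN, 19:08:03 ][@S:R=13:1, 103.102.230.4:35525->x.x.x.x:8728]" + TAIL,
    "DrayTek: [FILTER][Pass][WAN->LAN/RT/VPN, 19:08:41 ][@S:R=13:1, 198.51.100.7:40112->x.x.x.x:8728]" + TAIL,
    "DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 19:09:10 ][@S:R=2:7, 203.0.113.9:51000->x.x.x.x:23]" + TAIL,
    "a syslog line that is not a filter record",
]

if __name__ == "__main__":
    for (rule, port), n in passed_inbound_syns(SAMPLE).items():
        print(f"rule {rule} passed {n} inbound SYN(s) to port {port}")
```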