After lots of trial and error I have discovered that the when using the service filter to block WAN access to a port by everyone other than a specific IP address , the filter only applies to resolved ports not inital ports (when port redirection is used).

e.g. I have a PC behind the firewall that I need access to port 22 via the WAN. I want to use port 60000 to access it. So I use port redirection and redirect port 60000 to port 22 of PC on the LAN. Everything works fine up to this point. But I want to be more secure.

I will only need to access my LAN PC from a small range of IP addresses on the WAN.

So I add to Firewall > Filter Setup > Set 2 > Filter Rule 2 (new), the inverse of my source IP's. Again up to this point all work OK. But as expected I have now shut out access to all other WAN IP's to other ports on the router, so I now add a service type to the same rule.

This is where the bug/error is, if I add service port 60000 to the rule it doesn't work. but if I add service port 22 (the resolved port) it does work.

It seems the filter is applied after the port redirection which is unusual/problematic as filters on port access from WAN are applied to the landing port, not the resolved port. This has wasted several hours of my time to work out what was wrong.

Does anyone know how can we get this fixed? Or if it can't be fixed the literature should at least clearly state that the filter is applied after port redirection and thefore the ports need to be the resolved ports not the landing ports.

Thanks