DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2820n - howto setup a NAS on LAN for selective FTP Access

13 Aug 2009 18:29 #1 by simoncog
Hi,

Is it possible to selectively allow FTP access to an internal IP - i.e. only from a handful of external hosts?

If I set up open ports or forwarding to the LAN IP of the NAS, source traffic isn't filtered.

(In filtering I've added a block all FTP traffic after a rule allowing only a group IP object containing the external hosts - I've included this in both the call and data filters set by default...)

Thanks,
Simon

17 Sep 2009 22:28 #2 by spudster
Hi, I use this for selective access to my NAS's FTP/management GUI etc.

How can I configure my Vigor to only allow specific IP Address(es) on the Internet access to a Server running on my LAN ?

First you need to allow the incoming traffic through the NAT of your Vigor. Configure Open Ports.

Next you need to set up IP Filters, firstly to Block the Open Port you have just created above and then to Pass the specific IP Address(es) you want to allow. In the Default Data Filter (Set #2) of your Vigor go into Filter #2 (ignore the first default rule) and set up the following Block Filter:

Enable and Name the Filter
Block If No Further Match
Direction IN
Protocol
Source any
Destination
Destination Start Port

Hit OK and the Vigor is now passing the incoming traffic through NAT, but Blocking it by the above Filter. In Filter #3 set up the following:

Pass rule:
Enable and Name the Filter
Pass Immediately
Direction IN
Protocol
Source
Destination IP
Destination Start Port

Click OK. This Pass Filter will now Pass incoming traffic from the Trusted User on the Internet to the internal Server on the required Port.
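
A simplified model of the rule ordering described in the post above, added here as an example (it is not DrayTek firmware logic and not part of the original thread). The addresses, FTP control port 21 and the default-pass verdict are assumptions; it shows why "Block If No Further Match" followed by "Pass Immediately" yields an allowlist, and how a terminal block rule placed first would shut out the trusted host too.

```python
import ipaddress
from dataclasses import dataclass

NAS = "192.168.1.50"          # constructed LAN address of the NAS
TRUSTED = "203.0.113.10/32"   # constructed trusted external host

@dataclass
class Rule:
    name: str
    action: str   # one of the four Vigor filter actions, lower-cased
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: int    # destination start port (single port in this model)
    proto: str = "tcp"

def ip_in(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, src, dst, dport, proto="tcp", default="pass"):
    """Return 'pass' or 'block' for one inbound packet (Direction IN only)."""
    verdict = default                      # assumed verdict when nothing matches
    for r in rules:
        if (r.proto, r.dport) != (proto, dport):
            continue
        if not (ip_in(r.src, src) and ip_in(r.dst, dst)):
            continue
        if r.action.endswith("immediately"):
            return r.action.split()[0]     # final verdict, stop evaluating
        verdict = r.action.split()[0]      # "... if no further match": provisional
    return verdict

# Filter #2 and Filter #3 as described in the post, for FTP control port 21.
allowlist = [
    Rule("block-ftp", "block if no further match", "any", NAS + "/32", 21),
    Rule("pass-trusted", "pass immediately", TRUSTED, NAS + "/32", 21),
]
# Misconfiguration: a terminal block ahead of the pass rule shuts out everyone.
broken = [
    Rule("block-ftp", "block immediately", "any", NAS + "/32", 21),
    allowlist[1],
]

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7"):
        print(src, evaluate(allowlist, src, NAS, 21), evaluate(broken, src, NAS, 21))
```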

17 Sep 2009 23:01 #3 by simoncog
I'm still able to access from other IP when I do this [any IP with just the block in place and no whitelist IP object active] - it seems to me that opening a port bypasses filtering altogether.
