DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2762 - Many problems with new router

04 Jan 2020 14:54 #7 by andrue
Jonathan,

If I were to use the DMZ strategy would I have to create a 'block all' rule for the server? Or would checking the IPv4 option on the firewall page for 'Block routing connections initiated from WAN' have that effect?


04 Jan 2020 15:24 #8 by 36bits
According to the router's 'Firewall->General Setup' page the firewall filters are applied in the following order: 1. Data Filter Sets and Rules, 2. Block routing connections initiated from WAN, 3. Default Rule.

I have both 'Block routing connections initiated from WAN' checked for IPv4 and IPv6 and a firewall default rule - Firewall->General Setup->Default Rule - of 'block'. The difference between the two is that the former applies to routed traffic and the latter to NATed traffic - that's my understanding anyway.

Filter sets and rules are applied prior to these and allow inbound traffic as required.

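To make the ordering in the reply above concrete, here is an added Python model (not DrayOS code, not from either poster) that walks a WAN-inbound packet through the three stages in the order quoted from 'Firewall->General Setup'. It follows 36bits's stated understanding that stage 2 applies to routed traffic and the default rule to NATed traffic; the packet and rule fields, the first-match semantics, and the sample addresses (documentation ranges) are assumptions for illustration.

```python
"""Model of the firewall evaluation order quoted from 'Firewall->General Setup':
(1) data filter sets and rules, (2) block routing connections initiated from
WAN, (3) default rule. Added illustration; fields, first-match semantics and
sample addresses are simplifying assumptions, not DrayOS behaviour."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR network, or "any" (assumed to match either family here)
    dst: str
    proto: str           # "tcp", "udp", "icmp" (v4) or "icmpv6"
    port: Optional[int]  # None for protocols without ports
    action: str          # "pass" or "block"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: Optional[int]
    routed: bool         # True: routed (public) LAN address; False: reached via NAT


def _in_net(addr: str, net: str) -> bool:
    if net == "any":
        return True
    # ip_network.__contains__ returns False for a mismatched address family
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    return _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)


def evaluate_wan_inbound(pkt: Packet, filters: list[Rule],
                         block_routed_from_wan: dict[int, bool],
                         default_rule: str) -> tuple[str, str]:
    """Return (decision, stage) for a packet arriving from the WAN."""
    for rule in filters:                       # stage 1: data filter sets and rules
        if rule_matches(rule, pkt):
            return rule.action, "filter"
    version = ipaddress.ip_address(pkt.dst).version
    if pkt.routed and block_routed_from_wan.get(version, False):
        return "block", "block-routing-from-wan"   # stage 2: routed traffic only
    return default_rule, "default"                 # stage 3: what is left (NATed here)


# Constructed sample configuration (documentation addresses, not real hosts)
MAIL_V6 = "2001:db8:0:1::25"
FILTERS = [
    Rule("any", MAIL_V6 + "/128", "tcp", 25, "pass"),       # SMTP to the mail server
    Rule("any", MAIL_V6 + "/128", "icmpv6", None, "pass"),  # ping6 for monitoring
]
# The mistake the later post warns about: 'ICMP' (v4) chosen instead of 'ICMP v6'
WRONG_FILTERS = [Rule("any", MAIL_V6 + "/128", "icmp", None, "pass")]
BLOCK_ROUTED = {4: True, 6: True}   # both 'Block routing connections initiated from WAN' boxes ticked
DEFAULT_RULE = "block"


def demo() -> dict[str, tuple[str, str]]:
    wan6 = "2001:db8:ffff::9"
    cases = {
        "smtp_to_mail":  (Packet(wan6, MAIL_V6, "tcp", 25, routed=True), FILTERS),
        "ssh_to_mail":   (Packet(wan6, MAIL_V6, "tcp", 22, routed=True), FILTERS),
        "ping6_to_mail": (Packet(wan6, MAIL_V6, "icmpv6", None, routed=True), FILTERS),
        "ping6_with_icmp_rule": (Packet(wan6, MAIL_V6, "icmpv6", None, routed=True), WRONG_FILTERS),
        "nated_https":   (Packet("203.0.113.5", "192.168.1.10", "tcp", 443, routed=False), FILTERS),
    }
    return {name: evaluate_wan_inbound(p, f, BLOCK_ROUTED, DEFAULT_RULE)
            for name, (p, f) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The 'ping6_with_icmp_rule' case shows why the rule never matches when the wrong ICMP family is selected: stage 1 finds nothing, so the packet falls through to stage 2 and is blocked as a routed connection from the WAN.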

04 Jan 2020 15:31 #9 by andrue
Thank you for that, it makes sense. I'll have another go at this tomorrow but in the meantime I've also pinged DrayTek support. I'd just not expected this amount of hassle on something so trivial and I haven't even got round to looking at why the IPv6 rules aren't working yet.


04 Jan 2020 15:55 #10 by andrue
Yay! Progress has been made.

At least on the IPv4 front and with luck it'll work with IPv6. The problem was the change of gateway address. My old router is at .254, whereas this is at .1.


04 Jan 2020 20:43 #11 by andrue
Fundamentally the problem was the result of my server using a static IP address. This meant that a number of values needed to be manually changed to work with the new router. So what I eventually changed was:

* Change the default gateway on IPv4 and IPv6.
* Change the DNS servers for IPv4 and IPv6.
* Create an IPv6 object for the mail server, specifying its IPv6 address.
* Create another IPv6 object specifying 'Any address'. This might be optional but it's what I've done and it works. My guess is that simply using the 'Any address' option on the filter rather than the object means any IPv4 address.
* When creating a filter select 'Group or object' as the source/destination type.
* Create filters for 'Any address' object -> 'mail server' object for each required port.
* I also wanted a ping to my server for monitoring so I needed another filter specifying 'ICMP v6' as the service (NB: don't pick ICMP as that's IPv4).
* Move the management UI ports out of the way.
* Update the server's IPv6 address as it had changed. This had me scratching my head for a long time. Just one digit had changed (:0: became :1:). I'm not entirely sure what this means but I think it's the IPv6 equivalent of 10.* v. 192. on IPv4. So the server is now on a different network.
* Ask domain provider to update MX, AAAA and SPF records.

A lot of this could have been avoided if I'd changed the router's address to .254 and presumably somewhere there's a way of telling the router what IPv6 network to use. I think that might be the routing prefix and might be changeable in LAN\General\IPv6\ but I don't really know. Mind you, some of the stress could have been avoided with better documentation and I suspect better error checking when setting up filters. For example it shouldn't be possible to create a filter that mixes IPv4 and IPv6 addresses nor an IPv6 filter for ICMP v4 packets.

Major gotcha: IPv6 and IPv4 will work to an extent even if one or more values are incorrect. Windows will sometimes report 'No internet access' but other times Windows will claim everything is tickety boo when it isn't. Sometimes only restarting a machine will reconfigure the network.

Anyway it's all working now. The only issue remaining is that ICMP responses have high latency.
[graph: Router ICMP]

[graph: Server ICMP]

Can't really complain about that since ICMP should always be low priority but it seems odd. It's not like I'm streaming at the moment and my previous router, as can be seen on those graphs, typically responded to/passed through ICMP packets pretty quickly.

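Two of the pitfalls in the post above lend themselves to a quick check before touching the router: whether a changed IPv6 address actually puts the server on a different prefix (the ':0:' to ':1:' change), and whether a filter mixes address families or pairs ICMP (v4) with IPv6 objects, which the poster notes the UI does not stop. The following is an added Python example, not DrayTek code or the poster's own; the /64 prefix length, the name-to-network object table and the service-to-family table are assumptions made for illustration.

```python
"""Pre-flight checks for a static-address server behind a new router: prefix
change detection and address-family consistency of filter rules. Added
illustration only; /64, the OBJECTS table and SERVICE_FAMILY are assumptions."""
import ipaddress


def same_routing_prefix(old: str, new: str, prefixlen: int = 64) -> bool:
    """True if both addresses fall in the same prefix (assumed /64 for IPv6).
    A change inside the first 64 bits means the host moved to another network."""
    old_net = ipaddress.ip_network(f"{old}/{prefixlen}", strict=False)
    new_net = ipaddress.ip_network(f"{new}/{prefixlen}", strict=False)
    return old_net == new_net


# Hypothetical address objects: name -> network (documentation ranges)
OBJECTS = {
    "any-v4":      ipaddress.ip_network("0.0.0.0/0"),
    "any-v6":      ipaddress.ip_network("::/0"),
    "mail-server": ipaddress.ip_network("2001:db8:0:1::25/128"),
}

# Services bound to one address family; tcp/udp are family-neutral
SERVICE_FAMILY = {"icmp": 4, "icmpv6": 6}


def validate_filter(src_obj: str, dst_obj: str, service: str) -> list[str]:
    """Return the list of consistency problems; an empty list means the rule is sane."""
    problems: list[str] = []
    src_ver = OBJECTS[src_obj].version
    dst_ver = OBJECTS[dst_obj].version
    if src_ver != dst_ver:
        problems.append(f"source object is IPv{src_ver} but destination object is IPv{dst_ver}")
    svc_ver = SERVICE_FAMILY.get(service.lower())
    if svc_ver is not None and svc_ver != dst_ver:
        problems.append(f"service '{service}' is IPv{svc_ver}-only but destination object is IPv{dst_ver}")
    return problems


if __name__ == "__main__":
    # Constructed before/after addresses mirroring the ':0:' -> ':1:' change
    print("same prefix:", same_routing_prefix("2001:db8:0:0::25", "2001:db8:0:1::25"))
    for rule in [("any-v6", "mail-server", "tcp"),
                 ("any-v6", "mail-server", "icmp"),
                 ("any-v4", "mail-server", "tcp")]:
        print(rule, "->", validate_filter(*rule) or "ok")
```

Running the checks on the router's own 'Any address' option is not possible from the outside, which is why the example models 'Any address' as explicit per-family objects, in line with the poster's workaround of creating an IPv6 'Any address' object.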