DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 3910 Firewall blocking external FTP

20 Jan 2021 20:21 #1 by the pit
I'm probably missing something. I want to block FTP from external sources from accessing or trying to access an internal server.
On the server itself I told it to only accept IP addresses on the internal network.
Anyway, I decided to also see if I can block access via DrayTek's firewall, so followed these instructions https://www.draytek.com/support/knowledge-base/5204 except setting for WAN rather than LAN.
Set up and then tested externally, and the FTP client said connected on port 21, awaiting response, and then failed.
The firewall log didn't log anything even though it's supposed to, and I could see the connection coming in on the syslog.
Checking the logs on the server only shows connections on the local LAN and none rejected. So that suggests it is being blocked, but the message saying connected on port 21 says it isn't.

21 Jan 2021 01:07 #2 by hornbyp
Just checking - you have an FTP Server on your LAN and don't want any access to it from the outside world. Is that correct?

If so, you don't need to do anything. (In the absence of Port Redirection, Open Ports or a DMZ host the only data allowed in, is in response to stuff that went out.)

(The connection you made is probably to the FTP Server in the Vigor 3910. I'm not familiar with the 3910, but other Vigors tend to respond even when disabled. Assuming it's not enabled, change its port to something other than 21 and see if that stops the connection message.)

13 Feb 2021 10:22 #3 by the pit
Yeah, I have an FTP server on the LAN and I was logging in via the hostname so the DrayTek shouldn't respond to that.
I guess I could telnet and see what response I get.

14 Feb 2021 01:40 #4 by hornbyp

The PIT wrote:
I was logging in via the hostname so the draytek shouldn't respond to that.


By the time the IP packets make it to the Vigor, it has no idea what hostname you used to send them...it would just respond to the contents (if it was feeling that way inclined - which given that it has an internal (optional) FTP server, it might be!)
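
The gap between "connected on port 21" and an FTP service actually answering, which posts #1, #2 and #4 circle around, can be checked directly. The following is an added example, not part of the original thread: the function name `probe_ftp` and the demo listener are hypothetical, and it is meant to be run from outside against your own WAN address.

```python
import socket

# RFC 959 greeting codes a real FTP server sends right after the TCP connect.
FTP_GREETING_CODES = ("120", "220", "421")

def probe_ftp(host, port=21, timeout=3.0):
    """Classify what answers on host:port. Returns (state, first_line_or_None)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)        # RST came back: nothing is listening
    except socket.timeout:
        return ("filtered", None)       # SYN silently dropped
    except OSError:
        return ("unreachable", None)
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            # TCP handshake completed, but no FTP greeting followed. This is
            # what a client reports as "connected ... awaiting response".
            return ("connected-no-banner", None)
        except ConnectionResetError:
            return ("reset-after-connect", None)
    if not data:
        return ("closed-after-connect", None)
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    # The greeting text usually names the software, which shows whether the
    # router's own FTP service or the LAN server produced the reply.
    state = "ftp-greeting" if line[:3] in FTP_GREETING_CODES else "non-ftp-data"
    return (state, line)

if __name__ == "__main__":
    # Constructed demo: a local listener that completes the handshake but
    # never sends a greeting, so the script runs without touching a network.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    print(probe_ftp("127.0.0.1", listener.getsockname()[1], timeout=1.0))
    listener.close()
```

A `connected-no-banner` result only shows that some device completed the handshake on that port; it does not show that the LAN server was reached, so compare it with the server's own connection log as in post #1.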