Create rule on Draytek 2800 ADSL router for incoming FTP traffic


I have an ADSL Draytek 2800 router on a site; the customer has SBS 2003 hanging off this with a small domain. BulletProof FTP is running on the server. Currently a port rule is in place so incoming TCP port 25 traffic hits that server; however, I've noticed someone is brute-force attacking it, trying to guess usernames / passwords.

The main data we need to come in is only coming from one IP (the webserver). I would like to create a rule that will ONLY allow port 25 TCP traffic through to the SBS server IF it comes from IP address X.

That way everyone else can run port scans and won't get a reply on that port, thus stopping people trying to attack it.

Anybody know how / the best way to set up the rule on the 2800 Draytek?

Please advise,

Andrew Lee, Managing Director, asked:

Well, first, choosing port 25 for FTP is kind of a bad idea. Port 25 is the well-known port for SMTP (email) traffic. So if somebody does scan you, they are going to assume it is SMTP.

The problem with FTP (and why it is normally best to use the well-known port 21) is that FTP actually uses two connections and thus two ports: one for the command/control connection and one for the actual data transfer. And to confuse the matter more, there are two types of data transfer connections: active and passive.

When doing active FTP data transfers the server actually becomes the client for the data transfer. The server initiates an outbound connection from port 20 to a random port on the client. The client told the server what port to connect to in the PORT command.

When doing passive data transfers the client will initiate the data transfer connection to the server. The server tells the client what port to connect back to it with in the reply to the PASV command.

Normally firewalls watch all traffic on port 21, look for PORT and PASV commands, and dynamically allow that traffic through.

Now, reading the V3.0 user's guide, you can set up firewall rules where you can define specific IP addresses (both source and destination) for both WAN to LAN and LAN to WAN traffic. What you should be able to do is set up a firewall rule for WAN to LAN and specify the source IP address for the traffic you want to allow inbound for FTP.
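To make the two-connection behaviour concrete, here is an added example (not code from the original thread) of what a stateful firewall does when it "watches" the control channel: it parses the PORT command or the 227 PASV reply to derive the data-channel address and port, and only opens a pinhole when the announced address matches the peer it already knows. The sample lines, addresses and the `data_channel_rule` helper are constructed for illustration.

```python
import re

# Constructed sample FTP control-channel lines (not from the original post):
# an active-mode PORT command from the client and a passive-mode 227 reply
# from the server. The port is encoded as two bytes: high * 256 + low.
SAMPLE_PORT_CMD = "PORT 192,0,2,10,4,1"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # every field must fit in one byte
    port = p1 * 256 + p2
    if port < 1024:
        return None  # data ports are ephemeral; refuse privileged ports
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_channel_rule(line, peer_ip, server_ip="203.0.113.5"):
    """Describe the temporary rule a stateful firewall would open for this
    command (hypothetical helper). The announced address must match the
    control-channel peer; otherwise the data connection would be steered to
    a third host and no pinhole is opened."""
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    if line.upper().startswith("PORT"):
        if ip != peer_ip:
            return None
        return {"direction": "LAN>WAN", "src": server_ip, "src_port": 20,
                "dst": ip, "dst_port": port}
    if line.startswith("227"):
        if ip != server_ip:
            return None
        return {"direction": "WAN>LAN", "src": peer_ip, "dst": ip,
                "dst_port": port}
    return None
```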
Please have a look at the link below:

Please implement and update.

Thank you.
Oops, posted in the wrong window; please excuse.
The simple way below is for setting up a single remote server to have access through the FTP rule.

Ensure port 25 is redirected (giltjr is correct, and you may wish to change this to port 21) by going to
NAT > Port Redirection and configuring a rule here with the correct ports and LAN IPs.
Once this is done, go to
once this is done go to

Firewall > Filter Setup
You probably only have a default data filter set up (default configuration) at the moment, so select this (Set 2).
Select the first available rule.

Tick the 'enable rule' box at the top and give it a title of "allow ftp".
Set the direction to WAN > LAN.
Change the source IP so that it is the public IP of the remote server, i.e.
Destination: set this to the local FTP server's IP address that the FTP rule points to.
Service type: set this to use from any port to a destination port of 25, or at least the same as the destination port rule in your NAT config.
Set the filter type to 'allow immediately'.

Then press OK.
Now click the next free rule line.
Tick the 'enable rule' box at the top and then give it a title of "block ftp".
Set the direction to WAN > LAN.
Ensure the source IP is set to 'ANY'.
Destination: set this to the local FTP server's IP address that the FTP rule points to.
Service type: set this to use from any port to a destination port of 25, or at least the same as the destination port rule in your NAT config.
Set the filter type to 'block immediately'.

Firewall > General
Ensure Data Filter is enabled and the 'start filter set' is set to Set 2.

This will block all traffic going to port 25 that isn't coming from the allowed host.

This guide is based on a 2800 series running firmware 3.3.3 but should work on others; if not, upgrade the firmware. It's quick, easy and better than the old firmware. You can get it from
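The two filter lines above only work because the router evaluates them in order and stops at the first match: the specific "allow" must come before the catch-all "block". The following added example (not the router's own code or anything from the original thread) models that first-match evaluation and includes a small lint that flags an allow rule shadowed by an earlier block. The addresses are constructed, port 21 is used since the asker later corrected 25 to 21, and the pass-through default when nothing matches is an assumption about the router, not something the thread states.

```python
# Constructed values (not from the original post): the remote web server's
# public address, the internal FTP server, and the FTP control port.
ALLOWED_SOURCE = "198.51.100.20"
FTP_SERVER = "192.168.1.10"
FTP_PORT = 21

# Each entry mirrors one Draytek filter line: direction, source, destination,
# destination port and action. "any" matches everything. First match wins.
FILTER_SET_2 = [
    {"title": "allow ftp", "direction": "WAN>LAN", "src": ALLOWED_SOURCE,
     "dst": FTP_SERVER, "dst_port": FTP_PORT, "action": "allow"},
    {"title": "block ftp", "direction": "WAN>LAN", "src": "any",
     "dst": FTP_SERVER, "dst_port": FTP_PORT, "action": "block"},
]


def _matches(rule, direction, src, dst, dst_port):
    return (rule["direction"] == direction
            and rule["src"] in ("any", src)
            and rule["dst"] in ("any", dst)
            and rule["dst_port"] in ("any", dst_port))


def evaluate(rules, direction, src, dst, dst_port, default="allow"):
    """Return (action, rule title) for the first matching rule, else the
    default. Pass-through when nothing matches is an assumed default."""
    for rule in rules:
        if _matches(rule, direction, src, dst, dst_port):
            return rule["action"], rule["title"]
    return default, "no match"


def lint_ordering(rules):
    """Flag allow rules placed after a broader block on the same destination
    and port; with first-match evaluation such an allow rule never fires."""
    problems = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        for earlier in rules[:i]:
            if (earlier["action"] == "block" and earlier["src"] == "any"
                    and earlier["dst"] == rule["dst"]
                    and earlier["dst_port"] == rule["dst_port"]):
                problems.append(f"'{rule['title']}' is shadowed by '{earlier['title']}'")
    return problems
```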


Andrew Lee, Managing Director (author), commented:
Hey guys, sorry, typo on my part: I meant port 21, not 25!

Will review the comments above and come back to you, thank you!