Hardware : RB2011UAS-2HnD
OS: ROS 6.0 & 6.1

Scenario:

use-ip-firewall set to "no":

1. A firewall address-list named "ISP" is created to store the WAN IP (ip address: A) 2. A bridge is created in LAN side with member ports.
3. A FTP server (ip address: B) is hosted on LAN
4. A DNAT firewall rule is created to NAT the destination address from A to B for all connection. (A corresponding Hairpin NAT is created for completing the loopback NAT for LAN to A:21)

5. Another PC (say ip address C) inside LAN access to A:21 successful. View the firewall statistic, the two related firewall rules do have hit.

However, the DNAT firewall rule don't work if "user-ip-firewall" set to yes... (WAN to LAN DNAT still works)
Findings:
a. the firewall rule as specified in 4 do have hit, but the hairpin firewall rule don't record any hit. I replace the hairpin rule with the following relaxed rule, no hit was recorded too. b. from the built-in packet sniffer, router do receive the FTP sync packet (C to A:21), but no packet is transmitted from router afterwards, the router seems drops the packet.[/color]

I suspect there might be a software bug in the bridging firewall which cannot re-transmit the packet back to the LAN bridge after DNAT the packet from bridge.

Anyone could help to solve this issue? Or is there anything I missed in the setup? Thanks in advance!

Same in 6.2.

Hairpin works only if use-ip-firewall=no in bridge settings.

There were changes in packet flow in ROS 6.

Returned to 5.25. - All works as desired.


Please, FIX THIS IN 6...

tawh please generate support output file and send it to support so we can see the exact configuration. Additional network diagram of what comes in from where and on what port exactly would be nice addition (or description)