New Member
Posts: 5
Registered: 05-09-2017

Firewall Outbound Port Blocked

What am I missing here? If I change the default action to allow then port 9000 works, but with the current config it does not.

I would prefer to have WAN_OUT drop/reject traffic unless there's an exception rule, but I could have the default action allow and turn on the BlockedOutbound Ports group (if I could get the rule working properly), so please discuss both scenarios. Rebooted my ERX last night (after installing the latest firmware) for the first time in over 6 months. I prefer the set-it-and-forget-it method, but I log in to Traffic Analysis and Dashboard almost daily.



Regular Member
Posts: 701
Registered: 01-26-2015
Kudos: 185
Solutions: 65

Re: Firewall Outbound Port Blocked

Well, your naming is quite weird and kind of mixed up. An outbound port is an outgoing port, and you use it as an incoming port (like in WAN_IN). So maybe you are mixing up destination/source and thus it doesn't work as expected.



name WAN_OUT {
    default-action drop
    description ""
    rule 1 {
        action accept
        destination {
            group {
                port-group OutboundPortAllow
            }
        }
        log enable
        protocol tcp_udp
        source {
            group {
            }
        }
    }
}
This will let traffic pass if the destination port matches one of the ports in the OutboundPortAllow list. It means if you try to connect to somewhere:9000 <-- this is the destination port at the target server and will trigger the accept rule. The source port at the ER where the reply is sent to is usually random (something above 49000), and WAN_IN will allow the reply as established/related.


However, you use the same port list in your WAN_IN ruleset as well, which means the port 9000 would be on the ER's side and not the remote server's side. So this might be your fault, as you probably mixed up source/destination ports for incoming/outgoing connections.

How exactly are you testing whether the firewall works or not? Do you open a connection from your laptop to "somewhere:9000" or do you open a connection from somewhere else to your ER:9000?
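To make the source/destination point above concrete, here is an added example (not from this thread or from EdgeOS) that models first-match rule evaluation with a simplified conntrack state. The port group name is the thread's; the WAN_IN ruleset with the same group on the destination side is an assumption reflecting what the reply suspects the original poster has configured.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_port: int
    dst_port: int
    state: str = "new"          # simplified conntrack state: "new" or "established"

@dataclass
class Rule:
    action: str                 # "accept" or "drop"
    dst_group: Optional[str] = None
    src_group: Optional[str] = None
    state: Optional[str] = None

@dataclass
class Ruleset:
    rules: list
    default_action: str = "drop"

# Constructed port group using the thread's name.
PORT_GROUPS = {"OutboundPortAllow": {9000}}

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst_group and pkt.dst_port not in PORT_GROUPS[rule.dst_group]:
        return False
    if rule.src_group and pkt.src_port not in PORT_GROUPS[rule.src_group]:
        return False
    return not rule.state or pkt.state == rule.state

def evaluate(ruleset: Ruleset, pkt: Packet) -> str:
    """First matching rule wins (EdgeOS order); otherwise the default action."""
    for rule in ruleset.rules:
        if rule_matches(rule, pkt):
            return rule.action
    return ruleset.default_action

# WAN_OUT as the reply describes: default drop, accept by *destination* port group.
WAN_OUT_CORRECT = Ruleset([Rule("accept", dst_group="OutboundPortAllow")])
# The suspected mix-up: same group on the *source* side; an outbound connection
# leaves on a random high source port, so this rule never matches it.
WAN_OUT_MIXED = Ruleset([Rule("accept", src_group="OutboundPortAllow")])
# WAN_IN (assumed): established/related first, then the same port group, which
# would also admit unsolicited new connections to the ER itself on port 9000.
WAN_IN = Ruleset([Rule("accept", state="established"),
                  Rule("accept", dst_group="OutboundPortAllow")])

def scenario() -> dict:
    out = Packet(src_port=51234, dst_port=9000)           # laptop -> somewhere:9000
    reply = Packet(src_port=9000, dst_port=51234, state="established")
    unsolicited = Packet(src_port=40000, dst_port=9000)   # internet -> ER:9000
    return {"outbound_correct": evaluate(WAN_OUT_CORRECT, out),
            "outbound_mixed": evaluate(WAN_OUT_MIXED, out),
            "reply": evaluate(WAN_IN, reply),
            "unsolicited_inbound": evaluate(WAN_IN, unsolicited)}
```

The "outbound_mixed" result reproduces the symptom in the question (port 9000 only works once the default action is allow), and "unsolicited_inbound" shows why the port group does not belong in WAN_IN.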