Is this possible? I ask because I can't make this work in the Forward or Dstnat chain rules, but it works GREAT on the Input chain.
For example, I have a port knock scenario that adds an IP to an Address List named "Safe".
On the Input chain firewall rule for router access I reference the list "Safe" (under Advanced -> Src. Address List) and it works great! It will deny access to the router unless the source IP is on the "Safe" list.
However, when I try adding my "Safe" list into the Forward chain or Dstnat rules, I lose connectivity to the server behind the firewall, and I have verified the IP I'm using is on the "Safe" list. Removing the "Safe" list from the filter rule restores access to the server.
Any ideas why that is happening? I'm trying to avoid VPN access for a certain reason.
Thanks in advance.