From Orange to Green. Crapping out my mind

A not-yet-NethServer, Linux-based firewall has been serving a little office for several years. After three hardware incarnations, it now has… 5 NICs (one does not work, but whatever), and a little group of devices were put into an Orange zone.
Currently there are:
NIC1: current internet connection
NIC2: future internet connection
NIC3: wireless/blue segment
NIC4: orange segment (the constrained zone)
NIC5: green LAN, the one, the only, the supreeeem…

Ok, I’ll stop the coffee overdose, sorry.

So:
Orange to internet: great.
Green to internet: great.
Blue to internet: great.
Green to Orange (some devices need to be reached, among them printers): OK; Windows can reach the printers and receive status back.

FTP from Orange to Green :stop_sign: What on earth? :thinking: :thinking: :thinking:
The basic inter-zone firewall does not explicitly allow communication from Orange to Green. That's fine.
But there's a nice little rule, on top of all the others, from the IP of the device (no ports specified) to the IP and port of the FTP server that tells you "dude, you can go". Ports 20 and 21, TCP+UDP.
FileZilla Server on Windows doesn't even receive a connection, and it works like a charm from Green.
Windows Firewall allows NAT-traversal access to the service (explicitly on the executable).
No meaningful log on the firewall.

I also tried to NAT the FTP server from the firewall to the server. I used that trick a few years ago from the RED interface to dump data recovered from a not-so-dead thumb drive, and it worked flawlessly.

What on earth am I doing wrong? What am I missing?

You're missing, dumbass, that the firewall rules of the destination OS should match the right .exe file!

Yep…
The firewall distro, as requested, was forwarding the packets. The OS was also forwarding the packets, but to a missing .exe file for the service.
After a small:
- firewall rule correction
- service restart
- test
I was so much happier. The device was too; now it can finally deliver the scans!

Dumb Me!
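An added check that is not part of the original post: the Windows Firewall rule was bound to an executable path that no longer existed, and Windows gives no warning when that happens; the rule simply never matches, so the listener never sees the SYN. The PowerShell below is my example, not the author's. It assumes the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) and an elevated prompt; the FileZilla path in the usage note is an assumption, not a path from the post.

```powershell
# Added example (not from the original post): find Windows Firewall rules whose
# application filter points at an executable that does not exist on disk.
# Assumes the NetSecurity module (Get-NetFirewallRule etc.) is available.
function Get-FirewallRulesWithMissingProgram {
    [CmdletBinding()]
    param(
        # By default only enabled rules are inspected; pass -IncludeDisabled for all.
        [switch]$IncludeDisabled
    )

    $rules = Get-NetFirewallRule -ErrorAction Stop
    if (-not $IncludeDisabled) {
        $rules = $rules | Where-Object { $_.Enabled -eq 'True' }
    }

    foreach ($rule in $rules) {
        # Each rule carries an application filter; Program is the bound .exe path.
        $appFilter = $rule | Get-NetFirewallApplicationFilter
        $program   = $appFilter.Program

        # 'Any' and 'System' are not file paths; skip them.
        if ([string]::IsNullOrEmpty($program) -or $program -in @('Any', 'System')) { continue }

        # Rules often store %ProgramFiles%-style paths; expand before testing.
        $resolved = [Environment]::ExpandEnvironmentVariables($program)

        if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Direction   = $rule.Direction
                Action      = $rule.Action
                Profile     = $rule.Profile
                Program     = $program
                Resolved    = $resolved
            }
        }
    }
}

# Usage (elevated PowerShell on the FTP server):
#   Get-FirewallRulesWithMissingProgram | Format-Table -AutoSize
#
# Repair a rule found this way by re-pointing it at the real binary
# (the path below is an assumption; use whatever the service actually runs):
#   Set-NetFirewallRule -Name '<rule name>' -Program 'C:\Program Files\FileZilla Server\filezilla-server.exe'
#
# Then restart the service and confirm something is actually listening on 21:
#   Get-NetTCPConnection -LocalPort 21 -State Listen
```

The check is worth running after any reinstall or upgrade that moves a service's binary: an "allow" rule that points at a stale path is indistinguishable, from the outside, from no rule at all, which is exactly why the firewall distro showed nothing useful in its logs.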
