The IP in the WAN-139 group is a public IP. it’s just using 139 as that’s the last octet of the public IP.
the WAN-* all 3 contain one public IP. The DNAT rule is the only one that references the private IPs in the “translation address” section of the DNAT rule. Otherwise, the firewall rule only references the public IP that was the destination, and the port(s).
The only explicit drop is in the default action for this firewall. Otherwise, all rules exist only to allow.
So, it still makes no sense. Especially the logs being empty. Because I’m definitely getting to that address. I’m wondering if there’s something in there that is separate that’s stopping it before that rule is triggered. Which is pretty much what you just said, but the only rule before 1801 is the default deny, that isn’t even in a numbered rule, just the default action.
But, I’m still very lost. I get how it’s supposed to work, but I can’t seem to get my head around the config to get there, or why the rules aren’t even being hit. Or, if the rules are getting triggered, but there’s another reason they aren’t allowing the traffic and the firewall logging is broken… I’m grasping at straws…