23.05 dnsmasq, ipsets and mwan3 incompatibility?

Add to the wiki now.

Just wondered if you considered moving this into a gist? You can embed gists on the community forum platform, along with the fact that, for easy installation, this can be used as a wget target to automatically download and place it on an OpenWrt router?

Thanks for updating the Wiki. I see the update toward the top in reference to 23.05. It might be a good idea to update the text in the ipset section as well.

As already noted on the GitHub issue, there is now also a Gist available:

Installation with it is now as easy as:

wget -O/etc/init.d/nft2ipset https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab/raw/
chmod +x /etc/init.d/nft2ipset
service nft2ipset enable
service nft2ipset start

@jmccabe06 Thanks for spotting that. Also added the warning banner alongside the gist update.

@Kishi Gist version now published on the wiki as well.

Thank you so much. Just implemented today.
It works for me, finally!!
Just noticed that it is necessary to set the ipset family to ipv4+ipv6; otherwise, if set as ipv4, the ipset is ignored. There is a note here from jmccabe06.
It is also not super obvious that the ipset must be declared both in the dnsmasq settings (in LuCI, DHCP & DNS > General tab) and in the ipset settings section (in LuCI, DHCP & DNS > IP Sets tab), in addition to the firewall advanced settings.
...and I have no idea why... :rofl:

For me it works properly by:

  1. Define the nftables sets under "Firewall -> IP Sets" first. Important: use the correct family (IPv4 or IPv6) there, match on dest_ip, and define separate sets for IPv6 and IPv4 if necessary. Adding a timeout (I personally use 600s) helps clear old entries out of the ipsets automatically.
  2. Then add those sets to the dnsmasq set resolving under "DHCP & DNS -> IP Sets" (note: add both the IPv4 and the IPv6 set to the IP set option of the element as necessary. Multiple nftables sets can be specified for each group.)
  3. Finally, add them to the mwan3 rules. I use specific, separate rules for IPv4/IPv6, but IPv4+IPv6 works as well because it'll match the family of the ipset anyway (which is IPv4 by default if not explicitly defined under "Firewall -> IP Sets", as that is the default family for ipset).

Nothing else should be required (it's not for me at least). Most people probably forget to do step 1 and just let dnsmasq define the nftables sets with defaults (IPv4 without timeout), hence things not working properly with IPv6.

I'll add this additional info to the Wiki as well for clarity.
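The three steps above written out as the corresponding UCI sections. This is an added example, not the poster's own configuration: the set names, the domain and the mwan3 policy name are made up, and it assumes the nft2ipset service from the gist earlier in the thread is installed so that mwan3 sees the fw4 sets as ipsets.

```uci
# /etc/config/firewall
# Step 1: fw4 creates the nftables sets itself, one per family,
# so that dnsmasq does not fall back to its IPv4-only defaults.
# Names below are constructed examples.
config ipset
	option name 'wan2_v4'
	option family 'ipv4'
	list match 'dest_ip'
	# entries expire after 600 seconds, as suggested above
	option timeout '600'

config ipset
	option name 'wan2_v6'
	option family 'ipv6'
	list match 'dest_ip'
	option timeout '600'

# /etc/config/dhcp
# Step 2: dnsmasq adds resolved addresses of the listed domain to
# both sets. table/table_family are the defaults, shown for clarity.
config ipset
	list name 'wan2_v4'
	list name 'wan2_v6'
	list domain 'streaming.example'
	option table 'fw4'
	option table_family 'inet'

# /etc/config/mwan3
# Step 3: separate rules per family, each pointing at the set of the
# matching family. 'wan2_only' is an assumed, pre-existing mwan3 policy.
config rule 'wan2_hosts_v4'
	option ipset 'wan2_v4'
	option family 'ipv4'
	option proto 'all'
	option use_policy 'wan2_only'

config rule 'wan2_hosts_v6'
	option ipset 'wan2_v6'
	option family 'ipv6'
	option proto 'all'
	option use_policy 'wan2_only'
```

After editing, reload firewall, dnsmasq and mwan3 in that order so the sets exist before dnsmasq and mwan3 reference them.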