After upgrading from 19.07 to 22.03 Firewall Rule -m iprange --src-range 192.168.1.100-192.168.1.150 not working

Two things to note:

Firewall4 is used by default, superseding the iptables-based firewall3 implementation in the OpenWrt default images. Firewall4 uses nftables instead of iptables to configure the Linux netfilter ruleset.

And
:!: Sysupgrade from 19.07 to 22.03 is not supported.


Sorry, I don't understand. I've managed to upload the sysupgrade.bin and proceeded with the upgrade using the GUI/LuCI.

For Firewall4, is there a way to achieve it? If yes, I'm not much of an expert, but I would appreciate it very much if you could point me to sample syntax to achieve it.

option src '192.168.1.100/30'
option src '192.168.1.104/29'
option src '192.168.1.112/28'
option src '192.168.1.128/28'
option src '192.168.1.144/29'

Note: this also covers 192.168.1.151 - I didn't want to get too detailed (why, see next).

:warning: Next, I assume this was for the default OpenWrt DHCPv4 range - you configured it incorrectly anyways. It's actually 192.168.1.100-192.168.1.249 (100+150 == 250).

Nonetheless, you could make this easier if you were to reconfigure DHCP to issue IPs on a CIDR bit-barrier. E.g.:

192.168.1.128/26 yields usable IPs: 192.168.1.129-192.168.1.190

# for LAN in /etc/config/dhcp

        option start '128'
        option limit '64'

For experts: Why am I using all 64 in DHCP? Because the actual LAN is /24 - it's OK for DHCP and when making references to a bigger network range to use the "unusable" network and broadcast addresses. :wink:

See: https://www.subnet-calculator.com/

You may wish to create a thread/edit title similar to this one in the future: [22.03] Translate extra/raw firewall rules

BTW, it was always possible to express this rule in CIDR notation.
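As an added example, not code from anyone in this thread: a short Python script that does the range-to-CIDR translation the reply above works through by hand, renders the blocks as UCI `list src_ip` entries (the firewall rule option for source addresses, assumed here as the target form), and checks which addresses a hand-written block list covers beyond the intended range. It also generalises to an OpenWrt DHCP pool given as `option start`/`option limit`; the function names are mine.

```python
import ipaddress
from ipaddress import IPv4Address
from typing import Iterable


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Minimal CIDR blocks that exactly cover the inclusive range first..last."""
    a, b = IPv4Address(first), IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def uci_src_ip_lines(cidrs: Iterable[str]) -> str:
    """Render blocks as 'list src_ip' entries for a 'config rule' section."""
    return "\n".join(f"\tlist src_ip '{c}'" for c in cidrs)


def coverage_delta(cidrs: Iterable[str], first: str, last: str):
    """Compare what the blocks match against the intended range.

    Returns (missing, extra): addresses in the range no block matches, and
    addresses matched by some block that lie outside the range.
    """
    intended = set(range(int(IPv4Address(first)), int(IPv4Address(last)) + 1))
    matched: set[int] = set()
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        matched.update(range(int(net.network_address), int(net.broadcast_address) + 1))
    missing = [str(IPv4Address(i)) for i in sorted(intended - matched)]
    extra = [str(IPv4Address(i)) for i in sorted(matched - intended)]
    return missing, extra


def dhcp_pool_cidrs(lan: str, start: int, limit: int) -> list[str]:
    """Blocks covering a DHCP pool given as OpenWrt 'option start'/'option limit',
    both relative to the LAN network address (e.g. 192.168.1.0/24, 128, 64)."""
    net = ipaddress.ip_network(lan)
    first = net.network_address + start
    last = net.network_address + start + limit - 1
    return range_to_cidrs(str(first), str(last))


if __name__ == "__main__":
    # Constructed sample: the range from the thread's original iptables rule.
    exact = range_to_cidrs("192.168.1.100", "192.168.1.150")
    print(uci_src_ip_lines(exact))
    # The five hand-picked blocks from the reply, checked for over-coverage.
    hand = ["192.168.1.100/30", "192.168.1.104/29", "192.168.1.112/28",
            "192.168.1.128/28", "192.168.1.144/29"]
    print(coverage_delta(hand, "192.168.1.100", "192.168.1.150"))
```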

Thanks for the very informative explanation - I really apologize for being such a newbie on subnetting.
The scenario is I want to have static leases below 192.168.1.100, and the rest should be blocked.
Will follow your advice to use DHCP for 192.168.1.128/26, which yields usable IPs 192.168.1.129-192.168.1.190.

Btw, is the option src in the GUI this one?



Yes...but to be clear, your actual network is /24 - therefore .128 and .191 are usable and need to be considered in your firewall. Hence the DHCP config I showed counting them. Using the /26 in the firewall will do that.

Yes, make family IPv4 only and the red might go away?

EDIT: changed DHCP config to 64 (in my head I still subtracted them anyways, lol)

Still can't :frowning:

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	list dhcp_option '6,94.140.14.15,94.140.14.16'
	option start '128'
	option limit '64'

Current Rule
config rule
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option name 'Reject 129 to 190'
	"option extra '-m iprange --src-range 192.168.1.100-192.168.1.150'"
	option enabled '0'
	option family 'ipv4'

Mark???

No. Here's a pic:


It says it is "Expecting: valid firewall remark".


See:


Not sure why you're in advanced settings and adding an IP address range in mark.

Thanks, it works now! I just got used to the setting in the old firmware where you add it under extra.

  • What is the URL to that Wiki you screenshotted?
  • The box you typed in isn't that - it says "mark"
  • The "extra arguments" box doesn't exist in 22+ (fw4) - as iptables (and its arguments) is not used

What is "add it"?

Here it is.

https://forum.archive.openwrt.org/viewtopic.php?id=64562

