After upgrading from 19.07 to 22.03 Firewall Rule -m iprange --src-range not working

Two things to note:

Firewall4 is used by default, superseding the iptables-based firewall3 implementation in the OpenWrt default images. Firewall4 uses nftables instead of iptables to configure the Linux netfilter ruleset.

:!: Sysupgrade from 19.07 to 22.03 is not supported.


Sorry, I don't understand. I've managed to upload the sysupgrade.bin and proceeded with the upgrade using the GUI/LuCI.

For Firewall4, is there a way to achieve it? If yes, I'm not much of an expert but would much appreciate it if you could redirect me to sample syntax to achieve it.

option src ''
option src ''
option src ''
option src ''
option src ''

Note: this also covers - I didn't want to get too detailed (why, see next).

:warning: Next, I assume this was for the default OpenWrt DHCPv4 range - you configured it incorrectly anyways. It's actually (100+150 == 250).

Nonetheless, you could make this easier if you were to reconfigure DHCP to issue IPs on a CIDR bit-barrier. E.g: yields usable IPs:

# for LAN in /etc/config/dhcp

        option start '128'
        option limit '64'

For experts: Why am I using all 64 in DHCP? Because the actual LAN is /24 - it's OK for DHCP and when making references to a bigger network range to use the "unusable" network and broadcast addresses. :wink:


You may wish to create a thread/edit title similar to this one in the future: [22.03] Translate extra/raw firewall rules

BTW, it was always possible to express this rule in CIDR notation.
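
The translation discussed above, as an added example that is not code from the thread or from OpenWrt: it turns an `iprange`-style first/last pair into the CIDR blocks a `src_ip` match needs and renders the rule stanza. The function names and the 192.168.1.0/24 addresses (the OpenWrt default LAN) are assumptions, since the thread's own addresses are not shown.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def fw4_reject_rule(name, first, last, src="lan", dest="wan"):
    """Render a UCI firewall rule that matches the range via src_ip CIDR entries."""
    if "'" in name or "\n" in name:
        raise ValueError("rule name must not contain quotes or newlines")
    lines = [
        "config rule",
        f"\toption name '{name}'",
        f"\toption src '{src}'",
        f"\toption dest '{dest}'",
        "\toption family 'ipv4'",
    ]
    # One list entry per CIDR block; no iptables 'extra' arguments involved.
    lines += [f"\tlist src_ip '{cidr}'" for cidr in range_to_cidrs(first, last)]
    lines.append("\toption target 'REJECT'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed addresses: assumes the OpenWrt default LAN 192.168.1.0/24.
    print(fw4_reject_rule("Reject 129 to 190", "192.168.1.129", "192.168.1.190"))
    print(fw4_reject_rule("Reject DHCP pool", "192.168.1.128", "192.168.1.191"))
```

The unaligned range .129 to .190 needs ten `src_ip` entries, while the pool aligned on the /26 boundary (.128 to .191) collapses to a single one.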

Thanks for the very informative explanation - I really apologize for being such a newbie on subnetting.
The scenario is I want to have static lease below and the rest should be blocked.
Will follow your advice to use DHCP for yields usable IPs: -

Btw, is the option src in the GUI this one?



Yes...but to be clear, your actual network is /24 - therefore .128 and .191 are usable and need to be considered in your firewall. Hence the DHCP config I showed counting them. Using the /26 in the firewall will do that.

Yes, make family IPv4 only and the red might go away?

EDIT: changed DHCP config to 64 (in my head I still subtracted them anyways, lol)

Still can't :frowning:

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	list dhcp_option '6,,'
	option start '128'
	option limit '64'

Current Rule
config rule
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option name 'Reject 129 to 190'
	"option extra '-m iprange --src-range'"
	option enabled '0'
	option family 'ipv4'


No. Here's a pic:


It says it is Expecting: valid firewall remark




Not sure why you're in advanced settings and adding an IP address range in mark.

Thanks it works now! I just got used to the setting before in old firmware where you add it on extra

  • What is the URL to that Wiki you screenshotted?
  • The box you typed in isn't that - it says "mark"
  • The "extra arguments" box doesn't exist in 22+ (fw4) - as iptables (and its arguments) is not used

What is "add it"?

Here it is.
