Ban some IP addresses

Hello, I'm trying to block some IP addresses using firewall traffic rules, but it doesn't work. Why doesn't it work? I have these lines in my /etc/config/firewall file:

config rule                           
        list dest_ip '52.222.236.80'
        list dest_ip '34.160.144.191' 
        list dest_ip '2.20.255.114'     
        list dest_ip '34.149.100.209'
        list dest_ip '13.33.243.33'
        list dest_ip '52.85.49.122'   
        list dest_ip '34.107.243.93'
        list dest_ip '62.115.253.147'           
        list dest_ip '95.101.111.144'    
        list dest_ip '34.117.121.53'  
        option src 'lan'           
        option dest 'wan'                                  
        list src_mac '54:1C:46:12:4A:85'    
        list proto 'all'                       
        option target 'DROP'   

Just a guess:
You have a src MAC defined - are you sure this MAC address is correct and constant? For testing purposes, I would remove it.
NB: Modern devices, like smartphones, use random MAC addresses by default.


It works just fine here, after I replaced the MAC with one from my LAN.


It doesn't work even if I remove the MAC.

It's strange; I have no idea why it doesn't work for me.

You'll need to post your configs if you want additional help ...

The firewall and network files, to start with.

Here are my files, is it enough?

etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd86:e852:a298::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '11:11:11:11:11:11'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'user'
	option password 'password'
	option type 'bridge'
	option ipv6 '0'
etc/config/firewall
config defaults
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'
	option input 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'wan'
	list network 'freedom'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '21'
	option dest_ip '192.168.1.2'
	option name 'FTP'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '5901'
	option dest_ip '192.168.1.2'
	option dest_port '5901'
	option name 'VNC viewer'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '5500'
	option dest_ip '192.168.1.2'
	option dest_port '5500'
	option name 'VNC repeater'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'FTP passive'
	option src 'wan'
	option src_dport '60000-60100'
	option dest_ip '192.168.1.2'
	option dest_port '60000-60100'

config rule
	option name 'FTP'
	list dest_ip '192.168.1.2'
	option target 'ACCEPT'
	option src 'wan'
	option dest 'lan'
	option src_port '21 60000-60100'
	option dest_port '21 60000-60100'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.2'
	option dest_port '443'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'web'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.2'
	option dest_port '80'
	option enabled '0'

config rule                           
        list dest_ip '52.222.236.80'
        list dest_ip '34.160.144.191' 
        list dest_ip '2.20.255.114'     
        list dest_ip '34.149.100.209'
        list dest_ip '13.33.243.33'
        list dest_ip '52.85.49.122'   
        list dest_ip '34.107.243.93'
        list dest_ip '62.115.253.147'           
        list dest_ip '95.101.111.144'    
        list dest_ip '34.117.121.53'  
        option src 'lan'           
        option dest 'wan'                                  
        list src_mac '54:1C:46:12:4A:85'    
        list proto 'all'                       
        option target 'DROP'   

OpenWrt 22.03.5, r20134-5f15225c1e

Router Xiaomi Ax6s

Can we see the output of:

nft list chain inet fw4 forward_lan

Here

root@OpenWrt:/# nft list chain inet fw4 forward_lan
Error: No such file or directory
list chain inet fw4 forward_lan
                ^^^

For some reason the fw4 table does not exist.
Post the output of:

ubus call system board; fw4 restart; nft list ruleset
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi Redmi Router AX6S",
	"board_name": "xiaomi,redmi-router-ax6s",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
root@OpenWrt:~# fw4 restart
-ash: fw4: not found

nft list ruleset gives back nothing

Here is my package list; there is no firewall4, just firewall, if that is what fw4 refers to.

Package list
base-files bmon busybox ca-bundle cgi-io confuse curl 
dnsmasq-full dropbear etherwake firewall fstools fwtool 
getrandom hostapd-common htop ip-full iw iwinfo jansson 
jshn jsonfilter kernel kmod-bonding kmod-cfg80211 
kmod-crypto-acompress kmod-crypto-aead kmod-crypto-ccm 
kmod-crypto-cmac kmod-crypto-crc32c kmod-crypto-ctr 
kmod-crypto-gcm kmod-crypto-gf128 kmod-crypto-ghash 
kmod-crypto-hash kmod-crypto-hmac kmod-crypto-kpp 
kmod-crypto-lib-chacha20 kmod-crypto-lib-chacha20poly1305 
kmod-crypto-lib-curve25519 kmod-crypto-lib-poly1305 
kmod-crypto-manager kmod-crypto-null kmod-crypto-rng 
kmod-crypto-seqiv kmod-crypto-sha256 kmod-gpio-button-hotplug 
kmod-hwmon-core kmod-ifb kmod-leds-gpio kmod-lib-crc-ccitt 
kmod-lib-crc32c kmod-lib-lzo kmod-mac80211 kmod-mt76-connac 
kmod-mt76-core kmod-mt7615-common kmod-mt7615-firmware 
kmod-mt7615e kmod-mt7915e kmod-nf-conntrack 
kmod-nf-conntrack-netlink kmod-nf-conntrack6 
kmod-nf-flow kmod-nf-ipt kmod-nf-log kmod-nf-log6 
kmod-nf-nat kmod-nf-nat6 kmod-nf-reject kmod-nf-reject6 
kmod-nfnetlink kmod-nft-core kmod-nft-fib kmod-nft-nat 
kmod-nft-offload kmod-ppp kmod-pppoe kmod-pppox 
kmod-sched-cake kmod-sched-core kmod-slhc kmod-thermal kmod-tun 
kmod-udptunnel4 kmod-udptunnel6 kmod-wireguard libblobmsg-json 
libbpf libc libcap libcap-ng libconfig libcurl libelf libgmp 
libiwinfo libiwinfo-data libiwinfo-lua libjson-c libjson-script 
liblua liblucihttp liblucihttp-lua liblzo libmbedtls libmnl 
libncurses libnetfilter-conntrack libnettle libnfnetlink 
libnftnl libnghttp2 libnl-core libnl-route libnl-tiny libopenssl 
libopenssl-conf libpcre libprotobuf-c libpthread librt libstdcpp 
libubox libubus libubus-lua libuci libuci-lua libuclient libucode 
libustream-wolfssl libuuid libuv logd lua luci-app-ddns 
luci-app-firewall luci-app-openvpn luci-app-opkg luci-app-upnp 
luci-app-wireguard luci-app-wol luci-base luci-compat 
luci-i18n-attendedsysupgrade-ru luci-i18n-base-ru 
luci-i18n-firewall-ru luci-i18n-ddns-ru luci-i18n-openvpn-ru 
luci-i18n-opkg-ru luci-i18n-upnp-ru luci-i18n-wol-ru 
luci-lib-base luci-lib-ip luci-lib-jsonc luci-lib-nixio 
luci-mod-admin-full luci-mod-network luci-mod-status 
luci-mod-system luci-proto-bonding luci-proto-ipv6 
luci-proto-ppp luci-proto-wireguard luci-theme-bootstrap 
miniupnpd-nftables mtd mtr-json nano net-tools-route 
netdata netifd nftables-json nginx nginx-mod-luci 
nginx-mod-luci-ssl nginx-ssl nginx-ssl-util nginx-util 
odhcp6c odhcpd-ipv6only openssl-util openvpn-easy-rsa 
openvpn-openssl openwrt-keyring opkg ppp ppp-mod-pppoe 
procd procd-seccomp procd-ujail resolveip rpcd rpcd-mod-file 
rpcd-mod-iwinfo rpcd-mod-luci rpcd-mod-rrdns tc-tiny terminfo 
ubi-utils uboot-envtools ubox ubus ubusd uci uclient-fetch 
ucode ucode-mod-fs ucode-mod-ubus ucode-mod-uci umurmur-mbedtls 
urandom-seed urngd usign uwsgi uwsgi-cgi-plugin uwsgi-luci-support 
uwsgi-syslog-plugin wireguard-tools wireless-regdb 
wpad-basic-wolfssl zlib vncrepeater mwan3 luci-app-mwan3 ddns-scripts-noip

So currently there is no active firewall at all. Given that no NAT is enabled, there is no explanation of how anything even works. You could try to install firewall4 manually, but it would be better to reflash the device to the latest version available.

I installed OpenWrt in VirtualBox, and the IP ban still doesn't work. All traffic goes through this virtual router.

/etc/config/firewall
config defaults                                 
        option input 'DROP'                     
        option output 'ACCEPT'                  
        option forward 'ACCEPT'                 
        option synflood_protect '1'             
                                                
config zone                                     
        option name 'lan'                       
        option input 'ACCEPT'                   
        option output 'ACCEPT'                  
        option forward 'ACCEPT'                 
        option masq '1'                         
                                                
config zone                                     
        option name 'wan'                       
        option input 'ACCEPT'                   
        option output 'ACCEPT'                  
        option forward 'ACCEPT'                 
        option masq '1'                         
        option mtu_fix '1'                      
        list network 'wan'                      
        list network 'wan6'                     
        list network 'lan'                      
                                                
config forwarding                               
        option src 'lan'                        
        option dest 'wan'                       
                                                
config rule                                     
        option name 'Allow-DHCP-Renew'          
        option src 'wan'                        
        option proto 'udp'                      
        option dest_port '68'                   
        option target 'ACCEPT'                  
        option family 'ipv4'     

config rule                                     
        option name 'Allow-Ping'                
        option src 'wan'                        
        option proto 'icmp'                     
        option icmp_type 'echo-request'         
        option family 'ipv4'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-IGMP'                
        option src 'wan'                        
        option proto 'igmp'                     
        option family 'ipv4'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-DHCPv6'              
        option src 'wan'                        
        option proto 'udp'                      
        option dest_port '546'                  
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-MLD'                 
        option src 'wan'                        
        option proto 'icmp'                     
        option src_ip 'fe80::/10'               
        list icmp_type '130/0'                  
        list icmp_type '131/0'                  
        list icmp_type '132/0'                  
        list icmp_type '143/0'                  
        option family 'ipv6'                    
        option target 'ACCEPT' 

config rule                                     
        option name 'Allow-ICMPv6-Input'        
        option src 'wan'                        
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation' 
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'     

config rule                                     
        option name 'Allow-ICMPv6-Forward'      
        option src 'wan'                        
        option dest '*'                         
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-IPSec-ESP'           
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'esp'                      
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ISAKMP'              
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'                  
        option proto 'udp'                      
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'yandex'                    
        option src 'lan'                        
        option dest 'wan'                       
        option target 'DROP'                    
        list dest_ip '5.255.255.242'            
        list dest_ip '77.88.55.242'             
        list proto 'icmp' 
etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option proto 'dhcp'
        option device 'eth0'
nft list chain inet fw4 forward_lan
table inet fw4 {
	chain forward_lan {
		meta l4proto icmp ip daddr { 5.255.255.242, 77.88.55.242 } counter packets 0 bytes 0 jump drop_to_wan comment "!fw4: yandex"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_lan
	}
}
ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "12th Gen Intel(R) Core(TM) i3-12100F",
	"model": "innotek GmbH VirtualBox",
	"board_name": "innotek-gmbh-virtualbox",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "x86/64",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
nft list ruleset
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname "eth0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		meta l4proto icmp ip daddr { 5.255.255.242, 77.88.55.242 } counter packets 0 bytes 0 jump drop_to_wan comment "!fw4: yandex"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
	}

	chain accept_to_lan {
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		jump accept_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		jump accept_to_wan
	}

	chain accept_from_wan {
		iifname "eth0" counter packets 6 bytes 408 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname "eth0" ct state invalid counter packets 6 bytes 264 drop comment "!fw4: Prevent NAT leakage"
		oifname "eth0" counter packets 194 bytes 19382 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain drop_to_wan {
		oifname "eth0" counter packets 0 bytes 0 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}

	chain srcnat_lan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 lan traffic"
	}
}

That's not the way it's supposed to work. You have only one interface, and it is assigned to the wan firewall zone. No traffic goes through the router; it just leaves the (so-called) router, and you are probably doing the test from the command line of the virtual router itself.

In this case, the correct chain is output_wan, so comment out the source zone in your rule and restart the firewall service:

config rule                                     
        option name 'yandex'                    
        #option src 'lan'                        
        option dest 'wan'                       
        option target 'DROP'                    
        list dest_ip '5.255.255.242'            
        list dest_ip '77.88.55.242'             
        list proto 'icmp' 

I started the ping from the console on my Linux machine, not from the router, and the ICMP packets go through it. If I set 'DROP' on output, no packets go outside at all.

Nothing happened when I commented out the line with lan.

Your WAN zone's [ Input / Output / Forward ] policies (shown as WAN --> REJECT) should be either:
'reject' 'accept' 'reject'
or
'Drop' 'accept' 'drop'

I don't think you really want to accept everything on WAN; with input set to ACCEPT, every service listening on the router is reachable from the WAN side. :wink:

If I set these parameters, nothing works at all: I can't load the web interface, only SSH.

Wait, you have your LAN set to DHCP. You haven't defined static addressing for your internal network. Also, your LAN is bound to eth0, the same interface as the wan zone.

You may want to fully reset and start config over at this point.

I have a Xiaomi AX6s with DHCP, and it hands out all the IPs on my LAN, including to this virtual OpenWrt. This virtual OpenWrt is connected over a bridge to my AX6s router.