banIP to block domain on ipv4 and ipv6 for certain client

As per title,
can someone guide me how to properly set this up?
I have followed some guides but it did not work.

please guide.


Create ipsets matching the is_* names in the config ?

For ipset setup, google "man ipset".

What do you mean by "client"? Regardless, ipset is not available with recent OpenWrt versions which moved from iptables+ipset+firewall3 to nftables+firewall4

this is my config

yes, and it doesn't contradict my last post, assuming ipset still works in your openwrt release.

client means user.

guide me how to use nftables to block

this is my firewall config

my last and 2nd last posts are still valid.

as for your 1st post, "it did not work" won't get you very far.
what did not work?

and please stop posting screen dumps.

paste the cli output, mark it, and use the </> button.

nft list sets

Blocking is not working. That MAC address user that I defined can still access.

skip the MAC, does the filter work at all ?

why are you using IPs, instead of DNS names ?
IPs can change, DNS names won't, at least not as often.

I followed these instructions

sure, if you use ipsets, but it's not the optimal solution here.

ok guide me, what is the optimal solution

Blocking YouTube blocks other Google services will probably still work, but it'll apply to all your devices.

this looks better though, along with the DNS names in the thread above.


There is no easy method to achieve this AFAIK. I can't really guide you but you can look at this solution which dynamically maps nftables sets to domain names, then learn how to create nftables rules involving sets, then combine the 2 solutions.

@frollic judging by the screenshots, clearly @9M2PJU has nftables+fw4 rather than iptables+ipset+fw3.

Or you could just use the relevant UCI config files (dhcp and firewall) to do the same thing. firewall to create the set and relevant rules, and dhcp to map domain names to it. It works perfectly well under firewall4 + nftables.
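An added example of the UCI approach described in this post (not config posted by anyone in the thread), assuming a recent fw4 + nftables release and the option names as I recall them for firewall4 and OpenWrt's dnsmasq init; the set names, the MAC address and the domains are placeholders:

```uci
# /etc/config/firewall (added sections; keep the existing ones)
# Two sets, because an nftables set holds one address family.
config ipset
	option name 'blocked_domains4'
	option family 'ipv4'
	list match 'dest_ip'

config ipset
	option name 'blocked_domains6'
	option family 'ipv6'
	list match 'dest_ip'

# Reject forwarded traffic from one client (matched by MAC) to any
# address currently in the sets. 'AA:BB:CC:DD:EE:FF' is a placeholder.
config rule
	option name 'Block-domains-client-v4'
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'
	list src_mac 'AA:BB:CC:DD:EE:FF'
	option ipset 'blocked_domains4'
	option target 'REJECT'

config rule
	option name 'Block-domains-client-v6'
	option src 'lan'
	option dest 'wan'
	option family 'ipv6'
	list src_mac 'AA:BB:CC:DD:EE:FF'
	option ipset 'blocked_domains6'
	option target 'REJECT'

# /etc/config/dhcp (added section): dnsmasq adds every address it
# resolves for these domains (and their subdomains) to the fw4 sets,
# so the sets are filled dynamically at lookup time. A set name ending
# in 4 or 6 selects that address family. Example domains only.
config ipset
	list name 'blocked_domains4'
	list name 'blocked_domains6'
	list domain 'youtube.com'
	list domain 'googlevideo.com'
```

After `/etc/init.d/dnsmasq restart` and `fw4 reload`, `nft list set inet fw4 blocked_domains4` should start filling as that client resolves those names. The sets are only populated for clients that use the router's dnsmasq, so a device pointed at its own resolver (or using DNS over HTTPS) is not covered by this rule.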

I'm pretty sure you can do most (if not all) of the required configuration in LuCi on recent builds so you don't even have to mess around with editing files directly.

Sure, it is possible to create nft sets via UCI. But can one create dynamic nft sets via UCI? I bet not.

Edit: one could, of course, create a similar script which would use UCI to interface with nftables in order to implement dynamic sets, but this involves learning concepts and syntax for both nftables and for UCI, and I don't see how this is easier than only learning concepts and syntax for nftables alone.

What is your definition of a dynamic set?