Block certain sites in wifi zone using IPSET

Hi everybody,
I am trying to get ipset running according to thencein's howto in Blocking websites on your router.
I replaced the dnsmsq package by dnsmsq-full and installed additional packages (ipset, ipset-dns, kmod-ipt-ipset, libipset13). The goal is to block a lot of websites on the wifi interface (in my configs it is called wlan with a firewall zone wlan_fw_kn).
Unfortunately it is still possible to reach the below example websites like from the wifi zone.

My /etc/config/firewall

config ipset
        option name 'IP-Bereiche'
        option match 'dest_ip'
        option family 'ipv4'
        option storage 'hash'
        option enabled '1'

config rule
        option target 'REJECT'
        list proto 'all'
        option src 'wlan_fw_kn'
        option name 'Sammelregel'
        option ipset 'IP-Bereiche'
        option dest 'wan'

My /etc/config/dnsmasq only contains


This is my /etc/config/dhcp

config dnsmasq
        option domainneeded     1
        option boguspriv        1
        option localise_queries 1
        option local            '/lan/'
        option domain           'lan'
        option expandhosts      1
        option authoritative    1
        option readethers       1
        option leasefile        '/tmp/dhcp.leases'
        option resolvfile       '/tmp/'
        option localservice     1
        option rebind_protection 0
#newly added:
        list ipset '/'
        list ipset '/'
        list ipset '/'

config dhcp lan
        option interface lan
        option start     100
        option limit     150
        option leasetime 12h
        option dhcpv6    server
        option ra        server
        option ra_management 1

config dhcp wan
        option interface wan
        option ignore    1

config odhcpd odhcpd
        option maindhcp     0
        option leasefile    /tmp/hosts/odhcpd
        option leasetrigger /usr/sbin/odhcpd-update
        option loglevel     4

config dhcp WLAN
        option leasetime 12h
        option limit     150
        option interface WLAN
        option start     10

config host
        option mac '00:68:EB:68:F4:CC'
        option ip ''

config dhcp LAN
        option start 100
        option leasetime 12h
        option limit 150
        option interface LAN

config host
        option mac '00:90:4C:C5:12:38'
        option ip ''

config host
        option mac '16:82:52:E5:2A:33'
        option ip ''

ipset list IP-Bereiche
gives me no entries an no members (!?):

Name: IP-Bereiche
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 56
References: 1
Number of entries: 0

The strange thing is when I do iptables -nvL zone_wlan_fw_kn_forward
it gives me

Chain zone_wlan_fw_kn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   476 forwarding_wlan_fw_kn_rule  all  --  *      *              /* !fw3: Custom wlan_fw_kn forwarding rule chain */
    0     0 zone_wan_dest_REJECT  all  --  *      *              match-set IP-Bereiche dst /* **!fw3: Sammelregel** */
    0     0 ACCEPT     tcp  --  *      *              tcp dpt:4444 /* !fw3: KN_SSH_lan2wlan */
    9   476 zone_wan_dest_ACCEPT  all  --  *      *              /* !fw3: Zone wlan_fw_kn to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *              ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wlan_fw_kn_dest_ACCEPT  all  --  *      *              /* !fw3 */

Isn't it strange to habe the negation !fs3: Sammelregel in line 2 ?

Another thing related to this is that in LUCI there is no option to edit the ipsets as described in

Navigate to LuCI → Network → Firewall → Traffic Rules → Filter-IPset-DNS-Forward to manage firewall rules.
Navigate to LuCI → Network → DHCP and DNS → General Settings → DNS forwardings to manage domains.

Anyhow, does anybody of you have an idea where the problem is or how I can investigate further?
THX a lot!

1 Like

The how-to on the wiki describes a few more steps:

  • Filter both IPv4 and IPv6
  • Preresolve domains
  • Utilize ipset-dns

Those are missing in your case.

1 Like

That was a good point, vgaetera!

  • ipv6 is not configured in my network, therefore I didnt configure it here neither
  • pre-resolve I didn't configure due to lack of understanding...
  • Regarding ipset-dns I added in my /etc/config/ipset-dns the following:
    option ipset 'IP-Bereiche'
    Then I reduced the number of blocked domains in /etc/config/dhcp to
    list ipset '/'

Butipset list gives me

Name: IP-Bereiche
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 216
References: 1
Number of entries: 4

Those IPs are actually not pingable from within the wifi zone.

So I ask myself how OpenWRT is translating (mentioned in my dhcp config) into all these IPs ?

When I do nslookup from within the wifi zone I get the following:

Nslookup ->
Nslookup ->

nslookup ->
nslookuop ->

Both IPs are in the above listed members of my ipset....

However, both and are pingable from the OpenWRT device.
Any idea?

Does the youtube website load in your browser when connecting from a wifi device? I've never really paid attention to whether pings are successful or not as I was satisfied enough simply knowing the website and app were virtually broken/unusable thanks to the ipset firewall rules.

No, both youtube and dont load in the browser from within the wifi zone.
All IPs from ipset list are not pingable from within the wifi zone.

Another observation:
after doing

/etc/init.d/firewall restart
/etc/init.d/ipset-dns restart
/etc/init.d/dnsmasq restart

due to a minimal change in the configs I get more members in my ipset

~#ipset list
Name: IP-Bereiche
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 256
References: 1
Number of entries: 5
Members:   <---this one is new

This is strange because I still one single line in my /etc/config/dhcp :
list ipset '/'

The configured filtering rule only applies to transit traffic.

This also includes all subdomains resolved with dnsmasq.

Make sure to disable DoH in the client browser.

Yes DoH ist disabled in the client browser.

So blocking of domains is working but I have to live with the mechanism of dnsmasq which resolves these domains into IPs - maybe it is not dnsmasq "fault" that includes the IP of (which I didnt want to block).

Another related question: if I introduce

        option iprange ''
        option iprange ''

in my firewall config I get

~# /etc/init.d/firewall reload
Warning: Section @ipset[0] (IP-Bereiche) iprange ignored

Maybe the notation in the second line is not correct but the same warning comes with only the first option iprange, too.
Unfortunately I didn'T find out how to get iprange running.

Correct. This is the possible, negative side effect of blocking IPs. In case of google, there might even be other services concerned.


You can use CIDR notation.

It looks like the option iprange requires storage=hash:net.


For reference/information, dnsmasq-full has, for some years now, had full ipset support built in, including the functionality of ipset-dns. (I think it was added around the time of Barrier Breaker .. not sure)

This means that installing ipset-dns is superfluous ie. it does nothing.
It should be deprecated as a package I think, and the various Wiki pages updated....

This should not exist and will not be used.
Perhaps you meant /etc/dnsmasq.conf. This is not used either.

The dnsmasq init.d script creates a dnsmasq.conf.cfgxxxxxx file in /tmp/etc/ at startup using the contents of /etc/config/dhcp

The ipset-dns package "provides" web interface to manage IP set domains, and I believe this is important for many users.
I'm happy to update the docs when the ipset dnsmasq option has web interface support.

Interesting. Do you have any details? Does it use uhttpd or something like libmicrohttpd?

This is not correct. It is used, but usually contains no special options. Unless you modify it.

I got myself a coffee and looked it up :wink:

ipset-dns code was merged into dnsmasq in 2013

If you look at the detail of /etc/init.d/dnsmasq it looks like dnsmasq is started using only the generated config file in /tmp/etc
I have done a few quick tests here and anything in /etc/dnsmasq.conf seems to be ignored.
If it does read /etc/dnsmasq.conf, it must be hard coded somewhere and a quick look at the source code did not show it up.
Which special options have you set there?

In my system (without ipset), 'ps' shows:

2327 dnsmasq 1464 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/
2329 root 1460 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/

And, when checking:
root@...~# cat /var/etc/dnsmasq.conf.cfg01411c
Comment: auto-generated config file from /etc/config/dhcp
My (customized) /etc/dnsmasq.contains few special config options, i.e.

Which are effective.

I closed this topic as my initial problem was solved.
Thank you everybody!


Ah! You mean ipset-dns is supported by Luci! This all seems to be a bit of an unfinished and then forgotten work in progress. I wonder if there are any conflicts between dnsmasq-full and ipset-dns?
I might do a few tests....

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.