Block IP(s) from accessing WAN not working as intended

I am trying to create a simple rule to block specific devices on the network from accessing the Internet. I enter the following traffic rules and only some of the devices are blocked.

Device 1: Server PC (blocked)
Device 2: iPhone (not blocked)
Device 3: Linux VM on Server PC with a static LAN IP on the same subnet (not blocked)

Here's the rule configured from LuCI:

config rule
	option name 'BlockDeviceNetTest'
	option dest 'wan'
	list src_ip '192.168.1.12'
	list src_ip '192.168.1.183'
	list src_ip '192.168.1.175'
	option src 'lan'
	option target 'DROP'
	list proto 'all'

I've tried both REJECT and DROP. Why would the iPhone and VM still be able to access the WAN, but the server machine not?

Router: Netgear R7800
Firmware: hnyman OpenWrt 21.02-SNAPSHOT r16469-b59f3b08b4

Did you restart the firewall? (different from reload)

A few more reasons can be that the devices are using IPv6, that they are using ephemeral MAC addresses and acquire a different IP from the DHCP server, or that there is some other rule with precedence allowing the traffic.

I just tried the following commands, but the devices are still not blocked.

/etc/init.d/firewall restart
service firewall restart

Let's see your complete firewall file, /etc/config/firewall

Thanks. I had suspected IPv6 as a possibility. The traffic rule indicates "restrict to address family" as both IPv4 and IPv6, so I thought that would handle it. Is there a quick way to disable IPv6 in LuCI or via config? I've seen a list of UCI commands, but I'm not comfortable inputting a bunch of commands I've yet to understand.

In any case, the server has IPv6 off in Windows config, and I'd much rather handle the issue in the firewall instead of on a per device basis.

Not if you specify IPv4 as source or destination.

Disable wan6 interface.

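An added example, not the thread's own configuration, of the point made above: fw3 derives a rule's address family from the addresses it matches on, so a rule whose src_ip entries are all IPv4 is only ever installed in the IPv4 table, no matter what "restrict to address family" says in LuCI, and the hosts' IPv6 traffic walks straight past it. The first rule below is the poster's, unchanged; the second matches the same hosts by MAC address instead, which is family-independent, so one rule covers both IPv4 and IPv6. The MAC values are placeholders (assumed, not from the thread); take the real ones from Status > Overview > Active DHCP Leases in LuCI or from /tmp/dhcp.leases on the router.

```uci
# /etc/config/firewall (fragment). Comments must sit on their own lines;
# uci commit drops them.

# Original rule: IPv4 addresses only, therefore IPv4 traffic only.
config rule
	option name 'BlockDeviceNetTest'
	option src 'lan'
	option dest 'wan'
	list src_ip '192.168.1.12'
	list src_ip '192.168.1.183'
	list src_ip '192.168.1.175'
	list proto 'all'
	option target 'DROP'

# Added rule: match the hosts by MAC, family 'any', so the same rule lands
# in both the IPv4 and the IPv6 tables. MACs below are placeholders.
config rule
	option name 'BlockDeviceNetTest-MAC'
	option src 'lan'
	option dest 'wan'
	option family 'any'
	# server PC (its physical NIC)
	list src_mac '00:11:22:33:44:55'
	# iPhone: the private Wi-Fi address it presents to this network,
	# i.e. whatever the DHCP lease list shows, not the MAC printed in iOS settings
	list src_mac '00:11:22:33:44:66'
	# Linux VM: the VM's own virtual NIC MAC (it is bridged onto the LAN
	# with its own address, so the server PC's MAC does not cover it)
	list src_mac '00:11:22:33:44:77'
	list proto 'all'
	option target 'DROP'
```

Apply with /etc/init.d/firewall restart, then check from a blocked host that both `curl -4` and `curl -6` to an external site fail. MAC matching only works for hosts on the LAN segment itself (the router sees their frames directly), which is the case here; and if a phone rotates its private address, the list has to follow it. Disabling wan6, as suggested above, removes the IPv6 path entirely and is the blunter alternative.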

It is indeed IPv6 that's the issue. I have to add one of the IPv6 addresses to the block list for it to work. This works, but due to the fact that there are multiple addresses, it isn't always as simple as picking a MAC or IP.

I'll look into the feasibility of disabling the WAN6 interface. Thanks.
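For anyone who stays with address-based matching rather than MAC: a host typically holds several IPv6 addresses at once (a link-local one, a SLAAC address derived from its MAC, one or more temporary privacy addresses that rotate), and a src_ip entry for just one of them leaves the others unblocked. The shell functions below, an added example that is not part of the thread, pull every IPv6 address the router's neighbour table currently maps to a given MAC, and then drop the link-local ones, which never reach the WAN and so do not belong in the rule. The neighbour lines are constructed sample data in the format of `ip -6 neigh show`, using the 2001:db8::/32 documentation prefix and made-up MACs; on the router you would feed the real command's output in instead.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate a LAN host's IPv6 addresses
# from the router's neighbour table, keyed by MAC.
# Live input on the router:  ip -6 neigh show
# The sample below is constructed: 2001:db8::/32 documentation prefix,
# made-up MACs. 1e:2a:...:6e plays the host that holds three addresses.
SAMPLE_NEIGH='fe80::1c2a:3bff:fe4c:5d6e dev br-lan lladdr 1e:2a:3b:4c:5d:6e router STALE
2001:db8:1:0:1c2a:3bff:fe4c:5d6e dev br-lan lladdr 1e:2a:3b:4c:5d:6e REACHABLE
2001:db8:1:0:a1b2:c3d4:e5f6:7890 dev br-lan lladdr 1e:2a:3b:4c:5d:6e STALE
2001:db8:1:0:3e5f:aaff:fe01:203 dev br-lan lladdr 3c:5f:aa:01:02:03 REACHABLE
fe80::3e5f:aaff:fe01:203 dev br-lan lladdr 3c:5f:aa:01:02:03 STALE
2001:db8:1::99 dev br-lan FAILED'

# ipv6_for_mac MAC  (neighbour table on stdin)
# Prints every address whose lladdr equals MAC (case-insensitive), one per
# line. Entries without an lladdr (FAILED/INCOMPLETE) carry no MAC and are
# skipped. Scanning for the "lladdr" token rather than a fixed column keeps
# this working whether or not the output contains the "dev X" field.
ipv6_for_mac() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "lladdr" && tolower($(i + 1)) == want) print $1
        }'
}

# global_ipv6_for_mac MAC  (neighbour table on stdin)
# Same, minus link-local addresses (fe80::/10): those are never routed to
# the WAN, so a WAN-blocking rule does not need them.
global_ipv6_for_mac() {
    ipv6_for_mac "$1" | awk 'tolower($0) !~ /^fe[89ab]/'
}

# uci_src_ip_lines  (addresses on stdin)
# Renders the addresses as "list src_ip" lines to paste into the rule.
uci_src_ip_lines() {
    awk -v q="'" '{ printf "\tlist src_ip %s%s%s\n", q, $0, q }'
}

# Demo on the constructed sample. On the router, replace the printf with:
#   ip -6 neigh show | global_ipv6_for_mac 1e:2a:3b:4c:5d:6e | uci_src_ip_lines
printf '%s\n' "$SAMPLE_NEIGH" | global_ipv6_for_mac 1e:2a:3b:4c:5d:6e | uci_src_ip_lines
```

Two caveats a practitioner should keep in mind: the neighbour table only lists hosts the router has exchanged traffic with recently, so a quiet host may be missing from it, and temporary privacy addresses are replaced on a schedule, so any src_ip list built this way goes stale. That is the reason to prefer matching on the MAC (src_mac) or, as suggested above, disabling wan6, over chasing individual IPv6 addresses.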

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

