Blocking access to specific IP not working

I am using LEDE 17.01.4 on a Raspberry Pi 3, with the LAN port into the Pi acting as WAN, and then using that WAN to forward and generate a Wi-Fi network on the Pi's built-in 802.11n radio. I am trying to implement blocking of specific IPs using firewall rules. As per the LEDE and OpenWrt wikis I created the following rule in /etc/config/firewall to block all access to the IP (just an IP for the website

config rule
    option name        Block-IP
    option src         lan
    option dest        wan
    option dest_ip
    option target      REJECT

After refreshing all networking and the firewall, the rule shows up in LuCI properly (see attached picture); however, I can still ping from any device connected to the network produced by the Raspberry Pi. According to the LEDE wiki this should block all communication with, but after messing around with the rule for quite a while I can't figure out how to make it work. Anyone know what I'm doing wrong? Thanks!

Order of rules does matter: if the forwarding rule is higher up in the config file than this one, packets are going to be forwarded.

Hi! Thank you for the response. I tried moving the rule above the forwarding rule, so in /etc/config/firewall they are now listed as:

config rule
    option name        Block-IP
    option src         lan
    option dest        wan
    option dest_ip
    option target      REJECT
    option family      ipv4

config forwarding
    option src         lan
    option des         wan

I added the family so that I stopped getting the "Skipping due to different family of ip address" error when I refreshed the firewall. Currently, in /etc/config/firewall the only sections above the Block-IP rule are config defaults and the configs for the lan and wan zones. However, after moving the Block-IP rule to that position I can still ping the address from any device connected to the network. Do you have any other ideas as to why this is not working?

Either a typo in your message or an error in your config file. That should be "dest".

Just post your whole /etc/config/firewall if you want sensible answers.

You could also do "fw3 print" to see the actual iptables rules generated:

root@LEDE:~# fw3 print
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT

Hi hnyman, thanks for the reply. That was a typo in my message; here is my /etc/config/firewall file.
Also, the output of fw3 print contains the lines:

iptables -t filter -A zone_lan_forward -p tcp -d -m comment --comment "!fw3: Block-IP" -j zone_wan_dest_REJECT
iptables -t filter -A zone_lan_forward -p udp -d -m comment --comment "!fw3: Block-IP" -j zone_wan_dest_REJECT

which would make me think that the rule should be applied.

Hello, after doing a bunch of research and getting some help from a friend who has more iptables experience than myself, I have found something very odd with the UCI firewall. When I load the firewall with this /etc/config/firewall and then run iptables-save, I receive the following file. This shows that the rule I specified

-A zone_lan_forward -d -m comment --comment "!fw3: Block-IP" -j zone_wan_dest_REJECT

specifies that any traffic to should be directed to be handled by a rule defined in zone_wan_dest_REJECT. However, for some reason (I'm not sure if this is an actual bug in LEDE or not) there are no default rules written for zone_wan_dest_REJECT, so since this traffic was not being rejected as it should be, it was being accepted by another one of the zone_lan_forward rules. I fixed this problem by adding the line

-A zone_wan_dest_REJECT -j DROP

and thereby defining a rule for zone_wan_dest_REJECT that drops all traffic directed to this chain. I am not sure why I had to do this, as there should be a default rule for zone_wan_dest_REJECT, but this is how I resolved the problem.
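A quick way to catch the failure mode described in the post above (a rule that jumps into a user-defined chain that holds no rules, so the packet simply returns to the caller and hits the next accept rule) is to scan iptables-save output for chains that are referenced by a -j but never populated. The script below is an added example and not part of the thread or of fw3/LEDE; the iptables-save excerpt inside it is constructed to mirror the thread's chain names, with 192.0.2.10 standing in for the redacted address and the "-o eth0" accept rule assumed rather than taken from the page.

```shell
#!/bin/sh
# Added example (not from the thread): list user-defined chains that are jump
# targets but contain no rules. In iptables a jump into an empty user chain
# behaves like RETURN, so the calling chain keeps evaluating its later rules.

# Constructed iptables-save excerpt modelled on the thread's output.
# 192.0.2.10 is a documentation address standing in for the redacted IP;
# the zone_wan_dest_ACCEPT rule and interface name eth0 are assumptions.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:reject - [0:0]
:zone_lan_forward - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
-A FORWARD -j zone_lan_forward
-A zone_lan_forward -d 192.0.2.10/32 -m comment --comment "!fw3: Block-IP" -j zone_wan_dest_REJECT
-A zone_lan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Reads iptables-save text on stdin. Prints, one per line and sorted, every
# user-defined chain (declared with a "-" policy) that some rule jumps to
# but that has no "-A <chain> ..." rules of its own.
empty_jump_targets() {
    awk '
        /^:/ {
            # ":NAME policy [pkts:bytes]" declares a chain; "-" marks user chains
            name = substr($1, 2)
            if ($2 == "-") userchain[name] = 1
            next
        }
        /^-A / {
            rules[$2]++                      # a rule appended to chain $2
            for (i = 3; i <= NF; i++)        # record every "-j TARGET"
                if ($i == "-j" && i < NF) target[$(i + 1)] = 1
            next
        }
        END {
            for (c in target)
                if ((c in userchain) && !(c in rules)) print c
        }
    ' | sort
}

# Runs the check over the constructed sample; expected to report
# zone_wan_dest_REJECT, the chain the poster found to be empty.
check_sample() {
    printf '%s\n' "$SAMPLE_RULES" | empty_jump_targets
}

# Same sample with the poster's fix appended; expected to report nothing.
check_sample_fixed() {
    printf '%s\n-A zone_wan_dest_REJECT -j DROP\n' "$SAMPLE_RULES" | empty_jump_targets
}

check_sample
```

On the router itself the same function can be fed the live ruleset with `iptables-save | empty_jump_targets`; any chain it prints is one your Block-IP style rules may be jumping into for no effect. Note that fw3 normally generates a reject rule for a zone's *_dest_REJECT chain when a rule references it, so an empty one is worth reporting rather than just patching by hand, since a manual iptables line is lost on the next firewall reload.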