Blocking services on OpenWrt

Hello all. Coming from stock Netgear R7800 firmware, I have the option to block ports to certain IP addresses on my network; for instance, I have ports 444 upwards blocked to 192.168.1.16.

I've now got OpenWrt running but can't seem to find the same option in the LuCI menus anywhere. Is it hidden away, or does anyone know a custom iptables rule to do the same job?

Thanks

Using Luci

Go to
Network->Firewall
Select Tab
Traffic Rules
Add and edit
New forward rule

You can specify a port or a port range, e.g. 444-65535.


The OpenWrt firewall by default is closed from WAN to LAN. So unless you open something, everything is closed.
You need to make a port forwarding to open a port from the public IP/port to a private IP/port inside your LAN, or to allow with a rule for IPv6.

The ports must allow some traffic, as the game application I'm trying to stop worked as soon as I logged the phone into the wireless network.

My youngest daughter loves Minecraft and plays it for hours, but she goes onto online multiplayer servers and the people on there are nasty and just pick on her. So on the Netgear router I blocked ports 444 upwards on her phone's IP address, so the game played fine, just multiplayer didn't. However, on my fresh OpenWrt install it all worked as soon as I logged it into Wi-Fi. I couldn't figure out how to disable the ports, so for now she's just not allowed on the game.

Rejecting all ports above 444 from a client will basically deny all outgoing connections, breaking all internet activity, as client ports start from 1024 to 65535.
If you want to block just minecraft you'd better block access to the server or even better blackhole the minecraft servers.

Even better play with your daughter and teach her how to deal with such situations. One day she will be old enough to have her own connection, but the problem will remain.

That's strange, as her internet works, and so do YouTube Kids and all other apps. It's only stopping the Minecraft servers??

Then it must be only for incoming connections, otherwise it would not let any connection going out, therefore her internet wouldn't work. Minecraft uses TCP+UDP/25565 so you know what to block.

That's excellent, I just need to figure out the traffic rules settings now then...

She's only 5, but these servers are run by idiots that build boxes of unbreakable cubes, then with admin capabilities teleport her into them so she's stuck until she quits the game. It's easier to just block them my end and tell her they don't work today.

I've been reading and I think these SSH commands might help, but I need to make it specific to only her static LAN IP.

Could I add the line

option src_ip 192.168.1.16

Or

option src_mac AB:CD:EF:GH:IJ:KL

(But using her phone's MAC address??)

I can't seem to do it via LuCI. I keep looking, and breaking the internet in the process, then resetting and trying again.

WAN->LAN is blocked by default, so if you don't have any port forward, it is already fine.
LAN->WAN is allowed by default, so you need to add a traffic rule to DROP traffic from zone LAN, src 192.168.1.16 (if the IP is static) or the MAC of her phone, to zone WAN, dst port 25565, for TCP and UDP.

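As an added example, not posted by anyone in the thread, here is the LAN->WAN traffic rule from the last reply written out as the /etc/config/firewall stanza and as the equivalent uci commands, so it can be pasted over SSH instead of clicked through LuCI. The same generator also covers the earlier suggestion of a port range such as 444-65535 (pass the range as the last argument), and a small helper checks which ports a range would catch before you commit it. The rule name "block_minecraft" and the MAC used in the test are placeholders of mine; the IP 192.168.1.16 and port 25565 come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an OpenWrt traffic rule
# (zone lan -> zone wan, target DROP) keyed on a client's static IP or
# its MAC, as an /etc/config/firewall stanza or as uci commands.
# The rule name passed in is a placeholder; choose your own.

# emit_src_option ip|mac  ->  prints src_ip or src_mac, fails otherwise
emit_src_option() {
    case "$1" in
        ip)  echo src_ip ;;
        mac) echo src_mac ;;
        *)   echo "match kind must be ip or mac, got '$1'" >&2; return 1 ;;
    esac
}

# fw_stanza NAME ip|mac VALUE PROTO DEST_PORT
#   PROTO is the space-separated list OpenWrt accepts, e.g. 'tcp udp'.
#   DEST_PORT is a single port (25565) or a range (444-65535).
fw_stanza() {
    _opt=$(emit_src_option "$2") || return 1
    printf "config rule\n"
    printf "\toption name '%s'\n" "$1"
    printf "\toption src 'lan'\n"
    printf "\toption %s '%s'\n" "$_opt" "$3"
    printf "\toption dest 'wan'\n"
    printf "\toption proto '%s'\n" "$4"
    printf "\toption dest_port '%s'\n" "$5"
    printf "\toption target 'DROP'\n"
}

# uci_cmds NAME ip|mac VALUE PROTO DEST_PORT
#   Same rule as uci commands; follow with
#   `uci commit firewall && /etc/init.d/firewall restart` on the router.
uci_cmds() {
    _opt=$(emit_src_option "$2") || return 1
    printf "uci add firewall rule\n"
    printf "uci set firewall.@rule[-1].name='%s'\n" "$1"
    printf "uci set firewall.@rule[-1].src='lan'\n"
    printf "uci set firewall.@rule[-1].%s='%s'\n" "$_opt" "$3"
    printf "uci set firewall.@rule[-1].dest='wan'\n"
    printf "uci set firewall.@rule[-1].proto='%s'\n" "$4"
    printf "uci set firewall.@rule[-1].dest_port='%s'\n" "$5"
    printf "uci set firewall.@rule[-1].target='DROP'\n"
}

# port_in_range PORT RANGE
#   Returns 0 when PORT lies inside RANGE ('444-65535' or a single port).
#   Use it to see what a broad dest_port range would catch: 25565 is
#   inside 444-65535 (which is why the old Netgear rule worked), while
#   53, 80 and 443 are not.
port_in_range() {
    case "$2" in
        *-*) _lo=${2%-*}; _hi=${2#*-} ;;
        *)   _lo=$2; _hi=$2 ;;
    esac
    [ "$1" -ge "$_lo" ] && [ "$1" -le "$_hi" ]
}

# Worked case from the thread: TCP+UDP/25565 from 192.168.1.16 to WAN.
fw_stanza block_minecraft ip 192.168.1.16 'tcp udp' 25565
echo
uci_cmds block_minecraft ip 192.168.1.16 'tcp udp' 25565
```

Matching on src_mac is the more robust choice for a phone, since a DHCP lease can change while the MAC stays fixed (unless the phone randomises its MAC per network, in which case pin a static lease first). The rule only affects the LAN->WAN direction, so it does not open anything from the WAN side; the other valid targets for a traffic rule are REJECT and ACCEPT.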