Firewall config: redirect wan traffic from limited set of IPs

OpenWrt 18.06.1
I am using this firewall rule to redirect traffic from one specific IP address to a computer in my LAN:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_ip ''
        option src_dport '1234'
        option dest_ip ''
        option dest_port '1234'
        option name 'Redirect to server'

If I skipped the option src_ip row, then it would accept traffic from any IP address. So I have a choice between one or all IP addresses. However, how can I configure this rule to accept traffic from a set of IP addresses? Of course, I am looking for a solution that does not require implementing a separate rule for each address.

  • Reference them in an ipset

You can then:

  • Define that IP set in the config file
  • You can then simply make firewall rules against the ipset, or use:

option extra '-m set --match-set foo src'

Is there a specific config file where ipsets are to be defined? Or is it just a script containing a bunch of ipset commands, registered to run at startup? Also, it seems kind of excessive to restart the router just to add one address to the set. Optimally, the set should be reloaded when I do /etc/init.d/firewall restart

I just provided the Wiki link above. You make an ipset and add it to the firewall configs:

I also provided an example of the extra argument in the firewall rule:

I'm not sure what you're asking, since neither the Wiki nor my instructions mention creating scripts. If you're referring to creating the ipset, obviously, it has to be populated in some manner. You can choose to add your set commands to /etc/rc.local, and then you make firewall rules as noted above. If you're getting these IPs from some software, then obviously you'll need a script.

I never stated that you had to reboot.

It is, if you add the firewall rule in the normal location, as I noted (using option extra).
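One way to keep such a set current without a reboot or a firewall restart, as an added example (not the forum's or OpenWrt's own code): a helper that turns an allowlist file into an `ipset restore` script and swaps the rebuilt set in atomically. The set name allowed_src, the file path and the addresses are placeholders.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): convert a one-entry-per-line
# allowlist into an `ipset restore` script. The live set is never edited in
# place: a scratch set is filled, then swapped in atomically, so the firewall
# keeps matching the old set until the new one is complete. The set is the one
# referenced by: option extra '-m set --match-set allowed_src src'
SET_NAME="${SET_NAME:-allowed_src}"   # placeholder name used in --match-set

# Strict IPv4 address/CIDR check. Anything else is rejected so a bad line in
# the allowlist can never turn into an arbitrary ipset command.
is_ipv4_net() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 = allowlist file ('#' comments and blank lines allowed). Prints the
# restore script on stdout; invalid entries are reported on stderr and skipped.
gen_ipset_restore() {
    printf 'create %s hash:net\n' "$SET_NAME"
    printf 'create %s_tmp hash:net\n' "$SET_NAME"
    printf 'flush %s_tmp\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -z "$entry" ] && continue
        if is_ipv4_net "$entry"; then
            printf 'add %s_tmp %s\n' "$SET_NAME" "$entry"
        else
            printf 'skipping invalid allowlist entry: %s\n' "$entry" >&2
        fi
    done < "$1"
    printf 'swap %s_tmp %s\n' "$SET_NAME" "$SET_NAME"
    printf 'destroy %s_tmp\n' "$SET_NAME"
}

# Example run (placeholder path); -exist makes the create lines harmless when
# the set already exists:
#   gen_ipset_restore /etc/firewall.allowlist | ipset -exist restore
```

Calling the script from /etc/firewall.user, which fw3 runs on every firewall restart, rebuilds the set whenever you do /etc/init.d/firewall restart, and the same --match-set rule then applies to the redirect.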

My fresh install of 18.06.1 does not have the ipset command. Why is it not included in the core and must be installed as an extra? Perhaps this version of OpenWrt encourages some other way of managing ip sets?



#######################BOGON FILTER ########################
ipset create bogons hash:net

ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons
ipset -A bogons


config rule
	option name 'Drop-Bogons_In_WAN'
	option family 'ipv4'
	option proto 'all'
	option src 'wan'
	option extra '-m set --match-set bogons src'
	option target 'DROP'

You just add it, not that serious. There is no handling of ipsets by default (since ipset is not installed by default). As you noted, without ipset, you would otherwise add a rule for each IP, one-by-one. BTW, the information about needing to install ipset is located in the Wiki.

To install ipset from CLI:

opkg update
opkg install ipset

Thanks man, it works.
