Firewall - Port Forwards - multiple ip addresses from WAN->LAN with LuCi?

Hi,

is there a way to use the "Firewall - Port Forwards" menu under LuCI to choose multiple IP addresses/MAC addresses (or even a whole IP range) for forwarding traffic from WAN to a specific IP address/port in the LAN?
I don't want to make the same port rules for every IP address...

BTW - I use a FriendlyELEC NanoPi R2S between a LAN and a printer which should only be used by specific computers in the network, and unfortunately HP access lists/whitelisting/ACLs are no longer available in their JetDirect cards...

thanks!

You can specify a range very easily... (5000-6000 in this example)

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'test'
	option src 'wan'
	option src_dport '5000-6000'
	option dest_ip '10.0.1.5'
	option dest_port '5000-6000'

But I don't think this is what you want if this is related to the printer.... can you be more specific about your goal?

I want to do a whitelist of computers in the network which should be able to use the printer. According to the HP software (HP Click) it uses these ports: 8080, 8085, 8086, 9100, 9102 TCP and 161 UDP.

The easiest way for me and for other users in the future would be a way to choose multiple IP addresses per port forward under LuCI under "Firewall - Port Forwards"...

Are the computers and the printer on the same subnet?

Yes - they're in a company's network behind a firewall... in the same non-private subnet...

You wouldn't need to do port forwarding here -- you'd simply be looking at a firewall rule with a block list and/or allow list of IP addresses...
but...
Since they are in the same subnet, you cannot (easily) filter them using your router.... the traffic will never hit the firewall since it is happening at L2 (switching), so you won't achieve the goal with this method.

If you put the printer on a different subnet, you can filter it fairly easily. Alternatively, you could see if a bridge firewall might work (assuming you can insert this device directly between the printer and its network connection), or you could ditch the JetDirect server and use an OpenWrt based print server, and then you can probably use an access control list.

Maybe I gave a wrong impression - the printer is behind an OpenWrt router... the printer communicates in a 192.xxx network and the OpenWrt router now has the printer's external MAC/IP address....

Ok... so the printer itself is behind the OpenWrt router with NAT masquerading enabled?

In that case, yes, you can create port forward rules for this. You can create a range, but I think it either needs to be a subnet or a contiguous range. I don't think you can create a single rule with the allow-listed IPs... you'll have to create multiple rules.

That was my impression too, that I have to forward all these ports extra for every enabled IP address...

Yeah.

You could try something that looks like this... not sure if it'll work, though, since it isn't technically a DNAT rule.

config rule
	option name 'test'
	option src 'wan'
	list src_ip '10.0.1.1'
	list src_ip '10.0.1.12'
	list src_ip '10.0.1.161'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.1.5'
	option dest_port '8080 8085 8086 9100 9102'

If it's sufficiently easy to create a deny-list, you could create a list of IPs that should get dropped/rejected; the rest would then be able to continue to the port forward rule.

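The thread concludes that one DNAT port forward per allowed source address and port is needed. The script below is an added example (not from any poster or from OpenWrt itself) that generates those `uci` commands for an allow list; the addresses, printer IP and the HP Click ports are constructed example values taken from the thread, and the redirect option names (`src_ip`, `src_dport`, `dest_ip`, `dest_port`, `proto`, `target`) are the standard OpenWrt firewall redirect options.

```shell
#!/bin/sh
# Constructed example values: allowed workstation addresses on the WAN
# side of the router, the printer's LAN address, and the HP Click ports.
ALLOWED_SRC="10.0.1.1 10.0.1.12 10.0.1.161"
PRINTER_IP="192.168.1.5"
TCP_PORTS="8080 8085 8086 9100 9102"
UDP_PORTS="161"

# Emit one "uci set" line for an option of the most recently added redirect.
set_opt() {
  printf "uci set firewall.@redirect[-1].%s='%s'\n" "$1" "$2"
}

# Print the uci commands that create one DNAT redirect per allowed source
# address, protocol and port. Nothing is applied here; review the output,
# then pipe it into "sh" on the router. Hosts that are not listed match no
# redirect and fall through to the wan zone's default forward policy.
gen_redirects() {
  for src in $ALLOWED_SRC; do
    for proto in tcp udp; do
      if [ "$proto" = tcp ]; then ports="$TCP_PORTS"; else ports="$UDP_PORTS"; fi
      for port in $ports; do
        printf 'uci add firewall redirect\n'
        set_opt name "printer_${proto}_${port}_$(echo "$src" | tr . _)"
        set_opt src wan
        set_opt src_ip "$src"
        set_opt src_dport "$port"
        set_opt proto "$proto"
        set_opt dest lan
        set_opt dest_ip "$PRINTER_IP"
        set_opt dest_port "$port"
        set_opt target DNAT
      done
    done
  done
  # Persist and reload once at the end rather than after every rule.
  printf 'uci commit firewall\n/etc/init.d/firewall reload\n'
}

# Number of redirects the generator creates: |sources| * (|tcp| + |udp|).
count_redirects() {
  gen_redirects | grep -c '^uci add firewall redirect$'
}

gen_redirects
```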