Firewall rule and ipset using CIDR don't work together

Following on from my thread here, I have now managed to get automatic IP generation working.

That created the IP Sets which I can use in Network > Firewall. However, I notice that unless the IP is definite in itself, it will not work. In other words, if the IP is in CIDR format, it will not be picked up by the firewall to process.

I've tested this with a couple of IPs to be sure.

For example, 142.250.187.238 which is a YouTube/Google IP.
If I state this IP like this inside the file included in the IP Set, and block it with the Firewall, then I won't be able to ping it. I tested with another website's IP, and I cannot go on it. Wireshark shows as well that these IPs cannot be reached.

However, if I delete 142.250.187.238 from the file, and list it as 142.250.0.0/16, I can still ping this address, and when I go on YouTube, this IP will show in Wireshark as communicating OK with my machine.

I've tested with my company's website IP, let's say 10.100.10.5. If this is included as such in the file, it will be blocked and I can't access the site, but if I change this to 10.100.5.0/24, I can access the site again.

I can see a lot of professionals here are using the OpenWrt firmware for their router. Surely they use IP sets to manage their network. I find it surprising that no one has raised this issue, unless it's a me problem?

@vgaetera You helped me last time in my thread. I followed the link to your guide to get ipset setup working. Could you help test my theory this time? I am on OpenWrt SNAPSHOT r23411-68ef2d1856 / LuCI Master git-23.158.78004-23a246e with a Netgear WNDR3700v1

Please post your current firewall config and dhcp config (if using dnsmasq ipset feature).

If you want to use both IP and CIDR in the set, use net instead of ip in the match field.

Hi Dave, thanks for taking a look. The ipset was using match as "net" when they were set up, but that didn't work.

My Firewall here. I've removed some standard rules to keep this clean.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'test block a few'
	option dest 'wan'
	option target 'REJECT'
	option src 'lan'
	option ipset 'example123'
	list proto 'all'

config rule
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'Allow'
	list proto 'all'
	list src_ip '192.168.1.100'
	list src_ip '192.168.1.248'

config rule
	option name 'Block-time'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option start_time '23:00:00'
	option stop_time '07:00:00'

config ipset
	option name 'example123'
	option family 'ipv4'
	option loadfile '/var/ipset-example'
	option match 'net'

and my dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'MLAKN'
	option dns '1'
	option mac '74:D0:2B:C9:91:F1'
	option ip '192.168.1.100'

config ipset
	list name 'youtube'
	list name 'youtube6'
	list domain 'youtube.com'
	list asn 'AS1026'
	list asn 'AS11344'
	list asn 'AS36040'
	list asn 'AS36561'
	list asn 'AS43515'

config ipset
	list name 'example'
	list domain 'example.com'
	list domain 'example.net'
	list domain 'bbc.co.uk'

Try option ipset 'example123 dest'


Thanks Dave, that seems to do it.
I've tried creating another set of rules with just IPv6 for bbc.co.uk,
also set option ipset 'example6 dest', and can't get on the BBC now.

Could you explain why putting dest in would get this done, even though I can't see this documented in the few guides I've read, and it would not normally be put in there by default? Thank you.

By default, fw4 seems to assume an ipset is associated with source addresses instead of destination. For LAN to WAN traffic, external IPs would be the destination.

There are some descriptions on the wiki. You can put the direction in the firewall ipset definition or the rule definition (in case you want to use the set in multiple directions in different rules).
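As an added example (not from the thread or the OpenWrt project), a small POSIX shell/awk check over a constructed, trimmed copy of the firewall config posted above: it lists every lan-to-wan rule that references a set with no direction on either the rule's ipset option or the set's match option, which is the case fw4 treats as a source-address match. It assumes the fw4 `dest_net` spelling for a direction given in the set definition.

```shell
# Constructed sample: three rules sharing two sets. Only the first rule
# leaves the direction unspecified in both places.
SAMPLE_FIREWALL=$(cat <<'EOF'
config rule
    option name 'test block a few'
    option src 'lan'
    option dest 'wan'
    option ipset 'example123'

config rule
    option name 'fixed block'
    option src 'lan'
    option dest 'wan'
    option ipset 'example123 dest'

config rule
    option name 'set carries direction'
    option src 'lan'
    option dest 'wan'
    option ipset 'example6'

config ipset
    option name 'example123'
    option match 'net'

config ipset
    option name 'example6'
    option match 'dest_net'
EOF
)

# Print the name of each lan->wan rule whose set is matched without a direction.
find_undirected_dest_sets() {
  printf '%s\n' "$1" | awk -F"'" '
    /^config / { split($0, w, " "); sect = w[2]; if (sect == "rule") n++ }
    $1 ~ /option name/    { if (sect == "rule") rname[n] = $2; else if (sect == "ipset") sname = $2 }
    $1 ~ /option src *$/  { if (sect == "rule") rsrc[n] = $2 }
    $1 ~ /option dest *$/ { if (sect == "rule") rdst[n] = $2 }
    $1 ~ /option ipset/   { if (sect == "rule") rset[n] = $2 }
    $1 ~ /option match/   { if (sect == "ipset") smatch[sname] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        if (rsrc[i] != "lan" || rdst[i] != "wan" || rset[i] == "") continue
        split(rset[i], d, " ")                               # "setname [src|dest]"
        if (d[2] != "") continue                             # direction given on the rule
        if (smatch[d[1]] ~ /^(src|dest|dst)_/) continue      # direction given on the set
        print rname[i]
      }
    }'
}
```

Run it against the real file with `find_undirected_dest_sets "$(cat /etc/config/firewall)"`; any rule it names will match LAN hosts' own addresses against the set rather than the external destinations.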


Thanks for this. I will make sure to read it again more carefully. At first, I wasn't so confident with the command line and relied heavily on the GUI. Now that I have acquainted myself with using the terminal and WinSCP to edit the file directly, I think it will make more sense when I read it again.


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!