Firewall rule for router remote access from specific domain name (ip set)

simtcrom · October 14, 2025, 6:01am

What I am trying to achieve is,

I have a remote openwrt router. I want to access luci console without doing a VPN. But restrict access to it from specific ipv6 address only. So I setup a firewall rule as below,

config rule
        option src 'wan'
        option family 'ipv6'
        option dest_port '80'
        option target 'ACCEPT'
        option name 'router_remote_access'
        list proto 'tcp'
        list src_ip '2xx:7xx:xx:xxxx:xxxx:7xxx:fxxx:xxxx'

And it worked.

Above ipv6 address is not static, so I have a domain name with dynamic dns service updating latest ipv6 address to AAAA record.

I am exploring ip set as per https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset to see instead of putting a src ip, add ip set.

I ran

uci set dhcp.filter="ipset"
uci add_list dhcp.filter.name="filter6"
uci add_list dhcp.filter.domain="ipv6.xxx.freeddns.org"
uci commit dhcp

Next when I am trying uci set firewall.filter.name="router_access_ipset" and getting error, uci: Invalid argument

Am I doing it incorrect?

brada4 · October 14, 2025, 6:09am

You need to resove dynamically and add IPs to the set (and to wg)

reinerotto · October 14, 2025, 6:47am

Another approach would be an always running script on router, with an infinite loop and sleep 10, to do ‘nslookup ipv6.xxx.freeddns.org ‘ and update firewall rule, in case of any change.

simtcrom · October 14, 2025, 7:16am

Got it. I ditched ipset and took this approach.

slh · October 15, 2025, 11:59pm

While that might be fine within a tiered local setup (strictly between multiple of your own/ trusted networks, explicitly NOT traversing the internet), you really shouldn't do this over the open internet (regardless of the src_ip restriction). Wireguard is easily set up for a roadwarrior style VPN and will just offer this in a secure way.

psherman · October 16, 2025, 1:34am

I agree with the suggestion to use WireGuard. In addition to providing a secure method to connect to your router (and your network or even appear to be using the internet via your home ISP while away from home), you also do not need to worry about any source IP restrictions. That's because WG is secure and is not 'chatty` so it won't appear in port scans and only responds when it receives valid cryptographic connections.

simtcrom · October 16, 2025, 3:48am

Thank you all for the inputs.
I already have wireguard setup. This was just for time being to test something.
I removed the rule.

simtcrom · October 17, 2025, 4:12am

I have a tailscale network (managed by my own self-hosted Tailscale control server - headscale)
Is adding the remote router to that network generally considered safe?