Ver - OpenWrt 24.10.4, r28959-29397011cc
I’ve put a simple firewall rule in via Luci to block access to 8.8.8.8 but can still ping 8.8.8.8 from a device on the local WLAN.
Here’s a snip of the rule in /etc/config/firewall
config rule
option src 'lan'
option dest 'wan'
option name 'Google '
list dest_ip '8.8.8.8'
option target 'REJECT'
option family 'ipv4'
I’m assuming that since this rule is at the end of the list it will take precedence over any rules above.
I’m also assuming that ping to 8.8.8.8 should not work from any device on the LAN/WLAN?
Any pointers?
Thanks
egc
January 24, 2026, 10:29am
3
Move the rule up and use for protocols: any
No luck with the above suggestions unfortunately.
Tried ‘protocols any’ first, then moved the rule to the top.
Made no difference, pings to 8.8.8.8 still getting through.
brada4
January 24, 2026, 12:19pm
6
cancunia:
Made no difference
Did you wait 2 minutes for conntrack to expire?
1 Like
alaudet
January 24, 2026, 12:26pm
7
EDIT: Don’t do this. As explained lower down.
I think a better way to block access to Google DNS servers is with static routes to 0.0.0.0. Nothing on your network will use these DNS servers with these two entries in /etc/config/network. In LuCI add them in Network–>Routing–>Static IPv4 Routes
config route
option interface 'wan'
option target '8.8.8.8/32'
option gateway '0.0.0.0'
option table 'main'
config route
option interface 'wan'
option target '8.8.4.4/32'
option gateway '0.0.0.0'
option table 'main'
brada4
January 24, 2026, 1:08pm
8
loopback interface is always up....
config route
option interface 'loopback'
option type 'blackhole'
option target '8.8.8.8/32'
option metric '8888'
egc
January 24, 2026, 2:17pm
9
This rule is of course from lan to wan, so it stops your lan clients from connecting to 8.8.8.8.
The router itself is not affected by this rule
I have tested it and it is working
Edit both rules, one for stop forwarding (lan clients) and one to stop output for the router
config rule
option src '*'
option dest 'wan'
option name 'stop-8888-forw'
list dest_ip '8.8.8.8'
option target 'REJECT'
list proto 'all'
config rule
option dest 'wan'
option name 'stop-8888-outp'
list dest_ip '8.8.8.8'
option target 'REJECT'
list proto 'all'
2 Likes
_bernd
January 24, 2026, 6:06pm
10
@alaudet please don't.
@brada4 but that's a uci thing. With plain ip route a blackhole route does not need an interface.
alaudet
January 24, 2026, 6:56pm
11
Thanks @_bernd. I honestly thought it was fine but, reading up a little more on this, I realize it isn’t.
cheers
brada4
January 24, 2026, 7:03pm
12
That is not only route interface, that is hotplug interface also.
hnyman
January 24, 2026, 7:07pm
13
The rule may not be applied, as it has a syntax error:
space at the end of 'Google '.
The space at the end might cause uci to choke. Not quite sure about that, but I think that space is not allowed there. (and also not sure if that is from your actual config or just a typo in the message here.)
Edit:
My guess may be wrong, as the wiki contains firewall examples that have spaces in name field.
1 Like
Could not see anything that needed to be changed so pasted both rules into /etc/config/firewall
Unfortunately, this does not work for me as I can still ping 8.8.8.8
config rule
option src '*'
option dest 'wan'
option name 'stop-8888-forw'
list dest_ip '8.8.8.8'
option target 'REJECT'
list proto 'all'
config rule
option dest 'wan'
option name 'stop-8888-outp'
list dest_ip '8.8.8.8'
option target 'REJECT'
list proto 'all'
Thanks for the ideas on changing the routing tables but would like to get to the bottom of why these (and maybe other) firewall rules don’t work.
Please post the output of:
uci export firewall
nft list chain inet fw4 forward
nft list ruleset | grep -B1 " hook "
Just want to see how the forward rules look.
uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network '4G'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option src '*'
option dest 'wan'
option name 'stop-8888-forw'
list dest_ip '8.8.8.8'
option target 'REJECT'
list proto 'all'
config rule
option dest 'wan'
option name 'stop-8888-outp'
list dest_ip '8.8.8.8'
option target 'REJECT'
list proto 'all'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
nft list chain inet fw4 forward
table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ip daddr 8.8.8.8 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: stop-8888-forw"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "wwan0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
}
nft list ruleset | grep -B1 " hook "
chain input {
type filter hook input priority filter; policy drop;
--
chain forward {
type filter hook forward priority filter; policy drop;
--
chain output {
type filter hook output priority filter; policy accept;
--
chain prerouting {
type filter hook prerouting priority filter; policy accept;
--
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
--
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
--
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
--
chain raw_output {
type filter hook output priority raw; policy accept;
--
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
--
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
--
chain mangle_input {
type filter hook input priority mangle; policy accept;
--
chain mangle_output {
type route hook output priority mangle; policy accept;
--
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
Run this on the router then try your test again.
echo 8.8.8.8 > /proc/net/nf_conntrack
Once your test is done, run the forward chain again:
nft list chain inet fw4 forward
Ideally the counter on the 8.8.8.8 rule increases. If not, does the client being tested from have any special connectivity (e.g. vpn)?
2 Likes
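The counter check described above can be automated: snapshot the forward chain before and after the ping test and see whether the stop-8888-forw counter moved. This is an added example, not code from the thread or from fw4; the two listings are constructed from the outputs posted above, and the `diagnose` wording is an assumption based on the advice given here.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the forward chain as posted in the thread, before the test.
BEFORE = """table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ip daddr 8.8.8.8 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: stop-8888-forw"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "wwan0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
}
"""
# Constructed sample: the same chain after one ping (one 60-byte echo request hit the rule).
AFTER = BEFORE.replace("packets 0 bytes 0", "packets 1 bytes 60")

# A counted fw4 rule line ends with a comment carrying the UCI rule name.
RULE_RE = re.compile(r'counter packets (\d+) bytes (\d+).*?comment "!fw4: ([^"]+)"')


def parse_counters(listing: str) -> Dict[str, Tuple[int, int]]:
    """Map each counted rule's fw4 comment to its (packets, bytes) pair."""
    counters: Dict[str, Tuple[int, int]] = {}
    for line in listing.splitlines():
        m = RULE_RE.search(line)
        if m:
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters


def rule_hit(before: str, after: str, name: str) -> bool:
    """True when the named rule's packet counter grew between the two snapshots."""
    b = parse_counters(before).get(name, (0, 0))
    a = parse_counters(after).get(name, (0, 0))
    return a[0] > b[0]


def diagnose(hit: bool, ping_succeeded: bool) -> str:
    """Turn the counter/ping observation into the next thing to check (assumed wording)."""
    if hit and not ping_succeeded:
        return "rule matched and blocked the traffic"
    if hit and ping_succeeded:
        return "rule matched but did not block: inspect reject_to_wan, handle_reject and routing"
    if not hit and ping_succeeded:
        return "traffic never reached the rule: an earlier conntrack accept or a different path"
    return "blocked elsewhere: the rule was not the cause"
```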
Sorry, not sure what you mean by “Ideally the counter on the 8.8.8.8 rule increases”
nft list chain inet fw4 forward
table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ip daddr 8.8.8.8 counter packets 1 bytes 60 jump reject_to_wan comment "!fw4: stop-8888-forw"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "wwan0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
}
The client being tested uses DHCP from the router, but has custom settings for the DNS (1.1.1.1, 1.0.0.1) as I use Pi-Hole for DNS for other clients. No VPN.
Earlier the counter above was 0 packets. Now it’s 1. Did your Ping test fail?
Ah, I understand!
Ping test is still working, but counter has incremented by another 1.
table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ip daddr 8.8.8.8 counter packets 2 bytes 120 jump reject_to_wan comment "!fw4: stop-8888-forw"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "wwan0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
}
Hmm. Please post (redact your wan IP):
nft list chain inet fw4 reject_to_wan
nft list chain inet fw4 handle_reject
ip route
ip rule
Feels like your traffic to Google isn’t going out the wan interface.