Firewall rule to DROP everything from lan to wan besides few dest_ip's?

Hello friends,

I use OpenWrt primarily as my VPN gateway. I use a firewall rule as a kind of kill switch in case my VPN connection on tun0 goes down. But several IPs on the wan still need to be accessible from lan, so my rule looks like this:

config rule
        option family 'ipv4'
        option proto 'all'
        option src 'lan'
        option target 'DROP'
        option name 'Drop-OUT_InvalidDEST'
        option dest_ip '!192.168.178.120'
        option dest 'wan'

The dest_ip on 192.168.178.120 is accessible from lan, which is great. Now I need to add a few more IPs, for example 192.168.178.125 and 192.168.178.143.
How would I go about this?

I tried it this way:

config rule
        option family 'ipv4'
        option proto 'all'
        option src 'lan'
        option target 'DROP'
        option name 'Drop-OUT_InvalidDEST'
        option dest_ip '!192.168.178.120,!192.168.178.125,!192.168.178.143'
        option dest 'wan'

But it didn't work unfortunately. Any ideas?

(INFO: lan subnet: 192.168.1.0/24, wan is connected to another router with the subnet 192.168.178.0/24)


Allow service on local network only - #22 by vgaetera

  • Remove the LAN to WAN firewall forwarding.
  • Add a permissive traffic rule for specific IPs.
  • Use spaces for separators or better list entries.
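The configuration this reply describes, written out as an added example (not taken from the thread or from the OpenWrt documentation): the forwarding to the VPN zone and its zone name 'vpn' are assumptions, the addresses are the ones from the question.

```uci
# /etc/config/firewall (only the parts that matter here)

# Global policy for forwarded traffic. With no lan->wan forwarding
# section below, every lan->wan packet that no rule accepts ends up here.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# 1. The stock "config forwarding" from lan to wan is deleted.
#    Only the forwarding into the VPN zone (assumed name 'vpn', covering
#    tun0) stays, so normal traffic still leaves through the tunnel.
config forwarding
        option src 'lan'
        option dest 'vpn'

# 2. A permissive rule for the wan-side hosts that must stay reachable.
#    Traffic rules are evaluated before zone forwarding, so these hosts are
#    accepted explicitly and everything else falls through to the REJECT
#    policy above; no '!' negation is needed.
config rule
        option name 'Allow-OUT_SelectedDEST'
        option family 'ipv4'
        option proto 'all'
        option src 'lan'
        option dest 'wan'
        list dest_ip '192.168.178.120'
        list dest_ip '192.168.178.125'
        list dest_ip '192.168.178.143'
        option target 'ACCEPT'

# 3. Equivalent single-option form, space separated (not comma separated):
#        option dest_ip '192.168.178.120 192.168.178.125 192.168.178.143'
```

Apply with `/etc/init.d/firewall restart` and confirm from a lan host that the three addresses answer while any other wan-side address does not.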

That works as desired, thanks a lot!

