FW4 and IPSET for grouping ip addresses

kuumaur · February 15, 2025, 9:53pm

Hi,
I try to use ipset in version 23.05.05 on Archer C7 V5 ath79.
Trying to group some often used ip addresses.
Cant get it to work, it just is ignored.
After some reading, it is still unclear to me if that version is able to use the ipset feature from fw4.
Am I miss understanding the function of ipsets? I thought I could use it for grouping for example ip addresses.
Kr kuu

brada4 · February 15, 2025, 10:50pm

Show one segment from /etc/config/firewall with the set you define. Obviously corrupt any IP numbers to no recognition there.

lleachii · February 16, 2025, 6:53am

Can you show the config (redacting real IPs as noted)?

After you create the "group" (i.e., the IP set), what firewall rule do you create?

It's able, not sure why you think that.

kuumaur · February 16, 2025, 11:30am

Here is an example of my config:

config rule
        option name 'ZTN_VPN_PING'
        option family 'ipv4'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        option src 'ztn'
        option dest 'vpn'
        option target 'ACCEPT'
        list proto 'icmp'
        list dest_ip '192.168.196.114'
        list dest_ip '192.168.200.102'
        list dest_ip '192.168.196.106'
        list dest_ip '192.168.193.2'
        option ipset 'vpn_clients'


config ipset
        option name 'vpn_clients'
        option family 'ipv4'
        list match 'ip'
        list entry '192.168.189.240'
        list entry '192.168.189.242'
        list entry '192.168.189.243'
        list entry '192.168.189.246'
        list entry '192.168.189.247'
        list entry '192.168.189.244'

I noticed that if I reboot the router, the ipset is working until I do some changes to the ruleset.

lleachii · February 16, 2025, 1:24pm

How are you changing the ruleset?

kuumaur · February 16, 2025, 1:35pm

I do it with luci.
Just upgraded to 24.10.0.
Same behavior.
Instead of rebooting the whole router, restarting firewall service is enough to make ipsets work again.

lleachii · February 16, 2025, 2:41pm

Since you're required to restart/reload after making any firewall change - I'm not sure if this is the issue you're describing, or something else.

What you described is normal behavior. Feel free to provide more details if further help is needed.

kuumaur · February 16, 2025, 2:53pm

Ok, if the service restart after every firewall change is a normal behavior than that is the solution. I didnt know that. I thought that is part of the "save & apply" button as it had worked for since a long time.

lleachii · February 16, 2025, 2:56pm

Wait, you're saying you hit:

Save and Apply
Hit Restart...where?

or just

Save and apply?

Do you stop/restart your ping tests after Saving and Applying?

kuumaur · February 16, 2025, 3:11pm

Well, I use the Luci Web Interface and using the save-and-apply button.
Yes, I stopped and startet my ping test everytime.
I restartet the firewall service in Luci system/startup.

lleachii · February 16, 2025, 3:15pm

Try:

option match 'ip'

kuumaur · February 16, 2025, 3:26pm

Sorry, I do not understand what you mean. I am currently using the option match 'ip' already. Tried option match 'src-ip' too.

lleachii · February 16, 2025, 4:12pm

Apologies, I understood your post to say "list". I was ensuring it was "option"

kuumaur · February 18, 2025, 6:37am

I am a little bit confused by you last answer. What exactly should I do?