Help ipset whitelist mode

How do I whitelist in ipset? Instead of blocking CIDR ranges, it whitelists them?

I am using a Netgear Nighthawk X10 R9000 and the version of my OpenWrt is 6.6.47.

Please explain what you want to achieve or which problem you are trying to solve.

Same way as blocking, instead of dropping the traffic you permit it, but the default lan->wan rule should reject or drop, not accept.

Hello, if I do that I would lose access to my gateway. I'm such a noob, could you please help me?

An ipset does not block or allow traffic, it just groups a set of addresses. You can create a firewall rule that blocks all the addresses in the ipset, or you can create a rule that blocks everything except the addresses in the ipset.

Would you be able to guide me? I'm so sorry.

Unless it's in your allowed ipset...

Yes, my ipsets do contain a lot of ISP IPs, so I would also allow it, right?
192.168.1.0/24, I mean I will add this IP.

I really don't want to mess this up again and go into failsafe mode, as I am losing access to the gateway and resetting everything back.

This is what I need to achieve!!

If you don't know how to do it yourself, install the banip package.

Can I ask, is this doable in the LuCI interface?

I prefer to do this in the LuCI interface; I would like to ask if this is possible?

Banip has a LuCI interface.

There is no interface for banip, it wouldn't install now.

I'm sorry, I'm a newbie with this and I need help.

  1. I need to put my firewall into whitelist mode.
  2. I have already uploaded the ipsets which contain the IP addresses to be accepted from incoming WAN connections, and I want to drop the connections that are not inside the ipsets.
  3. If I create 2 traffic rules, one to block all connections and another to allow all connections in the ipset, the block-all rule still overrides everything, which makes the second traffic rule useless.

If it's possible I would only like to use the LuCI interface; my version is (24.243.35685~648a099).

Please help me, I've been struggling to do this since I came from a traditional router, a GPON ONU that has simple firewall configurations.

You mean the router itself should accept connections from specific IPs, right?

Make sure the default input policy for the wan zone is set to reject or drop.

Set the Packet Field Match for the ipset to src_net.


Create a traffic rule like this.

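The setup described in this answer, written out as the /etc/config/firewall fragment that the LuCI pages (Network > Firewall > IP Sets and Traffic Rules) end up producing. This is an added example, not from the thread; the set name, the list file path and the ports 80/443 are assumptions, and it assumes the web server runs on the router itself (wan input), not on a machine behind it.

```uci
# Added example (not from the thread). Assumed names: set 'wan_whitelist',
# list file /etc/firewall.whitelist.txt, web server on the router on 80/443.

# Default policy for the wan zone: anything arriving from the WAN that no
# rule below accepts is rejected (use 'DROP' if you prefer silence).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# The set only groups addresses; loadfile reads one IP or CIDR per line.
# 'src_net' is the "Packet Field Match" mentioned in the answer above.
config ipset
	option name 'wan_whitelist'
	option family 'ipv4'
	list match 'src_net'
	option loadfile '/etc/firewall.whitelist.txt'

# The single traffic rule needed: accept input from wan when the source is
# in the set. No separate "block all" rule: the zone policy already handles
# everything else, and fw4 evaluates rules in order, so a block-all rule
# placed before this one would make it unreachable.
config rule
	option name 'Allow-web-from-whitelist'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80 443'
	option ipset 'wan_whitelist'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, `nft list set inet fw4 wan_whitelist` should show the loaded addresses; an empty set means the file did not load and the rule matches nothing.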

Thank you for your answer, but the open port checker still sees the webserver as visible. The IP addresses that are in the whitelist.txt are only the Philippines ISPs, Cloudflare and Google,

check here