Hi Everyone,
As the title says, below is my firewall UCI config. Can someone help me with how to add IP ranges to an except rule in the UCI firewall config?
My default WAN firewall rule is to reject any connection. I need to add 10.1.0.0/16, 192.168.4.0/24 and 172.21.0.0/16 so these IPs are allowed to connect to my AP router.
Many thanks!
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config dmz
	option name 'Allow-DMZ'
	option enable '0'
	option ip ' '
(Just a side note:
Unless you really know what you are doing, opening private ranges on the WAN, of basically any size but especially as big as /16, is usually not the best idea, for at least two reasons.
Security: not sure what you want to achieve, but if you need to access internal hosts (i.e. hosts on your LAN) remotely (i.e. via the internet) you should use some kind of VPN instead of exposing your whole internal network.
Private ranges are not routable over the internet (= WAN), so it won't work.)
In your case you need a rule to allow traffic from these networks either to the device itself or forwarded to the LAN, depending on what you want to achieve. Negation is not needed here.
Where you might need it is in excluding these networks from the masquerading of the WAN zone.
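As an added example (not from any post in this thread), here is a small shell script that prints the uci commands implementing both points above for the three ranges in the question: one rule for traffic to the router itself, one for traffic forwarded into the LAN, and a masquerade exclusion on the wan zone. It assumes the zone order of the posted config (lan is section 0, wan is section 1); the rule names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Pipe the output into "sh" on the
# router (gen_firewall_cmds | sh), then run "/etc/init.d/firewall restart".
# firewall.@zone[1] is the wan zone in the posted config (lan is zone 0).

# Networks from the question (adjust to your own ranges).
ALLOWED_NETS="10.1.0.0/16 192.168.4.0/24 172.21.0.0/16"

# Emit one rule section. With no 'dest' the rule guards the router itself
# (the zone's input chain); with dest='lan' it guards forwarding into the
# LAN. Rules are evaluated before the zone's default input/forward policy,
# so the section does not need to sit in front of any particular stanza.
# $1 = rule name, $2 = destination zone or "" for input, $3 = CIDR list
emit_rule() {
    echo "uci add firewall rule"
    echo "uci set firewall.@rule[-1].name='$1'"
    echo "uci set firewall.@rule[-1].src='wan'"
    if [ -n "$2" ]; then
        echo "uci set firewall.@rule[-1].dest='$2'"
    fi
    echo "uci set firewall.@rule[-1].proto='all'"
    echo "uci set firewall.@rule[-1].family='ipv4'"
    for net in $3; do
        echo "uci add_list firewall.@rule[-1].src_ip='$net'"
    done
    echo "uci set firewall.@rule[-1].target='ACCEPT'"
}

# Keep traffic towards those networks out of the wan zone's masquerading
# (the negation case from the reply): a '!' prefix negates a masq_dest entry.
emit_masq_exclusion() {
    for net in $1; do
        echo "uci add_list firewall.@zone[1].masq_dest='!$net'"
    done
}

# Full command list: input rule, forward rule, masquerade exclusion, commit.
gen_firewall_cmds() {
    emit_rule "Allow-Private-Ranges-Input" "" "$ALLOWED_NETS"
    emit_rule "Allow-Private-Ranges-Forward" "lan" "$ALLOWED_NETS"
    emit_masq_exclusion "$ALLOWED_NETS"
    echo "uci commit firewall"
}

gen_firewall_cmds
```

Drop the forward rule if the ranges should only reach the router, and the masq_dest lines if you do not need the LAN hosts' real addresses visible to those networks.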
Yes, I already succeeded in adding the rule to the firewall UCI config. I use a whitelist method for my firewall rules, meaning that by default access from LAN or WAN drops the IP packets. Add the whitelisted IPs before the drop firewall rule.