How to add except firewall rule on uci config?

Hi Everyone,
As in the title, below is my firewall UCI config. Can someone help me with how to add IP ranges as an exception rule in the UCI firewall config?
My default WAN firewall rule is to reject any connection. I need to add these IPs, 10.1.0.0/16, 192.168.4.0/24 and 172.21.0.0/16, to allow them to connect to my AP router.

Many thanks!

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'


config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config dmz
	option name 'Allow-DMZ'
	option enable '0'
	option ip ' '

hi,

The prefix ! is usually used for negation.

(just a side note:
unless you really know what you are doing, opening private ranges, basically of any size but especially as big as /16, on the WAN is usually not the best idea, at least from two aspects.

  1. security: not sure what you want to achieve, but if you need to access internal hosts (i.e. hosts on your LAN) remotely (i.e. via the internet), you should use some kind of VPN instead of exposing your whole internal network,
  2. private ranges are not routable over the internet (= WAN), so it won't work.

search for DMZ and VPN.)


In your case you need a rule to allow traffic from these networks either to the device or to forward to the lan, depends on what you want to achieve. Negation is not needed here.
Where you might need it is in the exclusion of these networks from the masquerade of the wan zone.

I don't know what the customer wants to achieve. I think it is based on security. Thank you for your answer.

Yes, I already successfully added the rule to the firewall UCI config. I use a whitelist method for my firewall rule, meaning default access from LAN or WAN drops IP packets. The whitelisted IPs are added before the drop firewall rule.

Thank you for your kind reply.
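An added example of what the reply above (allow rules for the networks, negation only for the masquerade exclusion) and the whitelist approach the original poster describes look like in /etc/config/firewall. This is not config from the thread; it assumes the zone names 'wan' and 'lan' from the posted config and the three ranges the poster listed. Rules are evaluated in the order they appear in the file, and the zone's own 'option input REJECT' acts as the catch-all after them, so the accept rules go before any explicit drop rule.

```uci
# Added example, not from the original thread.
# Assumes zones 'wan' and 'lan' and the three ranges from the question.

# Allow the listed ranges to reach the router itself from the wan zone.
# Without a 'dest' option this is an input rule (traffic to the device),
# so it is the exception to the wan zone's 'option input REJECT'.
config rule
	option name 'Allow-Mgmt-Nets-Input'
	option src 'wan'
	list src_ip '10.1.0.0/16'
	list src_ip '192.168.4.0/24'
	list src_ip '172.21.0.0/16'
	option proto 'all'
	option family 'ipv4'
	option target 'ACCEPT'

# Same ranges, but forwarded through to hosts on the lan zone.
# Only needed if the remote networks must reach lan hosts, not just the router;
# otherwise leave it out so the lan stays unexposed.
config rule
	option name 'Allow-Mgmt-Nets-Forward'
	option src 'wan'
	option dest 'lan'
	list src_ip '10.1.0.0/16'
	list src_ip '192.168.4.0/24'
	list src_ip '172.21.0.0/16'
	option proto 'all'
	option family 'ipv4'
	option target 'ACCEPT'

# Where the '!' prefix fits: keep masquerading on the wan zone, but exclude
# traffic destined for the private ranges so it leaves with its real lan
# source address (a site-to-site / VPN setup). This replaces the poster's
# existing wan zone section; the other options are kept as posted.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list masq_dest '!10.1.0.0/16'
	list masq_dest '!192.168.4.0/24'
	list masq_dest '!172.21.0.0/16'
	option mtu_fix '1'
	list network 'wan'
```

After editing the file, reload with /etc/init.d/firewall restart. The masq_dest negation is only useful when those ranges are actually reachable through the wan interface (for example over a tunnel); as the reply notes, private ranges are not routable over the public internet, so on a plain internet uplink the two accept rules alone do the job and the negated entries can be omitted.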

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Use step #5. This problem has been resolved.
