Info/Help on how to simply setup a single rule to block internet access for a range of reserved IPs

Hi! I'm definitely a novice to open source but I've been able to config as needed and the stock firmware doesn't cut it. :slight_smile: I have been running DD-WRT flavors for a while and decided to try LEDE. I have everything configured (really just DHCP reservations and some forward rules) except one thing which I don't see a simple way to do like I could in DD-WRT. Basically I have DHCP reservations for 16 cameras and I block them from getting to the internet. (I use BlueIris so I can remotely view, etc.)

Question/Help: Can someone point me to any info on setting up a simple traffic block rule for a contiguous range of internally reserved IPs? I think I might see how to do it ... with a rule for each camera. But I'd rather just have a range of IPs blocked -- I don't want these phoning home to their manufacturer or trying to open ports etc. I hoped it was a simple thing to do in the GUI, but I can put in custom/commands as well if it doesn't mean needing one for each camera.

Thank you for any info! I really appreciate it!
Bill

You can specify a network range at "src_ip" in any firewall rule; for example, "192.168.1.128/25" will refer to all hosts with IP address "192.168.1.128" or higher.

Thank you eduperez! You encouraged me with that to look at what I think is writing a custom rule -- I was hoping I could do this super simply like I did in DD-WRT in the UI. But I wonder, is there also a way to have a start/stop range? I guess I could re-reserve the IPs for cameras and just hit the high range. I might actually just copy/paste duplicates of this rule for all the cameras -- it wouldn't be too hard. I think I see I could do the same with MAC address. Here is what I'm trying, I'll test to see if the camera tries to phone home. :slight_smile: Thank you!

CameraBlock Rule - Block Internet Access for Range 192.168.1.160 - 192.168.1.176

config rule
option src lan
option dest wan
option src_ip 192.168.1.160
option proto all
option target REJECT

Not in an "IP from ... to" kind of way, no. But as eduperez said, you can specify ranges by entering a so-called netmask, that's the part with the slash and another number after an IP address, which makes it a range. Unfortunately, it's not possible to create a single netmask that starts at .160 and ends at .176. What you could do, however, is something very close: a bitmask that covers .160 to .175:

192.168.1.160/28

You can enter that in the "src_ip" parameter, it covers 192.168.1.160 - 192.168.1.175. (If you really want to cover the .176, you can duplicate the rule for the .176 IP, without any netmask of course. So you can do it in one or at most two rules, which is a bit better than 16 or 17.)

The concept and calculation of a netmask is hard to explain in a hand-typed forum post since it requires you to know about binary numbers and bitwise operations. But it's really not rocket surgery either, and since it's not a concept unique to OpenWrt/LEDE, there are webpages that explain it quite well, and also calculators. Just consult your favorite search engine.
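As an added illustration of the netmask arithmetic described above (not code from the thread or from OpenWrt), the script below does the bitwise "top N bits" check a /28 implies, splits an inclusive start/end range into the fewest CIDR blocks, and renders one OpenWrt/LEDE firewall stanza per block. The rule name `CameraBlock` and the use of `ipaddress.summarize_address_range` from the Python standard library are my choices, not something the thread specifies.

```python
"""Added example: inclusive IP range -> CIDR blocks -> OpenWrt firewall rules.
Standard library only; nothing here comes from the forum thread itself."""
import ipaddress


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def in_block(ip: str, cidr: str) -> bool:
    """The test a netmask really performs: keep the top `prefix` bits of both
    addresses and compare. A /28 keeps 28 bits, so the low 4 bits are free,
    which is 16 addresses: .160 through .175 for 192.168.1.160/28."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return ip_to_int(ip) & mask == ip_to_int(net) & mask


def cidr_blocks(start: str, end: str) -> list[str]:
    """Fewest CIDR prefixes that exactly cover start..end (inclusive).
    160..176 cannot be one block; it becomes .160/28 plus .176/32."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def uci_rules(start: str, end: str, name: str = "CameraBlock") -> str:
    """Render one 'config rule' stanza per block, in /etc/config/firewall
    syntax, rejecting lan -> wan traffic from those sources."""
    stanzas = []
    for i, block in enumerate(cidr_blocks(start, end), 1):
        stanzas.append("\n".join([
            "config rule",
            f"\toption name {name}{i}",   # assumed naming scheme
            "\toption src lan",
            "\toption dest wan",
            f"\toption src_ip {block}",
            "\toption proto all",
            "\toption target REJECT",
        ]))
    return "\n\n".join(stanzas)


if __name__ == "__main__":
    print(cidr_blocks("192.168.1.160", "192.168.1.176"))
    print(uci_rules("192.168.1.160", "192.168.1.176"))
```

A `/32` suffix means a single host, so `192.168.1.176/32` is the same as entering `192.168.1.176` with no netmask.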

Thank you! OK, I think I'll try the netmask. (It has been on my list to actually learn networking so I think this may be officially my kick to do it :).) I'm trying this and based on what I see I think the cameras are now not trying to get to their manufacturers' sites (dlink, foscam, wansview).

Thanks!
Trying this just for reference:

CameraBlock Rules - Block Internet Access for Range 192.168.1.160/28 (160-175) + 192.168.1.176

config rule
option src lan
option dest wan
option src_ip 192.168.1.160/28
option proto all
option target REJECT

config rule
option src lan
option dest wan
option src_ip 192.168.1.176
option proto all
option target REJECT