IP Sets with nftables in LuCi

Up-to-date LuCi has this:

What can we do with this?

In the old fw3 wiki it states here:

My question is: has all of this been handled? For example I'd like to DNS hijack any DNS queries to nordvpn.com and redirect that to 1.1.1.1. Also I'd like to filter on IP set for firewall rules to block certain domains at certain times of the day.

Can this be done in LuCi?

It’s not very usable at the moment with fw4/nftables because dnsmasq is still waiting for the bump to v2.87 where nftables sets are supported. At the moment, those configs will ask dnsmasq to populate ipsets that won’t exist on 22.03 or master. It would work fine with 21.02.


Not with 22.03/fw4 currently. The fw4 no longer creates ipset from its config and creates nft sets instead, however dnsmasq which supports nft sets is not in OpenWrt 22.03 repo yet.


I've been able to install dnsmasq 2.89 from https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/base/ on my 22.03 OpenWrt.
Should it now work? I am stuck at the instruction for LuCI:
If you want to manage the settings using the web interface:

  • Navigate to LuCI → Network → Firewall → Traffic Rules → Filter-IPset-DNS-Forward to manage firewall rules.
  • Navigate to LuCI → Network → DHCP and DNS → IP sets to manage domains.

The second configuration I can find and control. But the first line confuses me.
Is Filter-IPset-DNS-Forward an option or tab I should find in the Traffic Rules screen? (It is not there for me.)
Or is it simply the name of a Traffic rule I should create? (In that case, where do I link a rule to an IP set?)

The linked how-to targets the current stable OpenWrt release and relies on resolveip to populate the IP sets, although it should also work for snapshots.
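As an added example (not from this thread, the OpenWrt wiki or the LuCI project), the two UCI sections the how-to refers to, written by hand instead of through the LuCI pages: the "IP sets" page edits the `config ipset` section in /etc/config/dhcp, and a traffic rule is linked to the set by its `option ipset` line in /etc/config/firewall. The set name `blocked_sites`, the domain, the time window and the `Filter-IPset-...` rule name are placeholders; the example assumes fw4 on 22.03 with a dnsmasq build that has nftset support, as the replies above require, so that fw4 creates the nft set and dnsmasq fills it from resolved domains.

```uci
# /etc/config/dhcp  (LuCI: Network -> DHCP and DNS -> IP sets)
# dnsmasq adds every address it resolves for the listed domains to the
# named set. Set name and domain are placeholders.
config ipset
	list name 'blocked_sites'
	list domain 'example.com'

# Optional, matches the first question in the thread: forward queries for
# one domain to a chosen upstream instead of the default resolvers.
# (A dnsmasq 'server=/domain/ip' line; domain and upstream are placeholders.)
config dnsmasq
	list server '/example.net/1.1.1.1'

# /etc/config/firewall  (LuCI: Network -> Firewall -> IP sets, then Traffic Rules)
# fw4 creates an nft set with this name; 'match' says which packet field the
# set is compared against when a rule references it.
config ipset
	option name 'blocked_sites'
	option family 'ipv4'
	list match 'dest_ip'

# The traffic rule is linked to the set through 'option ipset'. Without this
# line the set exists but nothing consults it. The time window limits the
# block to a placeholder evening period; the rule name is arbitrary.
config rule
	option name 'Filter-IPset-blocked_sites'
	option src 'lan'
	option dest 'wan'
	option ipset 'blocked_sites'
	option start_time '20:00:00'
	option stop_time '23:59:59'
	option target 'REJECT'
```

After editing, `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart` apply the change; `nft list set inet fw4 blocked_sites` shows whether the set exists and whether dnsmasq has populated it after a client resolves the domain. If the set stays empty, the dnsmasq in use lacks nftset support, which is the situation the earlier replies describe.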