IPSet does not block IP

Hi all!

I have the following config, in my firewall4 config:

config rule 'doh_deny'
        #since I don't specify dest_port, it will apply to any port
        option name 'Deny-DoH'
        option src '*'
        option dest 'wan'
        option proto 'all'
        option family 'ipv4'
        option ipset 'doh'
        option target 'REJECT'

config ipset 'doh'
        option name 'doh'
        option family 'ipv4'
        #option storage 'hash'
        option match 'ip'
        list entry '101.198.191.4'

I tried to test this config with ping.

ping 101.198.191.4 returns some packets. I was expecting it to timeout.

Is there a problem in my config, or am I missing something conceptually?

You need to specify the direction here. Use dest_ip or dest_net.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#ip_set_types

Then you need to set the target in the firewall rule to DROP. Otherwise you will see Destination port unreachable.

Also note that you should run the ping from a lan client, not the router itself.


Ah perfect! It's all working now, thanks!

Is there a way to have the ipset match both dest_ip and src_ip?

No. Although LuCI allows you to list them both, this will break the set.

But you can use an existing set the way you like in custom rules.

nft insert rule inet fw4 forward ip saddr @doh counter reject

Understood, thank you!


Just a note, be sure to block IPv6, too. From my DoH-block rules over the last 30 days:

 @doh_ipv4 counter packets 3192 
 @doh_ipv6 counter packets 956
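Added example, not from the thread or from OpenWrt's own tooling: a small Python linter that parses firewall4's UCI syntax and flags the pitfalls raised in this thread, namely an ipset match with no direction (or with both directions), a rule that REJECTs instead of DROPs, and the absence of an IPv6 counterpart set. The two sample configs are constructed from the original post; the address 2001:db8::1 is a documentation prefix standing in for a real resolver, and the parser is a deliberately minimal one, not libuci.

```python
"""Lint an OpenWrt firewall4 (UCI) config for the ipset mistakes discussed above."""
import shlex

# Constructed sample: the original poster's config (no direction on the match,
# target REJECT), trimmed to the lines the checks look at.
BROKEN_CONFIG = """
config rule 'doh_deny'
        option name 'Deny-DoH'
        option dest 'wan'
        option family 'ipv4'
        option ipset 'doh'
        option target 'REJECT'

config ipset 'doh'
        option name 'doh'
        option family 'ipv4'
        option match 'ip'
        list entry '101.198.191.4'
"""

# Constructed sample applying the thread's advice: dest_ip on the set, DROP on
# the rule, and a second set for IPv6 (2001:db8::1 is a placeholder address).
FIXED_CONFIG = """
config rule 'doh_deny'
        option name 'Deny-DoH'
        option dest 'wan'
        option family 'ipv4'
        option ipset 'doh'
        option target 'DROP'

config ipset 'doh'
        option name 'doh'
        option family 'ipv4'
        option match 'dest_ip'
        list entry '101.198.191.4'

config ipset 'doh6'
        option name 'doh6'
        option family 'ipv6'
        option match 'dest_ip'
        list entry '2001:db8::1'
"""

UNDIRECTED = {"ip", "net", "port", "mac"}  # match types that lack a src_/dest_ prefix


def parse_uci(text):
    """Parse UCI text into a list of sections: {type, name, options, lists}."""
    sections, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quoting and '#' comments
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            current = {"type": tokens[1], "name": tokens[2] if len(tokens) > 2 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif tokens[0] == "option" and current is not None and len(tokens) == 3:
            current["options"][tokens[1]] = tokens[2]
        elif tokens[0] == "list" and current is not None and len(tokens) == 3:
            current["lists"].setdefault(tokens[1], []).append(tokens[2])
        else:
            raise ValueError(f"unrecognised UCI line: {raw.strip()!r}")
    return sections


def lint_firewall(text):
    """Return a list of findings; empty when the config avoids the thread's pitfalls."""
    sections = parse_uci(text)
    findings, ipsets = [], {}
    for sec in (s for s in sections if s["type"] == "ipset"):
        name = sec["options"].get("name") or sec["name"]
        ipsets[name] = sec
        # 'match' is either one space-separated option or repeated list entries
        match = sec["options"].get("match", "").split() + sec["lists"].get("match", [])
        if any(m in UNDIRECTED for m in match):
            findings.append(f"ipset '{name}': match {match} carries no direction; "
                            "use dest_ip/dest_net (or src_*)")
        if any(m.startswith("src_") for m in match) and any(m.startswith("dest_") for m in match):
            findings.append(f"ipset '{name}': mixing src_* and dest_* breaks the set; "
                            "keep one direction and add a custom nft rule for the other")
    for sec in (s for s in sections if s["type"] == "rule" and "ipset" in s["options"]):
        rule = sec["options"].get("name") or sec["name"]
        ref = sec["options"]["ipset"].lstrip("!").split()[0]  # tolerate '!doh' negation
        if ref not in ipsets:
            findings.append(f"rule '{rule}': references undefined ipset '{ref}'")
        if sec["options"].get("target", "").upper() == "REJECT":
            findings.append(f"rule '{rule}': REJECT answers with an ICMP error "
                            "(seen as 'Destination port unreachable'); use DROP so the client times out")
    families = {s["options"].get("family", "ipv4") for s in ipsets.values()}
    if "ipv4" in families and "ipv6" not in families:
        findings.append("no ipv6 ipset defined: IPv6 clients bypass the block unless IPv6 is disabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint_firewall(cfg) or 'no findings'}")
```

Run it against a real `/etc/config/firewall` by reading the file into `lint_firewall`; the IPv6 finding is informational for a network that, like the original poster's, has IPv6 disabled.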

Thanks for that. I am not allowing IPv6 on my router. It makes it easier for me to think about my network and play with the configuration.
