IPv6 ipset loadfile option error

/etc/rc.local

cp /etc/config/nov6.lst /tmp/nov6.lst
service firewall reload

/etc/config/firewall
...

config ipset
	option name nov6
	option family ipv6
	option match dst_net
	option loadfile /tmp/nov6.lst
	option enabled 1

config rule
	option name nov6
	option family ipv6
	option ipset nov6
	option src lan
	option dest wan
	option target REJECT
	option enabled 1

OpenWrt 22.03.3, r20028-43d71ad93e

root@openwrt:~# service firewall reload
/dev/stdin:5412:48-52: Error: datatype mismatch, expected IPv6 address, expression has type IPv4 address
meta nfproto ipv6 meta l4proto tcp ip6 daddr @nov6 counter jump reject_to_wan comment "!fw4: nov6"
~~~~~~~~~ ^^^^^

I do not use the native IPv6 provided by my ISP; instead I use a 6in4 tunnel (don't ask why, please).
Some popular modern web services/sites work slower through the tunnel, and IPv6 has priority over IPv4.
So I want to block outgoing traffic (LAN > WAN) with a firewall REJECT rule, using an IPv6 subnet (CIDR) list file as the match parameter via the ipset loadfile option.

The CIDR list file is copied by a startup script from flash (/etc) to RAM (/tmp) for better performance.

The list file was edited in Notepad++ in Unix (LF) mode.

Please help me.

I think it should be family inet, i.e.
option family inet

1 Like

Hi, thank you for the reply.

I was inspired by the OpenWrt documentation, forum topics and LuCI-created firewall rules.

I haven't seen a config string like this before.
Can you share a link to the documentation or forum topic, please?
I'm a little bit scared to take your advice without double-checking because I don't want to lose access to the remotely managed router a second time ;.)

PS: I tried without success:

config ipset
	option name nov6
	option family inet6
	option match dst_net
	option loadfile /tmp/nov6.lst
	option enabled 1

config rule
	option name nov6
	option family inet6
	option ipset nov6
	option src lan
	option dest wan
	option target REJECT
	option enabled 1

root@openwrt:~# service firewall reload
/dev/stdin:5412:48-52: Error: datatype mismatch, expected IPv6 address, expression has type IPv4 address
meta nfproto ipv6 meta l4proto tcp ip6 daddr @nov6 counter jump reject_to_wan comment "!fw4: nov6"
~~~~~~~~~ ^^^^^

The nov6.lst file consists of IPv6 subnets, one subnet per line:
2001:4860::/32
2001:4860:4864::/48
...
etc

I'm using fw4.

I don't think this would do what you'd expect it to. Rejecting the traffic means just that: your client requests the IPv6 connection and gets the rejection; it will not make it fall back to IPv4 (even less remember that).

1 Like

Hi, thank you for the reply.

Is it possible to configure OpenWrt to reject with an ICMP "no route" message?
I'm using that scheme in MikroTik RouterOS and it works just fine; clients don't use IPv6 while accessing some websites.
Anyway, I'm just trying to use the loadfile option in the ipset section of fw4 (/etc/config/firewall) with IPv6, like I'm using it successfully for IPv4.

If you don't want your lan (or another interface) to have IPv6 connectivity, use ip6class to announce only the wanted prefixes (e.g. local only for ULA prefixes). If you need a more complex behaviour, you'll need to go into the details - but this is not a firewall issue, but a routing policy.

1 Like

I want to use all prefixes except some (414 prefixes at this moment).

Why can't I use the loadfile option with an IPv6 CIDR list like some members of this forum do?
Why am I getting an error using a documented firewall4 feature?

Well, you can list all of the wanted (interface-based) ones via ip6class (inclusive, not excluding).

EDIT: Just as example (note, it does not include (==exclude) the also configured henet tunnel interface/ prefixes, which was exclusively used as static prefix for my wireguard road-warrior clients, but not available to my lan):

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.225.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '1'
        list ip6class 'local'
        list ip6class 'wan6'
1 Like

Hmm, interesting feature, I didn't know about it. I'll try ip6class.

But my curious mind is stressing me out :rofl: because of the error.

No, not inet6.

option family inet

1 Like

I'm having a very similar issue. I configured my firewall with the help of the documentation, and using IPv4-based ipsets works well, but for IPv6 the following rule and set throw an error:

config rule
        option target 'DROP'
        option src 'lan'
        list proto 'all'
        option dest 'wan'
        option ipset 'testv6-dest'
        option name 'BlockAdaV6'
        option family 'ipv6'

config ipset
        option name 'testv6-dest'
        option match 'dest_net'
        option enabled '1'
        option family 'ipv6'
        option loadfile '/etc/config/fw-alias-testv6.list'

My list for reference

# cat /etc/config/fw-alias-testv6.list 
2606:4700::1111/64

The error I get:

# service firewall restart
/dev/stdin:158:31-42: Error: datatype mismatch, expected IPv6 address, expression has type IPv4 address
                meta nfproto ipv6 ip6 daddr @testv6-dest counter jump drop_to_wan comment "!fw4: BlockAdaV6"
                                  ~~~~~~~~~ ^^^^^^^^^^^^
The rendered ruleset contains errors, not doing firewall restart.

When I changed from option family 'ipv6' to option family inet I get the following error:

Skipping invalid entry '2606:4700::1111/64' in file '/etc/config/fw-alias-testv6.list' for set 'testv6-dest'

I'm using fw4 with the latest snapshot.

EDIT: I don't think inet is the right option to give since when I change my desired IPv6 address to an IPv4 address in the list the config loads without issue

1 Like
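Added example, written for this thread and not taken from fw4 or from any of the posts above: a POSIX sh checker for an ipset loadfile that is meant for an `option family ipv6` set. It is anchored here because it serves both the first post (the `ip6 daddr @nov6` datatype mismatch) and the post just above (the "Skipping invalid entry" line): it reports the file-level mistakes that are worth ruling out before suspecting the set or rule definition, namely IPv4 entries, CRLF line endings, and prefixes that are not syntactically valid IPv6 (bad hex groups, more than one `::`, a length above 128). The function names `is_v6_addr`, `is_v6_prefix` and `check_v6_list` are my own, and the sample files in the usage note are constructed; fw4's own check remains `service firewall reload`.

```shell
#!/bin/sh
# check_v6_list.sh: sanity-check an fw4 ipset loadfile before it is loaded
# into an "option family ipv6" set. Added example for this thread; not
# part of fw4 and not code from any poster. Assumes POSIX sh plus tr
# (BusyBox ash on OpenWrt is fine).

# is_v6_addr ADDR: return 0 if ADDR is a syntactically valid IPv6 address:
# hex digits and colons only, groups of at most 4 digits, at most one "::",
# exactly 8 groups without "::" and at most 7 groups with it.
is_v6_addr() {
    v6a=$1
    case "$v6a" in
        ''|*[!0-9A-Fa-f:]*|*:::*|*::*::*|:[!:]*|*[!:]:) return 1 ;;
    esac
    case "$v6a" in *::*) v6dc=1 ;; *) v6dc=0 ;; esac
    v6groups=0
    v6ifs=$IFS; IFS=:
    set -- $v6a                      # split on ':' (hex only, no globbing risk)
    IFS=$v6ifs
    for v6g in "$@"; do
        [ ${#v6g} -gt 4 ] && return 1
        [ -n "$v6g" ] && v6groups=$((v6groups + 1))
    done
    if [ "$v6dc" -eq 1 ]; then
        [ "$v6groups" -le 7 ] && return 0
    else
        [ "$v6groups" -eq 8 ] && return 0
    fi
    return 1
}

# is_v6_prefix ENTRY: return 0 if ENTRY is ADDR or ADDR/LEN with LEN in 0..128.
is_v6_prefix() {
    v6e=$1
    case "$v6e" in
        */*) v6addr=${v6e%%/*}; v6len=${v6e#*/} ;;
        *)   v6addr=$v6e; v6len=128 ;;
    esac
    case "$v6len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v6len" -le 128 ] || return 1
    is_v6_addr "$v6addr"
}

# check_v6_list FILE: print FILE:LINE: reason on stderr for every line that
# does not belong in an IPv6 set. Blank lines and '#' comments are ignored.
# Returns 0 when the file is clean, 1 otherwise.
check_v6_list() {
    cl_file=$1
    cl_bad=0
    cl_n=0
    cl_cr=$(printf '\r')
    while IFS= read -r cl_line || [ -n "$cl_line" ]; do
        cl_n=$((cl_n + 1))
        case "$cl_line" in
            *"$cl_cr"*)
                printf '%s:%d: CRLF line ending (save the file with LF endings)\n' \
                    "$cl_file" "$cl_n" >&2
                cl_bad=$((cl_bad + 1))
                continue ;;
        esac
        cl_entry=${cl_line%%#*}                         # drop trailing comment
        cl_entry=$(printf '%s' "$cl_entry" | tr -d ' \t')  # drop whitespace
        [ -n "$cl_entry" ] || continue
        if is_v6_prefix "$cl_entry"; then
            continue
        fi
        case "$cl_entry" in
            *.*) cl_why="looks like an IPv4 entry; the set is family ipv6" ;;
            *)   cl_why="not a valid IPv6 address or prefix" ;;
        esac
        printf '%s:%d: %s: %s\n' "$cl_file" "$cl_n" "$cl_entry" "$cl_why" >&2
        cl_bad=$((cl_bad + 1))
    done < "$cl_file"
    [ "$cl_bad" -eq 0 ]
}

# Usage: sh check_v6_list.sh /tmp/nov6.lst [more files...]
# The script's exit status is 0 only if every file given is clean.
cl_rc=0
for cl_arg in "$@"; do
    check_v6_list "$cl_arg" || cl_rc=1
done
[ "$cl_rc" -eq 0 ]
```

Run it by hand on the list, or from /etc/rc.local right after the `cp` and before `service firewall reload`, so a bad entry is reported instead of taking the whole reload down. Once a reload succeeds, `nft list set inet fw4 nov6` (fw4 keeps its ruleset in the `inet fw4` table) prints the entries that were actually loaded, which is the quickest way to confirm the file and the set agree.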

Using the following config worked for me:

config ipset
        option name 'testv6-dest'
        option match 'dest_ip'
        option enabled '1'
        option family 'ipv6'
        option loadfile '/etc/config/fw-alias-testv6.list'

config rule
        option target 'DROP'
        option src 'lan'
        list proto 'all'
        option dest 'wan'
        option ipset 'testv6-dest'
        option name 'BlockAdaV6'
        option family 'ipv6'

The only difference being I changed the match option from dest_net to dest_ip

1 Like

Same error with the inet option as with inet6.

Same error.
But I decided to copy-paste your example and it worked, so I was excited to play around with the config text, and I read some info about hash tables yesterday. I didn't want to believe in a hash collision in my case, but I decided to change the name option of the ipset section anyway, and it worked :sweat_smile: :rofl: :joy:

I didn't even fix the misprint in the dst_net option and the router didn't return any error. Give me a little bit more time, I'll test the rule.

config ipset
	option name no-v6-set
	option family ipv6
	option match dst_net
	option loadfile /tmp/nov6.lst
	option enabled 1

config rule
	option name nov6
	option family ipv6
	option ipset 'no-v6-set'
	option src lan
	option dest wan
	option target REJECT
	option enabled 1
1 Like
