Luci Firewall does not block internet from IP

Hi all,
I would like to prevent a specific range of IP addresses from dialing outside my network. I created the following Firewall rule, but it does not seem to work. I have also moved it to the very top of my Firewall list.

Any advice?

Thanks.

Change the Source Zone.

Thank you very much for your immediate reply!

I just did that, and a slight correction... It looks like devices can still ping out and only some sites are blocked?

Is IPv6 active on the devices in question? The rule doesn’t cover IPv6.

Oooo, very interesting... I believe it is active. I'll test that.

Side question: Do I really need IPv6? Any issues if I just disable it? I only have ~20-25 devices on this network...

I think it does block IPv6.

By specifying a source IPv4 address range, the rule will only apply to IPv4 traffic.
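A worked illustration of that point, added here and not taken from any post in this thread: two rules for /etc/config/firewall covering the lan-to-wan direction. The first matches an IPv4 source range and so, exactly as stated above, only ever sees IPv4 packets. The second matches the device by MAC address with family 'any', which also catches its IPv6 traffic regardless of which SLAAC or temporary address the device happens to be using. The address range, the MAC address and the zone names 'lan' and 'wan' are placeholders (the zone names are OpenWrt's defaults) and must be adjusted to the actual network.

```uci
# Added example, not from the thread. All values below are placeholders.

# Rule 1: IPv4 only. Because src_ip is an IPv4 range, the firewall emits
# this rule only into the IPv4 part of the ruleset; IPv6 packets from the
# same devices are not matched and pass through to the WAN zone.
config rule
	option name 'Block-IoT-range-v4-to-WAN'
	option src 'lan'
	option src_ip '192.168.1.200-192.168.1.220'
	option dest 'wan'
	option proto 'all'
	option family 'ipv4'
	option target 'REJECT'

# Rule 2: one rule per isolated device, keyed on its MAC address.
# A MAC match is independent of the IP family, so with family 'any' the
# device's IPv6 traffic is rejected as well, whatever its current global
# or privacy address is. Only forwarding to 'wan' is affected, so other
# hosts on the LAN can still reach the device.
config rule
	option name 'Block-camera1-to-WAN'
	option src 'lan'
	option src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option proto 'all'
	option family 'any'
	option target 'REJECT'
```

After saving the file, `/etc/init.d/firewall restart` applies the rules; on a firewall4 system `nft list ruleset` then shows the MAC rule once for both families, while the range rule appears only with IPv4 addresses. If the devices get their addresses from DHCP, give them static leases first so the IPv4 range in rule 1 stays stable.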


Gotcha. Thanks that must be it!

So... I am struggling to find a good guide to help me block the IPv6 as well... can anyone point me in the right direction?

Thanks!

Add this rule to raw_prerouting:
iifname "eth0.2" ip6 saddr ::/0 drop

and add this rule to raw_output:
oifname "eth0.2" ip6 saddr ::/0 drop
eth0.2 is an interface; see what you have.

Also add via sysctl:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.icmp.echo_ignore_all=1
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

Firstly, don't add rules to raw_prerouting or raw_output, or start changing sysctl settings.

Secondly, it'd be easier to advise if we had some more details about your setup. So, please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

It'd also be helpful to get an idea about what you're trying to achieve. What is the end result you want?

As I understand it, he wants to cut off IPv6 without any explanation, just so that this traffic does not flow, so I answered the way he wants.
I answered using my own example, and it helped me.

Look, let's not get into another discussion about what you do and don't understand. Disabling IPv6 entirely is not a supported configuration for OpenWrt. If what you've done works for you then great, but it's not good advice for other users.

As for the OP, their original request was to prevent certain IPv4 addresses from accessing the internet. They've now asked how to do the same with IPv6. That is not the same as blocking all traffic (and certainly doesn't require anything you suggested).

Let's just leave this now for the OP to provide the requested info and then appropriate advice can be given to them.

Well, maybe I missed something, because in theory the traffic should be stopped completely, at least from the WAN,
and if I didn't take something into account, then tell me what I missed.
My task is to completely turn off IPv6 by any means, even if not standard; the main thing is to turn it off.

I've already answered above. There's no need to derail this thread any further. So let's just leave it now until the OP responds.

As usual, the responses and support from everyone on the OpenWrt forums are excellent, and I sincerely appreciate others taking the time to provide me with advice!

I am probably not using the best network configuration, but I'll explain it here along with what I am trying to accomplish. So far everything I've done with OpenWrt has been through the LuCI interface, but I am not shy about SSH.

I have a home network with an R7800 and a wired access point to help extend the signal. I have several cameras and IoT devices that I would like to isolate from accessing any outside traffic. I would like, say, my phone to be able to access the devices while connected to the Wi-Fi.

Does that help?

Yeah, it provides the context to your requests. Now we just need to see the current config files.

Allocate a static IP address for the IP cameras in the router, and in the firewall close access to the WAN completely for these addresses.
Try to do this, and then no one will break into your cameras)
The phone connects via the IP camera server; configure the cameras so that they work without a server.
The IP camera server is located somewhere at the camera manufacturer.
Your phone connects to your IP cameras through this server, and you need to configure it so that everything works without this server.

Thanks again. I'll take a look at this a little later and see about getting those config files.

The advice from @fkl7834456 is one way you could do it, but it's unlikely to be the best approach to take. I would strongly advise on holding off doing anything until we've had a chance to look at your current setup.