Luci ipset functionality help

Hello!

I'm trying to get a network very restricted, so that only a few domain names are accessible, and hopefully their subdomains too!

Currently I try to implement it through LuCI:

DHCP:

config ipset
        list name 'aqara'
        list domain 'aqara.com'
        list domain 'myqcloud.com'
        list domain 'devolo.net'

Firewall (the zone aqara does not forward to wan):

config ipset
        option name 'aqara'
        option family 'ipv4'
        list match 'dest_ip'
        option counters '1'

config rule
        option src 'aqara'
        option dest 'wan'
        option ipset 'aqara'
        option target 'ACCEPT'
        option name 'aqara-restrict'

When I resolve, even after restarting the firewall and dnsmasq, it will not populate; it will, however, populate after a router restart.

Now I got a question about this:

PBR, for example, is able to use wildcarding on domains. I know that in the past, during the migration from iptables ipset to nftset, there were some problems with wildcarding.

However, when I look up the wiki it isn't clear to me whether this ipset function automatically wildcards or not.

Or could I be using the wrong data type as ipset?

Wouldn't this be enough?


I'm afraid not, because I have other networks as well which I want to let work normally; I want it to work in a firewall rule.

Basically, aqaranet can only communicate with aqara and subdomains. Since some of my devices are on a non-OpenWrt repeater with a weaker password, I just want to be sure the internet is not so interesting to use. I do have a pcap with DNS so that I know which domains to track for an ipset, but it would be very convenient if it can get wildcard subdomains too, which I'm not sure about.

Subdomains will be covered. Do you actually have dnsmasq-full installed?

Post some output:

nft list set inet fw4 aqara
nft list ruleset | grep aqara
grep nftset /var/etc/dnsmasq.conf.*

The output is:

table inet fw4 {
        set aqara {
                type ipv4_addr
                elements = { 43.131.7.8, 43.158.112.3,
                             43.158.112.30, 149.248.211.216,
                             159.69.96.138, 162.159.135.42,
                             195.201.179.93 }
        }
}
        set aqara {
                iifname "br-lan.178" jump input_aqara comment "!fw4: Handle aqara IPv4/IPv6 input traffic"
                iifname "br-lan.178" jump forward_aqara comment "!fw4: Handle aqara IPv4/IPv6 forward traffic"
                oifname "br-lan.178" jump output_aqara comment "!fw4: Handle aqara IPv4/IPv6 output traffic"
                iifname "br-lan.178" jump helper_aqara comment "!fw4: Handle aqara IPv4/IPv6 helper assignment"
        chain input_aqara {
                jump accept_from_aqara
        chain output_aqara {
                jump accept_to_aqara
        chain forward_aqara {
                meta l4proto tcp ip daddr @aqara counter packets 24 bytes 1440 jump accept_to_wan comment "!fw4: aqara-restrict"
                meta l4proto udp ip daddr @aqara counter packets 4 bytes 5194 jump accept_to_wan comment "!fw4: aqara-restrict"
                jump reject_to_aqara
        chain helper_aqara {
        chain accept_from_aqara {
                iifname "br-lan.178" counter packets 474 bytes 30901 accept comment "!fw4: accept aqara IPv4/IPv6 traffic"
        chain accept_to_aqara {
                oifname "br-lan.178" counter packets 101 bytes 11328 accept comment "!fw4: accept aqara IPv4/IPv6 traffic"
        chain reject_to_aqara {
                oifname "br-lan.178" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject aqara IPv4/IPv6 traffic"
                meta l4proto tcp ip daddr 10.233.10.67 counter packets 0 bytes 0 jump accept_to_aqara comment "!fw4: @rule[58]"
                meta l4proto udp ip daddr 10.233.10.67 counter packets 0 bytes 0 jump accept_to_aqara comment "!fw4: @rule[58]"
                meta l4proto tcp ip daddr 10.233.10.76 counter packets 0 bytes 0 jump accept_to_aqara comment "!fw4: devolo-maintenance"
                meta l4proto udp ip daddr 10.233.10.76 counter packets 0 bytes 0 jump accept_to_aqara comment "!fw4: devolo-maintenance"
                iifname "br-lan.178" jump dstnat_aqara comment "!fw4: Handle aqara IPv4/IPv6 dstnat traffic"
        chain dstnat_aqara {
nftset=/image.tmdb.org/themoviedb.org/tmdb.org/4#inet#fw4#tmdb
nftset=/aqara.com/myqcloud.com/devolo.net/devolo.com/devolo.global/4#inet#fw4#aqara

It does work, but if I go, let's say, to any subdomain, it doesn't for me.

dnsmasq-full is installed.

What about ipv6? Will dnsmasq resolve IPv6 addresses from the domains? You would need another ipv6 ipset.

What happens when you nslookup those subdomains from the router?

nslookup www.aqara.com 127.0.0.1
nft list set inet fw4 aqara

Hmmm, I tested against a few other sites, and it works just fine, also the subdomains.

Aqara does something strange and also gives me an error with QUIC; I suppose something client side. From nslookup I could not see an IPv6 address.

Make sure your clients are always using the router as the DNS IP and the browsers are not bypassing dnsmasq with any DoH service built-in.

Hmm, it seems that the wildcarding is not working. I tested this by hardcoding the domains and then it works; not sure if this is intended behaviour or whether I should report it as a bug :slight_smile:

forum.aqara.com shows multiple A records on nslookup, but aqara.com shows a single one; if I define forum.aqara.com in the ipset it works.

thank you very much for the help and everyone else :+1:

I tested it on 24.10.6 with dnsmasq-full 2.90 and it behaves as expected. What version are you running? It’s possible it’s a bug in newer dnsmasq versions. You could enable query logging in dnsmasq temporarily to see what it reports when looking up the subdomain.

root@router:/tmp# nft list set inet fw4 aqara
table inet fw4 {
        set aqara {
                type ipv4_addr
                comment "Aqara test"
        }
}
root@router:/tmp# grep nftset /var/etc/dnsmasq.conf.cfg01411c
nftset=/aqara.com/myqcloud.com/devolo.net/4#inet#fw4#aqara

root@router:/tmp# dig aqara.com

; <<>> DiG 9.20.18 <<>> aqara.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38447
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;aqara.com.                     IN      A

;; ANSWER SECTION:
aqara.com.              600     IN      A       162.159.135.42

;; Query time: 40 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Mar 26 08:47:46 EDT 2026
;; MSG SIZE  rcvd: 54

root@router:/tmp# nft list set inet fw4 aqara
table inet fw4 {
        set aqara {
                type ipv4_addr
                comment "Aqara test"
                elements = { 162.159.135.42 }
        }
}
root@router:/tmp# dig forum.aqara.com

; <<>> DiG 9.20.18 <<>> forum.aqara.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3970
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;forum.aqara.com.               IN      A

;; ANSWER SECTION:
forum.aqara.com.        600     IN      CNAME   forum.aqara.com.cdn.dnsv1.com.
forum.aqara.com.cdn.dnsv1.com. 600 IN   CNAME   gyu1usfl.ovslegodl.sched.ovscdns.com.
gyu1usfl.ovslegodl.sched.ovscdns.com. 60 IN A   43.159.77.160
gyu1usfl.ovslegodl.sched.ovscdns.com. 60 IN A   43.159.77.250
gyu1usfl.ovslegodl.sched.ovscdns.com. 60 IN A   101.33.20.216
gyu1usfl.ovslegodl.sched.ovscdns.com. 60 IN A   43.159.77.253

;; Query time: 120 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Mar 26 08:48:00 EDT 2026
;; MSG SIZE  rcvd: 195

root@router:/tmp# nft list set inet fw4 aqara
table inet fw4 {
        set aqara {
                type ipv4_addr
                comment "Aqara test"
                elements = { 43.159.77.160, 43.159.77.250,
                             43.159.77.253, 101.33.20.216,
                             162.159.135.42 }
        }
}

I use version 2.92, I will try that :+1:

edit:

Strange, I see in the logs that it adds it, but when I look at the ipset I don't see it:

Thu Mar 26 14:18:17 2026 [1774531097.450] daemon.info dnsmasq[1]: 1681 10.233.10.68/50765 reply www.aqara.com is NODATA
Thu Mar 26 14:18:17 2026 [1774531097.451] daemon.info dnsmasq[1]: 1682 10.233.10.68/4841 reply www.aqara.com is NODATA-IPv6
Thu Mar 26 14:18:17 2026 [1774531097.456] daemon.info dnsmasq[1]: 1683 10.233.10.68/57615 nftset add 4 inet fw4 pbr_wan_4_dst_ip_cfg046ff5 162.159.135.42 aqara.com
Thu Mar 26 14:18:17 2026 [1774531097.456] daemon.info dnsmasq[1]: 1683 10.233.10.68/57615 reply www.aqara.com is 162.159.135.42

table inet fw4 {
        set aqara {
                type ipv4_addr
                elements = { 43.131.7.8, 43.158.112.3,
                             43.158.112.30 }
        }
}

It’s only adding to the pbr set, which is interesting. Do you still have all the nftset lines in dnsmasq.conf?


Yup that is correct.

Ok, I think it’s a dnsmasq problem. I’ve added another nftset duplicating aqara.com and placed it so it appears first in dnsmasq.conf, and the IP is only added to the first set that specifies the domain. The second one appears to be ignored. So when you add the subdomain directly, it’s considered unique and probably works ok.

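As an added example (not code from the thread, from OpenWrt or from dnsmasq), here is a POSIX shell script that automates the two checks suggested in the last posts: it parses the nftset= lines of a generated dnsmasq.conf and reports every domain that is listed under more than one set, in file order, since the last post observed that only the first set listed for a domain receives the address; and it scans dnsmasq query-log lines for the "nftset add" events shown above, so you can see which set actually received each address and which configured domains never made it into the set you care about. The config and log lines embedded in the script are constructed for the demonstration, modelled on the ones pasted above; the set name pbr_wan_4_dst_ip_cfg046ff5 is taken from the pasted log line.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt/dnsmasq.
# Audits dnsmasq nftset configuration and query-log lines for the failure mode
# discussed above: a domain listed under more than one nftset line, with the
# address then only ever being added to one of the sets.
#
# Assumed input formats (as seen in the pasted output):
#   config: nftset=/dom1/dom2/4#inet#fw4#setname[,6#inet#fw4#setname6]
#   log:    ... dnsmasq[1]: <id> <client> nftset add 4 inet fw4 <set> <addr> <domain>

# Constructed sample config: aqara.com and myqcloud.com appear under two sets.
SAMPLE_CONF='nftset=/aqara.com/myqcloud.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg046ff5
nftset=/image.tmdb.org/themoviedb.org/tmdb.org/4#inet#fw4#tmdb
nftset=/aqara.com/myqcloud.com/devolo.net/devolo.com/4#inet#fw4#aqara'

# Constructed sample log lines, modelled on the ones pasted above.
SAMPLE_LOG='Thu Mar 26 14:18:17 2026 daemon.info dnsmasq[1]: 1683 10.233.10.68/57615 nftset add 4 inet fw4 pbr_wan_4_dst_ip_cfg046ff5 162.159.135.42 aqara.com
Thu Mar 26 14:18:17 2026 daemon.info dnsmasq[1]: 1683 10.233.10.68/57615 reply www.aqara.com is 162.159.135.42
Thu Mar 26 14:18:20 2026 daemon.info dnsmasq[1]: 1690 10.233.10.68/51000 nftset add 4 inet fw4 aqara 43.159.77.160 devolo.net'

# Emit "<domain> <set>" pairs, in file order, for every nftset= line on stdin.
nftset_pairs() {
  awk '/^nftset=/ {
      n = split($0, parts, "/")            # parts[2..n-1] are the domains
      cnt = split(parts[n], specs, ",")    # one or more family#table#set specs
      for (j = 1; j <= cnt; j++) {
          m = split(specs[j], sp, "#")     # the set name is the last "#" field
          for (i = 2; i < n; i++) if (parts[i] != "") print parts[i], sp[m]
      }
  }'
}

# Report domains mapped to more than one set as "<domain>: <first set> <second set> ...".
# The first set listed is the one the last post found actually receives the address.
duplicate_domains() {
  nftset_pairs | awk '
      !seen[$1 " " $2]++ {
          if (++count[$1] == 1) order[++k] = $1
          sets[$1] = sets[$1] (sets[$1] == "" ? "" : " ") $2
      }
      END { for (i = 1; i <= k; i++) if (count[order[i]] > 1) print order[i] ": " sets[order[i]] }'
}

# Emit "<set> <addr> <domain>" for every "nftset add" event in query-log lines on stdin.
log_nftset_adds() {
  awk '/ nftset add / {
      for (i = 1; i < NF; i++) if ($i == "nftset" && $(i + 1) == "add") {
          # fields after "add": family, table family, table, set, address, domain
          print $(i + 5), $(i + 6), $(i + 7)
      }
  }'
}

# Domains that the config ($2) maps to set $1, but whose address the log (stdin)
# shows being added to some other set and never to $1.
never_added_to() {
  adds=$(log_nftset_adds)
  printf '%s\n' "$2" | nftset_pairs | awk -v want="$1" '$2 == want { print $1 }' |
  while read -r dom; do
    if printf '%s\n' "$adds" |
       awk -v d="$dom" -v s="$1" '$3 == d { if ($1 == s) ok = 1; else other = 1 }
                                  END { exit !(other && !ok) }'; then
      printf '%s\n' "$dom"
    fi
  done
}

# Demonstration on the constructed samples (runs anywhere, no router needed).
echo "Domains listed under more than one set:"
printf '%s\n' "$SAMPLE_CONF" | duplicate_domains
echo "Domains configured for set 'aqara' whose address only ever went elsewhere:"
printf '%s\n' "$SAMPLE_LOG" | never_added_to aqara "$SAMPLE_CONF"
```

On the router, after sourcing the script, the same functions can be fed the real files: `cat /var/etc/dnsmasq.conf.* | duplicate_domains` lists every domain that PBR and your own ipset both claim, and `logread | never_added_to aqara "$(cat /var/etc/dnsmasq.conf.*)"` shows which of your configured domains only ever landed in another set (query logging has to be on for the "nftset add" lines to exist; in OpenWrt that is `option logqueries '1'` in the dnsmasq section of /etc/config/dhcp). A non-empty result from the first check is the condition the thread ends on, and the practical workaround it implies is to keep each domain in exactly one nftset line or to list it under the set you need first.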