I am writing an invert firewall rule to block access to all IPs on a ZeroTier network (!) except 10.1.1.8/32 and 10.1.1.30/32. Adding one invert rule works as expected.
I want to add multiple IPs to this list, but chaining them together doesn't work. Adding 2 invert rules obviously doesn't work either. In OPNsense, you would make an alias, assign multiple IPs/subnets to it, and then use the alias in the invert rule.
My question is, what is the method/is it possible to add multiple IPs in an invert rule in OpenWrt?
You just need to set up an "IP Set" (also called an "alias" in some other router/firewall ecosystems like OPNsense, pfSense, etc.) first, and then enter or select that "IP Set" in the Destination Address field of your firewall rule:
I agree with @johnsmith31 that IPSets are the way to go.
There is another approach though -- make the default action to drop/reject, and then allow specifically those IP addresses (which can be done in a single rule).
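A simplified first-match model of the three rule layouts discussed above, added here as an example (it is not from the thread and is not OpenWrt's firewall code). It shows why two chained invert rules reject everything, while one invert rule against a set, or a default reject with a single allow rule, passes only 10.1.1.8 and 10.1.1.30. The 10.1.1.99 host and the `rule`, `verdict` and `evaluate` helpers are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# The two permitted hosts come from the question; 10.1.1.99 is a constructed
# "any other ZeroTier peer" used to show what gets blocked.
ALLOWED = [ip_network("10.1.1.8/32"), ip_network("10.1.1.30/32")]
ZT_HOSTS = [ip_address(f"10.1.1.{n}") for n in (8, 30, 99)]


def rule(nets, target, invert=False):
    """One rule: destination match against a list of networks, optionally inverted."""
    return {"nets": nets, "target": target, "invert": invert}


def verdict(rules, dst, default):
    """First matching rule decides; if none matches, the default policy applies."""
    for r in rules:
        in_list = any(dst in n for n in r["nets"])
        # An inverted rule matches when the destination is NOT in its list.
        if in_list != r["invert"]:
            return r["target"]
    return default


def evaluate(rules, default="ACCEPT"):
    """Verdict for every sample destination under the given rule list."""
    return {str(h): verdict(rules, h, default) for h in ZT_HOSTS}


# Two chained single-address invert rules: "not 10.1.1.8" already matches
# 10.1.1.30, and "not 10.1.1.30" matches 10.1.1.8, so nothing gets through.
two_inverts = [rule([ALLOWED[0]], "REJECT", invert=True),
               rule([ALLOWED[1]], "REJECT", invert=True)]

# One invert rule against a set holding both addresses (the IP set approach).
invert_set = [rule(ALLOWED, "REJECT", invert=True)]

# Default reject plus a single allow rule listing both addresses.
allow_list = [rule(ALLOWED, "ACCEPT")]

if __name__ == "__main__":
    print("two invert rules :", evaluate(two_inverts))
    print("invert + set     :", evaluate(invert_set))
    print("default reject   :", evaluate(allow_list, default="REJECT"))
```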
I don't know the history behind why OpenWrt chose to refer to firewall "aliases" as "IP Sets," and of course changing established nomenclature for major functionality within a project is likely to cause ripples, but it might be worth the dev team's consideration to rename the feature to "aliases" to bring it in line with the more common and widely used parlance.