Multiple IPs in Invert Firewall Rule

Hello Everyone,

I am writing an invert firewall rule to block access to all IPs on a ZeroTier network (!) except 10.1.1.8/32 and 10.1.1.30/32. Adding one invert rule works as expected.

The rule looks like this.

I want to add multiple IPs to this list, but chaining them together doesn't work. Adding 2 invert rules obviously doesn't work either. In OPNSense, you would make an alias, assign multiple IPs/subnets to it, and then use the alias in the invert rule.

My question is: what is the method, or is it even possible, to add multiple IPs to an invert rule in OpenWRT?

Thanks for any direction!

You just need to set up an "IP Set" (also called an "alias" in some other router/firewall ecosystems like opnsense, pfsense, etc.) first, and then enter or select that "IP Set" in the Destination Address field of your firewall rule:

2 Likes
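As an added example (not part of the answer above, and not copied from the OpenWrt project), here is what that IP Set plus one inverted rule looks like in /etc/config/firewall for fw4 (OpenWrt 22.03 and later). The set name `zt_allowed`, the zone names `lan` and `zerotier`, and the rule name are assumptions; adjust them to the zones already defined on the router.

```uci
# /etc/config/firewall (fw4) -- added example, names are illustrative

# The set holds the hosts that MAY be reached. `match` fixes which
# packet field the set is compared against (here: destination address),
# so the rule below does not need to repeat that.
config ipset
	option name 'zt_allowed'
	option family 'ipv4'
	list match 'dest_ip'
	list entry '10.1.1.8'
	list entry '10.1.1.30'

# One rule, inverted against the whole set: traffic from the lan zone
# towards the zerotier zone whose destination is NOT in zt_allowed is
# rejected. Rules are evaluated top to bottom and the first match wins,
# so keep this above any broader ACCEPT rule for the same zones.
config rule
	option name 'ZT-reject-unless-allowed'
	option src 'lan'
	option dest 'zerotier'
	option ipset '!zt_allowed'
	option proto 'all'
	option target 'REJECT'
```

Two things worth checking before relying on it: `option proto 'all'` is deliberate, since the default of `tcp udp` would let ICMP and other protocols bypass the block; and the set is `family 'ipv4'`, so if the ZeroTier network also hands out IPv6 addresses a second set and rule are needed for that family. `fw4 print` shows the generated nftables ruleset without applying it, and `fw4 reload` applies it; `nft list ruleset` afterwards should show the set with both entries and the rule matching `!= @zt_allowed`.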

I agree with @johnsmith31 that IPSets are the way to go.

There is another approach though -- make the default action to drop/reject, and then allow specifically those IP addresses (which can be done in the single rule).

3 Likes
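The deny-by-default alternative described in this reply, as an added example (not the poster's configuration and not OpenWrt project code); zone names `lan` and `zerotier` and the rule name are assumptions. It relies on there being no `config forwarding` section from `lan` to `zerotier`, so inter-zone traffic falls through to the global default policy.

```uci
# /etc/config/firewall (fw4) -- added example, names are illustrative

# 1. Global defaults. With no `config forwarding` from lan to zerotier,
#    traffic between those two zones is governed by this `forward`
#    policy, which is REJECT in a stock OpenWrt config. If a forwarding
#    section for lan -> zerotier already exists, it must be removed,
#    otherwise everything is accepted before the rule below is reached.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 2. A single ACCEPT rule listing the permitted hosts. dest_ip is a list
#    option, so each further host is one more `list dest_ip` line; a
#    subnet in CIDR notation (e.g. 10.1.1.0/24) is valid here too.
config rule
	option name 'ZT-allow-listed-hosts'
	option src 'lan'
	option dest 'zerotier'
	option proto 'all'
	list dest_ip '10.1.1.8'
	list dest_ip '10.1.1.30'
	option target 'ACCEPT'
```

This variant is the safer shape from a least-privilege standpoint: a typo in the list or a forgotten rule fails closed, whereas a mistake in an inverted REJECT rule fails open. The cost is that every other zone pair that should still reach the ZeroTier network now needs its own explicit forwarding or allow rule.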

Thank you @johnsmith31!

That is it. I was focusing my search on the word "alias" and that let me down. Appreciate that, and it works as expected!

I am also going to try this method and document it for future uses. Appreciate your response on this as well @psherman!

I don't know the history behind why OpenWRT chose to refer to firewall "aliases" as "IP Sets," and of course changing established nomenclature for major functionality within a project is likely to cause ripples, but it might be worth the dev team's consideration to rename the feature to "aliases" to make it in line with the more common and widely used parlance.

I have personally never heard of the term "aliases" in conjunction with IP sets. For me, aliases are secondary labelled IP addresses on Linux interfaces.

That's fair, good point. I'd forgotten about that context & usage for "aliases", which also has a long history.

OpenWRT uses this term for that exact function, so that makes sense to me. I believe that's why Unifi uses a totally different term, "IP Groups" haha