Negate 2nd IP address as source in firewall rule

Hi,

I'm running a server with AdGuard Home and wanted to redirect all DNS queries to this server (besides queries already originating from this server, 192.168.1.10). I've used the following commands on my OpenWRT router:

uci add firewall redirect
uci rename firewall.@redirect[-1]=forward_agh
uci commit firewall


uci set firewall.forward_agh.enabled='0'
uci set firewall.forward_agh.target='DNAT'
uci set firewall.forward_agh.src='lan'
uci set firewall.forward_agh.src_dport='53'
uci set firewall.forward_agh.dest_ip='192.168.1.10'
uci set firewall.forward_agh.dest_port='53'
uci set firewall.forward_agh.src_ip='!192.168.1.10'
uci set firewall.forward_agh.family='ipv4'
uci commit firewall

Now I have a new client (192.168.1.100) which specifically needs to send DNS queries to Google DNS (8.8.8.8). According to the documentation I can't add a second IP address ('!192.168.1.100') to the 'src_ip' parameter. Is that correct?

Are there other possibilities to make this work?

Thanks in advance!

You can use an ipset.

uci add firewall ipset
uci set firewall.@ipset[-1].name='agh'
uci set firewall.@ipset[-1].family='ipv4'
uci set firewall.@ipset[-1].match='src_ip'
uci add_list firewall.@ipset[-1].entry='192.168.1.10'
uci add_list firewall.@ipset[-1].entry='192.168.1.100'

uci del firewall.forward_agh.src_ip
uci set firewall.forward_agh.ipset='!agh'
uci commit firewall
/etc/init.d/firewall restart

You know the rule is currently disabled, right?

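As an added example (not code from the thread or from any of its posters), the script below generates the uci commands for the ipset approach for any number of exempt hosts, not just the two in the question, and checks that every address is a well-formed IPv4 address before printing anything. The ipset name "dns_exempt", the redirect section name "forward_agh_ipset" and the explicit "proto 'tcp udp'" are my own choices; the generated rule is enabled, so read the output before running it on a router.

```shell
#!/bin/sh
# Added example, not from the thread: print the uci commands that build an
# OpenWrt ipset of DNS-exempt hosts plus a DNAT redirect that sends every
# other LAN client's port-53 traffic to the local resolver. The section name
# "forward_agh_ipset" and the ipset name "dns_exempt" are assumptions.

# is_ipv4 ADDR: returns 0 when ADDR is a plain dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_dns_redirect RESOLVER EXEMPT...: validate every address first, then
# emit the commands. The resolver is always in the exempt set so that its own
# upstream queries are not looped back to it.
gen_dns_redirect() {
    [ "$#" -ge 1 ] || return 1
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done
    resolver=$1
    cat <<EOF
uci add firewall ipset
uci set firewall.@ipset[-1].name='dns_exempt'
uci set firewall.@ipset[-1].family='ipv4'
uci set firewall.@ipset[-1].match='src_ip'
EOF
    for addr in "$@"; do
        echo "uci add_list firewall.@ipset[-1].entry='$addr'"
    done
    cat <<EOF
uci add firewall redirect
uci rename firewall.@redirect[-1]='forward_agh_ipset'
uci set firewall.forward_agh_ipset.name='Redirect LAN DNS to $resolver'
uci set firewall.forward_agh_ipset.target='DNAT'
uci set firewall.forward_agh_ipset.src='lan'
uci set firewall.forward_agh_ipset.proto='tcp udp'
uci set firewall.forward_agh_ipset.src_dport='53'
uci set firewall.forward_agh_ipset.dest_ip='$resolver'
uci set firewall.forward_agh_ipset.dest_port='53'
uci set firewall.forward_agh_ipset.family='ipv4'
uci set firewall.forward_agh_ipset.ipset='!dns_exempt'
uci commit firewall
EOF
}

# Stand-alone use: resolver first, then the hosts allowed to use other DNS,
# e.g.  sh gen_dns_redirect.sh 192.168.1.10 192.168.1.100 | sh
if [ "$#" -gt 0 ]; then
    gen_dns_redirect "$@"
fi
```

Two things worth keeping in mind when using output like this: the redirect only catches plain port-53 traffic, so a client speaking DNS-over-HTTPS or DNS-over-TLS to a public resolver is not affected by it, and the negated ipset means any host you add to "dns_exempt" is trusted to pick its own resolver, so the list should stay short and reviewed.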

Thanks! I'll try this tomorrow!

I've implemented it as being disabled by default in case there were errors while executing the uci commands. Afterwards I've enabled the rule in the GUI.

Just to make sure, I've created a new (disabled) rule which I wanted to use to make the ipset adjustment. That way, if anything went wrong, I'd still have the original one fully functioning. After creating the rule and restarting the firewall I saw the message:

"Warning: Unable to locate ipset utility, disabling ipset support"
(it appears I'm still running on OpenWRT 21.02)

Is there any way to still be able to create an ipset, or am I forced to upgrade (which I intend to do eventually)?

Thanks in advance!

You should definitely upgrade.

opkg update; opkg install kmod-ipt-ipset ipset
uci set firewall.@ipset[0].storage='hash'
uci commit firewall
fw3 restart