Port forward using ipset

Sorry if this is a dumb question, I'm not a network guy :slight_smile:

I'm trying to set up port forwarding using ipsets, so I can restrict connections to the forwarded port behind the router to only certain IPs (allow connections only from one country). I successfully created an ipset with IPs, but what is the proper way to implement it? I think I should use firewall custom rules, as Luci doesn't allow specifying ipsets, but I don't know what the proper iptables rule(s) should look like.
Thanks :slight_smile:

I am not sure either about the correct syntax, but you can ignore Luci to some extent. Luci is only a GUI handling the existing firewall config. The actual firewall package (fw3) is the definitive one.

Based on the wiki it looks like you can just replace the IP address in a normal forward rule with an ipset declaration. It is also mentioned in the redirect advice.

https://lede-project.org/docs/user-guide/firewall_configuration#using_ipsets
https://lede-project.org/docs/user-guide/firewall_configuration#redirects

But I am not sure if you can use Luci to manage the rule after that. Might be that Luci throws a fit if you go to firewall config.

EDIT:
Another solution angle is direct iptables commands in a firewall custom script. If you want advice on how to apply ipsets in that context, you might check the bcp38 package's source, as it uses ipset from a "user firewall script":
https://github.com/openwrt/packages/blob/master/net/bcp38/files/run.sh
https://github.com/openwrt/packages/blob/master/net/bcp38/

Thank you @hnyman, you pointed me in the right direction. I was able to create an ipset, then referenced it in /etc/config/firewall and finally created redirect rules.
Thank you again :slight_smile:

Do you mind sharing the solution so that others with the same problem can benefit from your experience?

Of course not, sorry for not doing so in the first place :slight_smile:

  1. I created a txt file (using Notepad++) like this:

ipset create NameOfTheIpset hash:net
ipset add NameOfTheIpset x.x.x.x/29
ipset add NameOfTheIpset x.x.x.x/24

Every line represents one IP network in CIDR format.
At the end of the file add this:

sleep 1
/etc/init.d/firewall restart

This will wait 1 second after creating the ipset and then restart the firewall to allow the reference in iptables to this ipset. If you don't add these two commands, the firewall rules will be created before the ipset exists, as the firewall is initialized before custom files are executed.
Then I uploaded this file to the router (/etc/) and made it executable. In the Local Startup configuration in Luci (https://router_ip/cgi-bin/luci/admin/system/startup) I added the path to this file and saved the settings. This way the ipset is recreated after every reboot.

After this I adjusted /etc/config/firewall like this:

config ipset
option external 'NameOfTheIpset'
option match 'src_net'
option family 'ipv4'
option storage 'hash'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option ipset 'NameOfTheIpset'
option proto 'tcp'
option src_dport 'WanPortNumber'
option dest_ip 'IpToRedirect'
option dest_port 'LanPortNumber'
option name 'Name'

The first config block enables the ipset for use in the firewall; the second shows how to use it in a port redirection.

To confirm your ipset is used, type "ipset list", find your ipset (there will be a few other ipsets) and check the "Referenced" attribute. This is the number of times your ipset is used. If you use your ipset in two rules, the number will be 2.

Thank you again for your help guys :slight_smile:

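As an added example (not code from the thread or from OpenWrt), here is a boot script in the spirit of the startup file above: it builds the allow-list ipset from a CIDR file via `ipset restore`, rejects malformed entries so a typo cannot silently widen the allow-list, restarts fw3 afterwards, and reads the reference count back from `ipset list` (whose header line reads `References:`). The set name default, the file path `/etc/allowed_cidrs.txt` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build the allow-list ipset at boot, then restart fw3 so the
# redirect rule can reference it. SET_NAME and CIDR_FILE are assumed names.
SET_NAME="${SET_NAME:-NameOfTheIpset}"
CIDR_FILE="${CIDR_FILE:-/etc/allowed_cidrs.txt}"   # one IPv4 CIDR per line (assumed path)

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
valid_cidr() {
    case "$1" in *[!0-9./]*|""|*/*/*|/*|*/) return 1 ;; esac
    ip="${1%/*}"; len="${1#*/}"
    [ "$ip" != "$1" ] || return 1                 # require an explicit prefix length
    case "$ip" in .*|*.|*..*) return 1 ;; esac    # no empty octets
    [ "$len" -le 32 ] 2>/dev/null || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    return 0
}

# Emit an "ipset restore" script: idempotent create, flush, then add each valid line.
# Malformed lines are reported on stderr and skipped instead of widening the allow-list.
build_restore_script() {   # $1 = CIDR file
    printf 'create %s hash:net -exist\nflush %s\n' "$SET_NAME" "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                   # strip comments
        line="$(printf '%s' "$line" | tr -d ' \t\r')"        # strip whitespace / CRLF
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'add %s %s -exist\n' "$SET_NAME" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Read "ipset list NAME" output on stdin and print the References count.
# 0 means fw3 has not picked the set up, e.g. the firewall was restarted too early.
ref_count() {
    sed -n 's/^References: *\([0-9]*\).*/\1/p'
}

# Boot-time entry point: only acts when ipset and fw3 are actually present.
if command -v ipset >/dev/null 2>&1 && [ -f "$CIDR_FILE" ] && [ -x /etc/init.d/firewall ]; then
    build_restore_script "$CIDR_FILE" | ipset restore
    sleep 1
    /etc/init.d/firewall restart
    echo "References for $SET_NAME: $(ipset list "$SET_NAME" | ref_count)"
fi
```

The generated script can also be inspected before use with `build_restore_script /etc/allowed_cidrs.txt`, which makes the two-step (create, then restart firewall) ordering from the post easy to verify.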