[SOLVED] Http, traffic-rules, ipsets, ping - why a drop-rule is not working?

anon22003091 · April 25, 2026, 5:42pm

Heres the traceroute from the router diagnosis tab:

traceroute to facebook.com (185.60.217.35), 20 hops max, 46 byte packets
 1  192.168.40.1  0.686 ms
 2  *
 3  172.17.224.112  8.223 ms
 4  172.17.224.34  8.987 ms
 5  172.17.224.17  8.800 ms
 6  172.17.112.21  14.094 ms
 7  *
 8  172.17.112.86  11.065 ms
 9  10.249.251.16  9.167 ms
10  10.249.250.1  8.962 ms
11  157.240.90.238  8.873 ms
12  129.134.45.153  10.080 ms
13  129.134.94.130  9.944 ms
14  129.134.116.115  11.963 ms
15  *
16  *
17  *
18  *
19  *
20  *

I dont use a vpn. As far as I know. Last think I can think of is my OS, but no, I can load facebook and its IP in my Phone with vanadium. But my testipset with the isp-router (yknow the loginpage at 192.168.40.1) is blocked, on both phone and laptop.

anon22003091 · April 25, 2026, 5:42pm

I can ping from the router:

PING facebook.com (185.60.217.35): 56 data bytes
64 bytes from 185.60.217.35: seq=0 ttl=51 time=14.178 ms
64 bytes from 185.60.217.35: seq=1 ttl=51 time=6.549 ms
64 bytes from 185.60.217.35: seq=2 ttl=51 time=6.247 ms
64 bytes from 185.60.217.35: seq=3 ttl=51 time=7.504 ms
64 bytes from 185.60.217.35: seq=4 ttl=51 time=6.635 ms

--- facebook.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 6.247/8.222/14.178 ms

But not from my cli on the laptop.

anon22003091 · April 25, 2026, 5:44pm

ping from the router via ssh:

/ # ping 185.60.217.35
PING 185.60.217.35 (185.60.217.35): 56 data bytes
64 bytes from 185.60.217.35: seq=0 ttl=51 time=9.520 ms
64 bytes from 185.60.217.35: seq=1 ttl=51 time=7.577 ms
64 bytes from 185.60.217.35: seq=2 ttl=51 time=6.511 ms
64 bytes from 185.60.217.35: seq=3 ttl=51 time=6.850 ms
64 bytes from 185.60.217.35: seq=4 ttl=51 time=6.597 ms
64 bytes from 185.60.217.35: seq=5 ttl=51 time=6.968 ms
64 bytes from 185.60.217.35: seq=6 ttl=51 time=7.312 ms
^Z[2]+  Stopped                    ping 185.60.217.35
/ #

dave14305 · April 25, 2026, 5:45pm

Tests from the router don’t matter because the rules only block traffic originating from lan. Test from the laptop and then re-run this earlier command on the router:

nft list chain inet fw4 forward_lan

anon22003091 · April 25, 2026, 5:48pm

you mean test pinging from the laptop?

anon22003091 · April 25, 2026, 5:51pm

$ping 185.60.217.35
PING 185.60.217.35 (185.60.217.35) 56(84) bytes of data.
[*]

its stuck here endlessly, same for pinging the url.

/ # nft list chain inet fw4 forward_lan
table inet fw4 {
        chain forward_lan {
                ip daddr @Facebook-IPv4Set counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Facebook-BlockIPv4Set"
                meta l4proto tcp ip daddr @Debug counter packets 9 bytes 540 jump reject_to_wan comment "!fw4: DebugIPSets"
                meta l4proto udp ip daddr @Debug counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: DebugIPSets"
                tcp dport 80 counter packets 5 bytes 300 jump accept_to_wan comment "!fw4: http"
                tcp dport 443 counter packets 1060 bytes 63592 jump accept_to_wan comment "!fw4: https"
                tcp dport { 25, 465, 993, 4190 } counter packets 23 bytes 1380 jump accept_to_wan comment "!fw4: smtps, imap"
                tcp dport { 22, 7777 } counter packets 7 bytes 420 jump accept_to_wan comment "!fw4: ssh"
                udp dport 123 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: ntp"
                udp dport 1194 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: openVPN"
                udp dport 51820 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: wireguard"
                tcp dport 5222 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: xmpp"
                tcp dport 11371 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: openPGP Schlüsselserver"
                counter packets 1551 bytes 1398512 jump drop_to_wan comment "!fw4: Blocke alles"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }
}

anon22003091 · April 25, 2026, 5:58pm

tried with deactivating the custom traffic rules again, except for the IPv4+6 and the isp test rule. still loading. ping on laptop is working now. Wasnt working before.

Could it be, that some of the default traffic-rules interfere?

/ # nft list chain inet fw4 forward_lan
table inet fw4 {
        chain forward_lan {
                ip daddr @Facebook-IPv4Set counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Facebook-BlockIPv4Set"
                meta l4proto tcp ip daddr @Debug counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: DebugIPSets"
                meta l4proto udp ip daddr @Debug counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: DebugIPSets"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }
}

anon22003091 · April 25, 2026, 6:04pm

guys, its saturday evening. Thanks for headin back here and help with my ruleset! <3

dave14305 · April 25, 2026, 6:20pm

Ok, looking back, your ipset isn’t loading with the netmask applied. What is in your source file? It should have the /24 etc. after the IP start addresses.

Change the ipsets from dest_ip to dest_net.

anon22003091 · April 25, 2026, 7:05pm

Ill do! Yes, its only IP ranges, heres a snippet:

57.144.120.0/23
57.144.122.0/23
66.220.144.0/20
66.220.144.0/21
66.220.152.0/21
69.63.176.0/20
102.132.119.0/24
102.132.120.0/24
102.132.121.0/24
102.132.122.0/24
102.132.123.0/24
102.132.124.0/24

Btw: the test IP txt from the ISP is:

192.168.40.1/24
2a03:2880:f164::/48

and the settings is dest_ip from he test traffic-rule, too, but with this IP set the block is working.

You know what 100% packet loss means? :-)))

└──╼ $ping 185.60.217.35
PING 185.60.217.35 (185.60.217.35) 56(84) bytes of data.
From 192.168.100.1 icmp_seq=1 Destination Port Unreachable
From 192.168.100.1 icmp_seq=2 Destination Port Unreachable
From 192.168.100.1 icmp_seq=3 Destination Port Unreachable
From 192.168.100.1 icmp_seq=4 Destination Port Unreachable
From 192.168.100.1 icmp_seq=5 Destination Port Unreachable
From 192.168.100.1 icmp_seq=6 Destination Port Unreachable
From 192.168.100.1 icmp_seq=7 Destination Port Unreachable
From 192.168.100.1 icmp_seq=8 Destination Port Unreachable
From 192.168.100.1 icmp_seq=9 Destination Port Unreachable
From 192.168.100.1 icmp_seq=10 Destination Port Unreachable
From 192.168.100.1 icmp_seq=11 Destination Port Unreachable
From 192.168.100.1 icmp_seq=12 Destination Port Unreachable
^C
--- 185.60.217.35 ping statistics ---
12 packets transmitted, 0 received, +12 errors, 100% packet loss, time 11243ms

┌─[✗]─[usr@domain]─[~]
└──╼ $ping facebook.com
PING facebook.com (185.60.217.35) 56(84) bytes of data.
From name.lan (192.168.100.1) icmp_seq=1 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=2 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=3 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=4 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=5 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=7 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=8 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=9 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=10 Destination Port Unreachable
^C
--- facebook.com ping statistics ---
10 packets transmitted, 0 received, +10 errors, 100% packet loss, time 9205ms

┌─[✗]─[usr@domain]─[~]
└──╼ $ping facebook.com
PING facebook.com (185.60.217.35) 56(84) bytes of data.
From name.lan (192.168.100.1) icmp_seq=1 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=2 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=3 Destination Port Unreachable
From name.lan (192.168.100.1) icmp_seq=4 Destination Port Unreachable
^C
--- facebook.com ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3058ms

I suczessive reenabled all the custom rules, also the browserfeatures DNS over https, and IPv6 networking, too, and it seems working for now. I dont trust the peace and think of caching, or anything strange. But it seems to work flawlessly!

I de- and reactiveated the traffic-rules for make sure this is working and everything works now. Heres nft list chain inet fw4 forward_lan again:

/ # nft list chain inet fw4 forward_lan
table inet fw4 {
        chain forward_lan {
                ip daddr @Facebook-IPv4Set counter packets 60 bytes 4752 jump reject_to_wan comment "!fw4: Facebook-BlockIPv4Set"
                meta l4proto tcp ip daddr @Debug counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: DebugIPSets"
                meta l4proto udp ip daddr @Debug counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: DebugIPSets"
                tcp dport 80 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: http"
                tcp dport 443 counter packets 9 bytes 540 jump accept_to_wan comment "!fw4: https"
                tcp dport { 25, 465, 993, 4190 } counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: smtps, imap"
                tcp dport { 22, 7777 } counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: ssh"
                udp dport 123 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: ntp"
                udp dport 1194 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: openVPN"
                udp dport 51820 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: wireguard"
                tcp dport 5222 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: xmpp"
                tcp dport 11371 counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: openPGP Schlüsselserver"
                counter packets 9 bytes 26544 jump drop_to_wan comment "!fw4: Blocke alles"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }
}

ip daddr @Facebook-IPv4Set counter packets 60 bytes 4752 jump reject_to_wan comment "!fw4: Facebook-BlockIPv4Set"

Maybe some thoughts on this whole thing later. But this right now: I'm really glad and fortune, that I'm able to keep the whole company out of my network now. But as mentioned above from dharmik parmar fb and all the other bigtechs will change this on a regular basis. So that whole thing needs maintenance. So, I will try out all other options for blocking and controlling network traffic, too. Ĺike DNS IPSets filter. And surely I will take a look on ipBAN. Some tests will follow.

Thank you and all the other helpers here!

Hopefully we dont see us again with this SetsIP-Rule-Traffic-Firewall-Stuff.

reinerotto · April 25, 2026, 7:18pm

not good idea

anon22003091 · April 25, 2026, 7:21pm

he reinerotto,

thank you! I changed this!

dave14305 · April 25, 2026, 7:30pm

For this earlier test, it worked because the portion before the /24 was coincidentally the same IP you were testing against. In the Facebook list, the IP imported as 185.60.217.0 (instead of 185.60.217.0/24) and that was not the test IP 185.60.217.35.

Glad it’s working.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!