[SOLVED] Newby trying to level-up home network!

Hello,
I'm going to try to level up my home network. As I'm not a pro IT tech, I have some questions about things I don't fully understand.

Here's my setup:

  1. I didn't do anything other than default settings on both routers (no DMZ, no port forwarding, etc.) and plugged the ISP router from one of its 4 RJ45 network ports into the WAN port of the OpenWrt router. And everything is running smoothly. -> What kind of setup is this then? NAT, double NAT?

  2. The gateway of the Wi-Fi device is the IP of the LAN device. Is that OK, or would you say there is a better way to statically set up both devices, LAN and Wi-Fi?

  3. It's not clear to me how I can implement an nftables firewall filter with IP lists (here a list which I gathered from ASN libraries). ->

3.1)
$ curl --silent 'https://stat.ripe.net/data/announced-prefixes/data.json?preferred_version=1.1&resource=AS32934' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}' | sort -u > facebooknets.txt

generates a txt file with the associated IPv4 prefixes of Facebook. But what then?
When I upload this txt file in the firewall IPSet tab, I am still able to open facebook.com.
What do I have to do exactly to apply the generated IP lists in the firewall of the OpenWrt router?

Any hints are highly appreciated!
Jason

It is double NAT. The first NAT is your ISP router, the second is your OpenWrt router.

I'm not exactly sure what you mean by this, but fundamentally, the wifi devices should see their gateway as 192.168.200.1 based on your diagram. Within OpenWrt, that network doesn't need a gateway specified -- it will automatically use the default route, which is the wan interface.

IPsets are just sets of IPs. They don't do anything unless you create firewall rules that call on the IPsets. Did you do that? You'd theoretically create a REJECT rule with the source as the lan (and/or wlan), destination wan, and relevant ipsets selected in the destination addresses.

You have double NAT in that configuration.

For the secondary part, is your goal to just block Facebook / other specific domains?

@psherman No, I did not do that. So I need to add the rule in the tab network -> firewall -> IPSets. And additionally in [...] -> traffic-rules? I'll try that now.

EDIT: So I added the IP list to the IPSet entry and in the traffic rules to block Facebook IPs, and rebooted the router. But facebook dot com is still reachable. How would you do that? Could you explain it for someone completely new to this topic? :slight_smile:

@JustAnotherEndUser
I'm trying to block Facebook completely and Google services, I think completely, too. But more to come, surely! :slight_smile: So I'm generally trying to learn and figure out how I can implement IPSets from ASN data, so that the router can understand it.

So what would you say: the ISP router has a setting for DMZ, where I can give a unique IP address. But it bypasses the ISP firewall. So I think it would be better to have 2 firewalls. But I also read that double NATting is not that good.

Maybe later I will have a hardwired gaming computer, and I think there might be a problem with double NATting.

Yes, they see the gateway and dynamically get the right IP, i.e. the phone has the IP 192.168.200.76 when on Wi-Fi. On hardwired LAN the laptop has the right IP, too.

Another approach you could consider is to block domains (and subdomains thereof) from even being resolved by DNS. (You would obviously also have to additionally take steps to mitigate clients from using external DNS servers.)
From LuCI, Network>DNS:

With Google though, you will likely run into issues if you just start blanket-blocking Google IPs with firewall rules. Many other sites, and even browsers connect to Google services / IPs for numerous things.

Yes, I know that this would break most sites. :slight_smile:
I'm trying to block IP ranges. This is blocking by DNS, right? I'll try that out, but it would be nice to learn how to implement the IPSet thing. Thanks so far for the explanation!

The question is, which format do the fileupload in IPSets need?

Do I need to convert the IP lists generated by the console command above to an nftables format (*.nft) and load that as an IPSet?

From:

10.0.0.9/24
130.200.170.1
[...]

To *.nft format?

I converted the IP Lists from the ASNs to a nftables file.


table inet filter {
    set blocked_ips {
        type ipv4_addr;
        flags interval;
        elements = {
            2a03:2880:f02f::/48, 2a03:2880:f152::/48, 2a03:2880:f20d::/48, 31.13.83.0/24, 2a03:2880:f23a::/48,
            2a03:2880:f035::/48, 2a03:2880:f277::/48, 2a03:2880:f008::/48, 157.240.14.0/24, 163.70.128.0/17,
            2a03:2880:f134::/48, 2a03:2880:f159::/48, 2a03:2880:f164::/48, 129.134.0.0/17, 2a03:2880:f25e::/48,
            2a03:2880:ff0b::/48, 2a03:2880:f23d::/48, 2a03:2880:f107::/48, 2a03:2880:f07d::/48, 31.13.84.0/24,
            2a03:2880:f068::/48, 31.13.93.0/24, 2a03:2880:f02b::/48, 2a03:2880:f224::/48, 2a03:2880:f26d::/48,
            157.240.202.0/24, 129.134.31.0/24, 129.134.30.0/23, 2a03:2880:f00e::/48, 157.240.13.0/24,
            2a03:2880:f243::/48, 2a03:2880:f27b::/48, 2a03:2880:f078::/48, 2a03:2880:f232::/48, 2a03:2880::/36,
            2a03:2880:f17c::/48, 2a03:2880:f20f::/48, 185.60.216.0/22, 31.13.89.0/24, 129.134.27.0/24,
            2a03:2880:f00c::/48, 2a03:2880:f113::/48, 2a03:2880:f098::/48, 157.240.234.0/24, 2a03:2880:f105::/48,
            45.64.40.0/22, 2a03:2880:f14e::/48, 157.240.199.0/24, 31.13.96.0/19, 157.240.233.0/24,
            2a03:2880:f104::/48, 2a03:2880:f032::/48, 157.240.249.0/24, 2a03:2880:f021::/48, 2a03:2880:f162::/48,
            2a03:2880:f06a::/48, 2a03:2880:f143::/48, 2a03:2880:f111::/48, 2a03:2880:f15a::/48, 157.240.217.0/24,
            157.240.19.0/24, 157.240.23.0/24, 185.89.218.0/23, 157.240.240.0/24, 2a03:2880:f076::/48,
            2a03:2880:f22b::/48, 2a03:2880:f26e::/48, 2a03:2880:f147::/48, 2a03:2880:2000::/36,
            2a03:2880:f083::/48, 157.240.224.0/24, 31.13.94.0/24, 185.89.218.0/24, 2a03:2880:f170::/48,
            157.240.27.0/24, 31.13.79.0/24, 69.171.224.0/20, 157.240.214.0/24, 31.13.71.0/24,
            2a03:2880:f13e::/48, 31.13.65.0/24, 185.60.217.0/24, 2a03:2880:f065::/48, 31.13.80.0/24,
            2a03:2880:f03e::/48, 2a03:2880:f264::/48, 2a03:2880:f25a::/48, 102.132.100.0/24, 2a03:2880:f23f::/48,
            163.70.132.0/24, 66.220.144.0/20, 157.240.209.0/24, 31.13.69.0/24, 157.240.197.0/24, 157.240.31.0/24,
            185.60.219.0/24, 2a03:2880:f276::/48, 2a03:2880:f067::/48, 2a03:2880:f091::/48, 2a03:2880:f103::/48,
            2a03:2880:f228::/48, 2a03:2880:f266::/48, 2a03:2880:f007::/48, 2a03:2880:f141::/48, 157.240.0.0/17,
            129.134.30.0/24, 157.240.247.0/24, 2a03:2880:f20c::/48, 157.240.232.0/24, 157.240.241.0/24,
            2a03:2880:f165::/48, 2a03:2880:f260::/48, 2a03:2880:f2ff::/48, 2a03:2880:f273::/48,
            2a03:2880:f15b::/48, 157.240.192.0/18, 2a03:2880:f004::/48, 2a03:2880:f237::/48, 2a03:2880:f085::/48,
            2a03:2880:f213::/48, 2a03:2880:f059::/48, 2a03:2880:f082::/48, 129.134.29.0/24, 157.240.223.0/24,
            179.60.192.0/22, 2a03:2880:f150::/48, 2a03:2880:f13d::/48, 2a03:2880:f053::/48, 157.240.30.0/24,
            102.132.99.0/24, 2a03:2880:f10e::/48, 2a03:2880:f245::/48, 2a03:2880:f052::/48, 157.240.226.0/24,
            2a03:2880:f178::/48, 2a03:2880:f023::/48, 2a03:2880:f08e::/48, 2a03:2880:f24e::/48,
            2a03:2880:f172::/48, 2a03:2880:f205::/48, 2a03:2880:f211::/48, 2a03:2880:f176::/48,
            2a03:2880:f10c::/48, 129.134.25.0/24, 2a03:2880:f269::/48, 2a03:2880:f173::/48, 2a03:2880:f241::/48,
            2a03:2880:f27f::/48, 2620:0:1c00::/40, 2a03:2880:f236::/48, 31.13.75.0/24, 2a03:2880:f10d::/48,
            2a03:2880:f265::/48, 2a03:2880:ff09::/48, 185.60.218.0/24, 69.63.176.0/21, 2a03:2880:f050::/48,
            2a03:2880:f08a::/48, 2a03:2880:f166::/48, 2a03:2880:f212::/48, 2a03:2880:f177::/48,
            2a03:2880:f201::/48, 31.13.64.0/18, 157.240.210.0/24, 2a03:2880:f270::/48, 2a03:2880:f169::/48,
            102.132.96.0/20, 2a03:2880:f001::/48, 2a03:2880:f204::/48, 157.240.242.0/24, 2a03:2880:f15c::/48,
            2a03:2880:f247::/48, 31.13.73.0/24, 157.240.195.0/24, 2a03:2880:f101::/48, 2a03:2880:f10f::/48,
            2a03:2880:f13a::/48, 103.4.96.0/22, 2a03:2880:f216::/48, 157.240.26.0/24, 2a03:2880:f066::/48,
            2a03:2880:f26b::/48, 157.240.207.0/24, 31.13.85.0/24, 2a03:2880:f0fd::/48, 2a03:2880:f1ff::/48,
            2a03:2880:f041::/48, 2a03:2880:f05b::/48, 157.240.17.0/24, 2a03:2880:f210::/48, 157.240.254.0/24,
            2a03:2880:f160::/48, 2a03:2880:f16e::/48, 2a03:2880:f137::/48, 2a03:2880:f1fd::/48,
            2a03:2880:f037::/48, 69.63.184.0/21, 2a03:2880:f175::/48, 2a03:2880:f060::/48, 157.240.201.0/24,
            2a03:2880:f17a::/48, 2a03:2880:f16b::/48, 157.240.1.0/24, 2a03:2880:f158::/48, 2a03:2880:f256::/48,
            157.240.237.0/24, 2a03:2880:f124::/48, 2a03:2880:f110::/48, 2a03:2880:f22f::/48, 157.240.251.0/24,
            2a03:2880:f05c::/48, 173.252.64.0/19, 157.240.216.0/24, 157.240.11.0/24, 2a03:2880:f131::/48,
            157.240.203.0/24, 157.240.7.0/24, 2a03:2880:f203::/48, 157.240.28.0/24, 2a03:2880:f0ff::/48,
            173.252.96.0/19, 2a03:2880:f171::/48, 185.89.219.0/24, 31.13.72.0/24, 2a03:2880:f22c::/48,
            157.240.222.0/24, 31.13.68.0/24, 2a03:2880:f148::/48, 2a03:2880:f058::/48, 66.220.152.0/21,
            2a03:2880:f23e::/48, 2a03:2880:f003::/48, 31.13.64.0/24, 66.220.144.0/21, 2a03:2880:f26f::/48,
            69.171.240.0/20, 2a03:2880:f275::/48, 69.171.250.0/24, 2a03:2880:f16d::/48, 2a03:2880:f272::/48,
            2a03:2880:f05e::/48, 157.240.253.0/24, 2a03:2880:f013::/48, 69.63.176.0/20, 157.240.12.0/24,
            204.15.20.0/22, 2a03:2880:f17b::/48, 2a03:2880:f145::/48, 2a03:2880:f132::/48, 2a03:2880:f259::/48,
            157.240.238.0/24, 157.240.6.0/24, 2a03:2880:f26a::/48, 31.13.67.0/24, 2a03:2880:f248::/48,
            31.13.90.0/24, 2a03:2880:f221::/48, 2a03:2880:f234::/48, 2a03:2880:f074::/48, 2a03:2880::/32,
            2a03:2880:f12f::/48, 2a03:2880:f253::/48, 2a03:2880:f271::/48, 157.240.252.0/24, 2a03:2880:f25c::/48,
            2a03:2880:f00d::/48, 2a03:2880:f077::/48, 2a03:2880:f012::/48, 2a03:2880:f16f::/48, 31.13.82.0/24,
            2a03:2880:f112::/48, 2a03:2880:f258::/48, 157.240.218.0/24, 2a03:2880:f20a::/48, 2a03:2880:f27c::/48,
            2a03:2880:f057::/48, 31.13.77.0/24, 2a03:2880:f208::/48, 2a03:2880:f15e::/48, 31.13.24.0/21,
            179.60.195.0/24, 74.119.76.0/22, 2a03:2880:3000::/36, 69.171.224.0/19, 2a03:2880:f048::/48,
            157.240.244.0/24, 157.240.15.0/24, 2a03:2880:f028::/48, 2a03:2880:ff08::/48, 2a03:2880:f27a::/48,
            2a03:2880:f071::/48, 2a03:2880:f12c::/48, 2a03:2880:f231::/48, 157.240.212.0/24, 2a03:2880:f0fc::/47,
            2a03:2880:f263::/48, 157.240.225.0/24, 2a03:2880:f219::/48, 129.134.26.0/24, 2a03:2880:f242::/48,
            31.13.88.0/24, 2a03:2880:f10a::/48, 2a03:2880:f06f::/48, 157.240.229.0/24, 2a03:2880:f123::/48,
            2a03:2880:f03d::/48, 102.132.96.0/24, 2a03:2880:f13f::/48, 129.134.28.0/24, 2a03:2880:f235::/48,
            163.70.128.0/24, 2a03:2880:f00f::/48, 2a03:2880:f011::/48, 2a03:2880:1000::/36, 2a03:2880:f257::/48,
            157.240.3.0/24, 2a03:2880:f16a::/48, 2a03:2880:f05a::/48, 2a03:2880:f07e::/48, 2a03:2880:f121::/48,
            2a03:2880:f005::/48, 2a03:2880:f034::/48, 157.240.5.0/24, 31.13.66.0/24, 2a03:2880:f04e::/48,
            2a03:2880:f043::/48, 157.240.9.0/24, 2a03:2880:f252::/48, 157.240.25.0/24, 2a03:2880:f108::/48,
            2a03:2880:f02c::/48, 2a03:2880:f024::/48, 2a03:2880:ff0a::/48, 2a03:2880:f00a::/48, 157.240.205.0/24,
            2a03:2880:ff0c::/48, 2a03:2880:f031::/48, 2a03:2880:f135::/48, 2a03:2880:f262::/48,
            2a03:2880:f045::/48, 2a03:2880:f010::/48, 157.240.243.0/24, 31.13.70.0/24, 2a03:2880:f156::/48,
            2a03:2880:f042::/48, 2a03:2880:f016::/48, 2a03:2880:f25b::/48, 31.13.81.0/24, 2a03:2880:f20e::/48,
            2a03:2880:f056::/48, 2a03:2880:f019::/48, 2a03:2880:f278::/48, 2a03:2880:f163::/48,
            2a03:2880:f153::/48, 2a03:2880:f136::/48, 2a03:2880:f1fc::/47, 157.240.16.0/24, 2a03:2880:f084::/48,
            2a03:2880:f1fc::/48, 2a03:2880:f116::/48, 2a03:2880:f04c::/48, 157.240.245.0/24, 2a03:2880:f17f::/48,
            31.13.86.0/24, 2a03:2880:f03a::/48, 2a03:2880:f128::/48, 2a03:2880:f036::/48, 2a03:2880:f250::/48,
            2a03:2880:f157::/48, 157.240.231.0/24, 157.240.196.0/24, 2a03:2880:f0fc::/48, 157.240.200.0/24,
            157.240.211.0/24, 157.240.24.0/24, 2a03:2880:f207::/48, 2a03:2880:f070::/48, 2a03:2880:f047::/48,
            2a03:2880:f12b::/48, 102.132.101.0/24, 2a03:2880:f03f::/48, 157.240.235.0/24, 157.240.221.0/24,
            2a03:2880:f142::/48, 2a03:2880:f080::/48, 157.240.22.0/24, 2a03:2880:f119::/48, 157.240.192.0/24,
            173.252.88.0/21, 157.240.8.0/24, 157.240.236.0/24, 2a03:2880:f223::/48, 157.240.204.0/24,
            2a03:2880:f24c::/48, 2a03:2880:f14c::/48, 157.240.0.0/24, 199.201.67.0/24, 2620:10d:c092::/48,
            2620:10d:c09a::/48, 163.114.132.0/24, 163.114.129.0/24, 163.114.133.0/24, 2620:10d:c091::/48,
            199.201.64.0/22, 2620:10d:c098::/48, 163.114.128.0/20, 2620:10d:c096::/48, 163.114.131.0/24,
            163.114.134.0/24, 2620:10d:c093::/48, 2620:10d:c094::/48, 2620:10d:c09b::/48, 2620:10d:c095::/48,
            2620:10d:c099::/48, 2620:10d:c090::/48, 163.114.130.0/24, 163.114.128.0/24, 2620:10d:c090::/44,
            129.134.173.0/24, 2a03:2887:ff1e::/48, 2a03:2887:ff43::/48, 129.134.138.0/24, 2a03:2887:ff48::/48,
            157.240.157.0/24, 2a03:2887:ff4b::/48, 2a03:2887:ff49::/48, 2a03:2887:ff02::/48, 2a03:2887:ff1b::/48,
            2a03:2887:ff19::/48, 102.221.191.0/24, 102.132.125.0/24, 129.134.155.0/24, 129.134.176.0/24,
            129.134.131.0/24, 129.134.164.0/24, 129.134.149.0/24, 2a03:2887:ff03::/48, 102.132.117.0/24,
            2a03:2887:ff4e::/48, 2a03:2887:ff23::/48, 2c0f:ef78:11::/48, 102.132.123.0/24, 157.240.170.0/24,
            129.134.177.0/24, 2a03:2887:ff3f::/48, 129.134.132.0/24, 157.240.177.0/24, 129.134.140.0/24,
            129.134.150.0/24, 102.132.120.0/24, 129.134.147.0/24, 129.134.174.0/24, 129.134.170.0/24,
            2a03:2887:ff1f::/48, 2a03:2887:ff25::/48, 129.134.175.0/24, 129.134.139.0/24, 157.240.156.0/24,
            2a03:2887:ff2b::/48, 129.134.157.0/24, 157.240.175.0/24, 2c0f:ef78:9::/48, 157.240.174.0/24,
            157.240.181.0/24, 129.134.163.0/24, 102.132.127.0/24, 2a03:2887:ff39::/48, 129.134.128.0/24,
            2a03:2887:ff4f::/48, 157.240.179.0/24, 2a03:2887:ff1c::/48, 129.134.130.0/24, 2a03:2887:ff38::/48,
            157.240.159.0/24, 2c0f:ef78:5::/48, 2a03:2887:ff50::/48, 129.134.169.0/24, 129.134.136.0/24,
            129.134.168.0/24, 129.134.159.0/24, 102.221.189.0/24, 157.240.176.0/24, 102.132.126.0/24,
            2a03:2887:ff4a::/48, 102.221.188.0/24, 2a03:2887:ff27::/48, 2a03:2887:ff37::/48, 129.134.156.0/24,
            2a03:2887:ff2a::/48, 2c0f:ef78:d::/48, 129.134.148.0/24, 129.134.171.0/24, 129.134.172.0/24,
            2a03:2887:ff30::/48, 2a03:2887:ff1d::/48, 2a03:2887:ff3b::/48, 2a03:2887:ff2f::/48, 129.134.184.0/24,
            2c0f:ef78:12::/48, 102.132.113.0/24, 102.132.112.0/24, 157.240.128.0/24, 129.134.144.0/24,
            2a03:2887:ff45::/48, 102.132.114.0/24, 2a03:2887:ff40::/48, 2a03:2887:ff51::/48, 102.132.118.0/24,
            2a03:2887:ff28::/48, 2a03:2887:ff59::/48, 2a03:2887:ff4d::/48, 157.240.182.0/24, 129.134.135.0/24,
            129.134.165.0/24, 102.132.116.0/24, 2c0f:ef78:6::/48, 129.134.137.0/24, 129.134.160.0/24,
            2c0f:ef78:e::/48, 2a03:2887:ff29::/48, 2a03:2887:ff52::/48, 2c0f:ef78:f::/48, 2a03:2887:ff44::/48,
            102.132.122.0/24, 2a03:2887:ff35::/48, 129.134.158.0/24, 102.132.119.0/24, 129.134.154.0/24,
            129.134.143.0/24, 157.240.169.0/24, 2a03:2887:ff58::/48, 129.134.183.0/24, 2a03:2887:ff3a::/48,
            102.132.115.0/24, 2c0f:ef78:3::/48, 57.144.180.0/23, 57.144.162.0/23, 57.144.114.0/23, 57.141.4.0/24,
            57.141.19.0/24, 57.144.184.0/23, 129.134.24.0/23, 57.144.66.0/23, 57.144.174.0/23, 163.77.133.0/24,
            185.89.216.0/22, 57.144.252.0/23, 57.144.22.0/23, 57.144.182.0/23, 57.144.208.0/23, 157.240.208.0/24,
            163.77.132.0/24, 57.144.108.0/23, 57.144.178.0/23, 57.144.198.0/23, 163.70.143.0/24, 57.144.176.0/23,
            57.144.240.0/23, 57.144.120.0/23, 57.141.10.0/24, 57.144.254.0/23, 31.13.87.0/24, 57.145.0.0/23,
            57.145.12.0/23, 57.144.196.0/23, 57.141.0.0/24, 57.144.0.0/14, 57.141.15.0/24, 57.144.216.0/23,
            57.144.132.0/23, 157.240.29.0/24, 57.144.234.0/23, 57.144.248.0/23, 57.141.13.0/24, 57.144.54.0/23,
            57.141.14.0/24, 57.144.128.0/23, 57.144.72.0/23, 163.70.144.0/24, 57.144.200.0/23, 57.144.68.0/23,
            163.77.136.0/23, 57.141.21.0/24, 57.144.228.0/23, 57.145.6.0/23, 57.144.204.0/23, 57.144.148.0/23,
            57.144.192.0/23, 57.144.124.0/23, 57.144.74.0/23, 57.144.50.0/23, 57.144.246.0/23, 57.144.218.0/23,
            57.141.6.0/24, 57.141.7.0/24, 57.144.116.0/23, 57.144.42.0/23, 57.144.140.0/23, 57.144.186.0/23,
            57.144.250.0/23, 57.141.20.0/24, 57.141.3.0/24, 57.144.242.0/23, 57.141.9.0/24, 57.144.38.0/23,
            163.70.152.0/24, 57.141.11.0/24, 57.144.188.0/23, 57.145.2.0/23, 57.144.244.0/23, 163.77.132.0/23,
            31.13.95.0/24, 57.144.212.0/23, 57.144.150.0/23, 129.134.28.0/23, 57.144.160.0/23, 57.144.78.0/23,
            163.70.130.0/24, 57.144.164.0/23, 57.141.17.0/24, 129.134.26.0/23, 57.144.126.0/23, 57.144.210.0/23,
            31.13.91.0/24, 163.70.131.0/24, 57.141.12.0/24, 57.144.202.0/23, 57.144.220.0/23, 57.144.172.0/23,
            57.144.112.0/23, 57.144.70.0/23, 57.144.134.0/23, 57.141.2.0/24, 57.141.18.0/24, 57.144.144.0/23,
            102.132.104.0/24, 57.145.4.0/23, 57.144.100.0/23, 57.141.8.0/24, 57.144.44.0/23, 57.144.104.0/23,
            57.144.152.0/23, 57.144.206.0/23, 163.70.159.0/24, 57.144.194.0/23, 57.144.142.0/23, 57.144.76.0/23,
            57.144.56.0/23, 57.141.16.0/24, 163.77.136.0/24, 57.144.110.0/23, 57.144.236.0/23, 57.144.64.0/23,
            57.144.138.0/23, 57.141.5.0/24, 57.144.222.0/23, 57.144.136.0/23, 157.240.227.0/24, 163.77.137.0/24
        }
    }

    chain input {
        type filter hook input priority 0;
        policy accept;
        ip saddr @blocked_ips drop
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;
        ip saddr @blocked_ips drop
    }
}

then loaded this file in the router's IP Sets tab, then went to ... -> traffic rules and added the rule, in advanced settings I added the nft file, and rebooted the router, but nothing.

Facebook is still loading. What am I missing here?

I just tried this whole process with an IP that is definitely up and correct. No change. Here's the blocklist.nft:

table inet filter {
    set blocked_ips {
        type ipv4_addr;
        flags interval;
        elements = {
            168.124.119.70
        }
    }

    chain input {
        type filter hook input priority 0;
        policy accept;
        ip saddr @blocked_ips drop
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;
        ip saddr @blocked_ips drop
    }
}

The website behind the IP is still reachable. :slight_smile: I think I have a completely wrong approach. I cannot find info on how OpenWrt handles the IP Sets, or I cannot recognize it as noticeable info for me at the moment. Never mind. Good night.

There are multiple approaches for what you are trying to do.
The DNS mitigation I suggested is quick and easy. (admittedly not perfect)
Additionally though, you could try using that in conjunction with BanIP. BanIP allows the blacklisting of IP addresses / ranges and applies it to your firewall rules for you.
You already have the list of CIDR ranges. You could simply paste them into the blacklist file.
Much quicker, easier, and cleaner than the import process you are attempting.

Check this out:
https://github.com/openwrt/packages/blob/master/net/banip/files/README.md

I will try the mentioned approach via DNS IP blocking and BanIP. I'm just somehow stuck on this file-upload solution. The idea is really nice: you regularly scan ASN IP ranges and put them into a big list, upload them (all via LuCI), make your fw4 rule, and there you go.

I tried a bit further and get a warning message while restarting the firewall via SSH.
fw4restart message
From here I'm going to deep dive a bit.

What I know is, the format of the upload should be UTF-8 and line-by-line CIDR IPv4 and IPv6 entries. Good to know that I can simply use the "ASN-curl-generated" file without converting it to another file format, like in my approaches above.

So, the message while restarting the firewall via ssh says,

Section @ipset[0] (XXXXTestBlocklistSingleTXT) must not specify family 'any' when matching type 'ip' or 'net'
Section @rule[12] (ntp) is disabled, ignoring section
Section @rule[13] (openVPN) is disabled, ignoring section
Section @rule[14] (wireguard) is disabled, ignoring section
Section @rule[18] (XXXXTestBlockRule) references unknown set 'XXXXTestBlocklistSingleTXT'

*: btw, in the txt-file I only have 2 ipv4 and 1 ipv6 IPs, utf-8 formatted, and without spaces and or hidden characters.

i.e. the IPSet entry should not have the option (family) ipv4 and ipv6 together WHEN matching type 'ip' or 'net'. Huh? If I'm looking at the IPSets settings provided by LuCI, I cannot even see such options. So I need to try and fail. So next:

IPSets entry = I'll set the option to only ipv4, and also the
firewall rule to ipv4 only. But this is not good, because I also have IPv6 IPs in the files, for sure. So I'm missing something here. Could it be that the LuCI UI is not 1:1 the same as the option list on the SSH server side from nftables/fw4?

Interestingly, when I change the family in the IPSets options to ipv4 only, AND do the same in the fw4 rules, I get this message:

I will search the net a bit more and come back when I found something useful to this.

You need to remove the second Packet Field Match entry for source IP. Multiple entries create a concatenation of fields.

And a set can only contain either IPv4 or IPv6, but not both.

BanIP also supports blocking of specified ASN ranges. By default, set for inbound traffic, but you can also set for inbound / outbound. Details are in the aforementioned BanIP documentation I linked in previous post.

The good news is, I tested your short blocklist.nft, and it works for me, just using another IP to be blocked. The bad news is the tricky implementation of your rules into the fw4 environment. I.e. in blocklist.nft you define a new table filter, to exist in parallel with the standard table fw4. Which means, i.e., a standard firewall restart will not affect your table filter. I think you should first set up a more or less final, correct blocklist.nft (like the first, large one), before integration into fw4. Because testing blocklist.nft itself then just needs "nft -f blocklist.nft". You might even opt to keep your blockfilter.nft separate from fw4 for a while, until finalized, just to be added to the firewall using "nft -f blockfilter.nft" in rc.local.

You are filtering on the source address (=saddr), but you want to drop traffic which targets the remote destination, don't you? So you'd use something like ip daddr @blocked_ips drop instead.

Not necessarily. As the filtering occurs in the input and forward path, blocked packets are the responses from FB, having their saddr in the ipset.

Sure, but the intention was to not access the remote site, not to not receive packets from the remote site. And apparently, as "The website behind the ip is still reachable.", it did not work. So it's better to stop connecting to the remote site in the first place using the daddr block than to allow outgoing traffic but drop the response traffic, IMHO.
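Pulling the thread's pieces together, as an added example (my own code, not anything posted in this thread or shipped by the OpenWrt project): it reads a prefix list in the shape of the RIPEstat answer the curl pipeline in the first post fetches, splits it by address family (a set holds either IPv4 or IPv6, never both, which is what the "references unknown set" and family errors above boil down to), masks host bits as in the 10.0.0.9/24 example, collapses duplicates and prefixes already covered by a larger one (the large blocklist.nft above lists 2a03:2880::/32 next to /48s inside it, and an interval set without auto-merge can reject such overlaps as conflicting), and renders the result three ways: the plain one-CIDR-per-line loadfile the IPSet upload expects, an fw4 ipset + rule pair, and a standalone nftables file that matches the destination address in the forward chain, as the last replies recommend. The sample JSON is constructed; set names, the loadfile path and the lan/wan zone names are my assumptions, and the fw4 option names follow the fw4 firewall configuration as I know it.

```python
import ipaddress
import json

# Constructed sample in the shape of RIPEstat's announced-prefixes answer
# (a handful of entries only; the real list for AS32934 runs to hundreds).
# Deliberate oddities: a duplicate, a /24 already covered by a /18, a CIDR
# with host bits set (10.0.0.9/24, as in the post above) and a junk entry.
SAMPLE_JSON = """{"data": {"resource": "32934", "prefixes": [
  {"prefix": "31.13.64.0/18"}, {"prefix": "31.13.64.0/24"},
  {"prefix": "31.13.64.0/24"}, {"prefix": "157.240.0.0/17"},
  {"prefix": "10.0.0.9/24"}, {"prefix": "2a03:2880::/32"},
  {"prefix": "2a03:2880:f001::/48"}, {"prefix": "not-a-prefix"}]}}"""


def parse_prefixes(doc):
    """Return (ipv4, ipv6) lists of network objects from the JSON body.

    Prefixes are split by address family (an nft set and an fw4 ipset hold
    one family only), host bits are masked off, junk entries are skipped,
    and duplicates or prefixes covered by a larger one are collapsed.
    """
    nets4, nets6 = [], []
    for item in json.loads(doc)["data"]["prefixes"]:
        try:
            net = ipaddress.ip_network(item["prefix"], strict=False)
        except ValueError:
            continue  # not a CIDR at all: skip it instead of aborting the run
        (nets4 if net.version == 4 else nets6).append(net)
    return (list(ipaddress.collapse_addresses(nets4)),
            list(ipaddress.collapse_addresses(nets6)))


def loadfile_text(nets):
    """One CIDR per line, no blanks or comments: the plain list format the
    curl pipeline produces and that an fw4 ipset loadfile expects."""
    return "".join(f"{n}\n" for n in nets)


def fw4_uci(name, family, path):
    """fw4 ipset + rule pair in /etc/config/firewall syntax. The set loads its
    members from a file and is matched against the destination address of
    lan->wan traffic. Set name, file path and zone names are assumptions."""
    return (f"config ipset\n\toption name '{name}'\n\toption family '{family}'\n"
            f"\toption match 'dest_net'\n\toption loadfile '{path}'\n\n"
            f"config rule\n\toption name 'block-{name}'\n\toption src 'lan'\n"
            f"\toption dest 'wan'\n\toption family '{family}'\n"
            f"\toption ipset '{name}'\n\toption target 'REJECT'\n")


def nft_ruleset(nets4, nets6, table="blocklist"):
    """Standalone nftables ruleset (for `nft -f`): one interval set per
    family and a forward-chain rule matching the *destination* address, so
    the outbound connection is dropped rather than only the replies."""
    def set_block(name, addr_type, nets):
        body = f"        type {addr_type};\n        flags interval;\n"
        if nets:  # an `elements = { }` with nothing inside is rejected by nft
            body += ("        elements = {\n            "
                     + ",\n            ".join(str(n) for n in nets)
                     + "\n        }\n")
        return f"    set {name} {{\n{body}    }}\n"

    return (f"table inet {table} {{\n"
            + set_block("blocked4", "ipv4_addr", nets4)
            + set_block("blocked6", "ipv6_addr", nets6)
            + "    chain forward {\n"
              "        type filter hook forward priority 0; policy accept;\n"
              "        ip daddr @blocked4 drop\n"
              "        ip6 daddr @blocked6 drop\n"
              "    }\n}\n")


if __name__ == "__main__":
    v4, v6 = parse_prefixes(SAMPLE_JSON)
    print(loadfile_text(v4), end="")
    print(fw4_uci("blocked4", "ipv4", "/etc/blocked4.txt"))
    print(nft_ruleset(v4, v6))
```

On a router you would write loadfile_text(v4) to the path named in the ipset section (and a second ipset with family 'ipv6' for the v6 list), then run /etc/init.d/firewall reload; the nft_ruleset output is the separate-table route from the reply above, loaded with nft -f and therefore untouched by fw4 restarts.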