Unable to block IP subs

Hi,

I’m trying to block two /24 ranges. To make it tidy I’ve created an IPset in the Firewall, including the two ranges, and then created a firewall rule to drop forwarding (and in the Advanced tab of the rule I’ve included the IPset).

But the problem is, that the changes don’t seem to do anything.

I want to eliminate (drop) any connection from or to those ranges - from or to any device on my network and regardless of what protocol is being used.

I’ve tried to make rules with unspecified device, or with inbound and outbound devices matching the wan or the bridge - but none seems to actually come into force.

I would be thankful for any hints.
Thank you.

default wan rule already rejects (can be changed to drop) all incoming connections from wan?

correct, but does that interfere with this rule?

at least the 1st should overlap, IMHO.
the 2nd one, I'm not sure.

To clarify, I am testing an outbound connection - which should also not be allowed per my rule - to these ranges, but I do have a connection - I can ping or ssh to these ranges.

Perhaps, I need some trigger in my rule that is not there? Or too generic rules like in my case don’t work?

I’ve reworked it a bit, but still does not work.

I’m including screenshots to make it more clear how I set it up…

Perhaps, in the IPset I need to make two - one for src_net and one for dest_net? Or remove that at all?

what's the ipset supposed to do, does it contain RU IPs/ranges you don't want to allow access to?

to match these 2 ranges in the Firewall - Traffic rule, which should (supposedly) drop anything from/to the ranges.

Changed to dest_net or to net (sub) - neither seems to work

tried to change the Packet field match to ip - also didn’t work.

works for me...

you don't need any incoming rule.


so, the IPset does not seem to work?

OK I will make it without it.

check the ipset setup - https://openwrt.org/docs/guide-user/firewall/firewall_configuration#ip_sets

I can confirm now - with the standard way of doing it - WITHOUT the use of the IPset - like in this screenshot - finally it does work. Thank you.


If you want to expand with an ipset later, this should work:

config ipset
        option name 'EvilGnome'
        option family 'ipv4'
        list match 'net'
        list entry '195.62.52.0/24'
        list entry '195.62.53.0/24'

config rule
        option name 'Deny-EvilGnome'
        option src 'lan'
        option dest 'wan'
        option family 'ipv4'
        option ipset 'EvilGnome dest'
        option target 'REJECT'
        list proto 'all'

Resulting firewall sections:

        set EvilGnome {
                type ipv4_addr
                auto-merge
                flags interval
                elements = {
                        195.62.52.0/24,
                        195.62.53.0/24,
                }
        }

        chain forward_lan {
                meta nfproto ipv4 ip daddr @EvilGnome counter jump reject_to_wan comment "!fw4: Deny-EvilGnome"

BTW, you can simplify your 2 subnets to 195.62.52.0/23 since they are adjacent.

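As an added example (editor's code, not from the thread or the OpenWrt project), the following script builds the ipset and rule sections shown above from a list of ranges, collapsing adjacent prefixes into one (the /23 mentioned in the last reply), and checks which addresses the set would match. It assumes the fw4 `ipset` option syntax `'<name> src'` / `'<name> dest'` as documented at the openwrt.org link above; the target defaults to DROP, which is what the original poster asked for.

```python
"""Added example: emit a fw4 'config ipset' + 'config rule' pair for a list of
IPv4 ranges (merging adjacent prefixes) and test addresses against the set."""
import ipaddress

# Constructed input: the two /24s from the thread (they merge into one /23).
RANGES = ["195.62.52.0/24", "195.62.53.0/24"]


def collapse(ranges):
    """Merge adjacent or overlapping prefixes; two aligned /24s become one /23."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def uci_ipset(name, ranges):
    """'config ipset' section. 'match net' means entries are subnets; whether they
    are compared with the packet's source or destination is chosen in the rule."""
    lines = ["config ipset",
             f"\toption name '{name}'",
             "\toption family 'ipv4'",
             "\tlist match 'net'"]
    lines += [f"\tlist entry '{n}'" for n in collapse(ranges)]
    return "\n".join(lines)


def uci_rule(name, ipset, src, dest, direction, target="DROP"):
    """'config rule' referencing the set; direction ('src' or 'dest') selects
    which address of the forwarded packet is looked up in the set."""
    if direction not in ("src", "dest"):
        raise ValueError("direction must be 'src' or 'dest'")
    return "\n".join(["config rule",
                      f"\toption name '{name}'",
                      f"\toption src '{src}'",
                      f"\toption dest '{dest}'",
                      "\toption family 'ipv4'",
                      f"\toption ipset '{ipset} {direction}'",
                      f"\toption target '{target}'",
                      "\tlist proto 'all'"])


def is_blocked(addr, ranges):
    """True if addr lies inside the set, i.e. the rule would match it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in collapse(ranges))


if __name__ == "__main__":
    # Outbound-only rule, as advised in the thread; the wan zone's default
    # policy already covers unsolicited inbound connections.
    print(uci_ipset("EvilGnome", RANGES), "\n")
    print(uci_rule("Deny-EvilGnome", "EvilGnome", "lan", "wan", "dest"))
    for a in ("195.62.53.7", "195.62.54.1"):
        print(a, "blocked" if is_blocked(a, RANGES) else "allowed")
```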
