Hello Everyone,

I need to block a range of IP addresses on the local network from accessing the interwebs. According to the "Traffic rule configuration" section of the wiki here, the "Source IP address" field "Specifies the IP address or range of IPs of the external host, i.e., the rule will apply only to hosts that have the IP addresses specified in this field".
When I try to input an IP address range in the usual formats, for example "192.168.1.50-99", the field gets highlighted in red and I'm unable to proceed.

Could someone perhaps advise me on the specific format in which I must enter the IP address range? I can't find any specifics anywhere.

Thank you in advance for the responses!

1 Answer

+1 vote
by

Hello,

There are two ways of doing this:

  1. By specifying IP/Netmask
  2. By specifying IP range

The first one is less complicated but you may not be able to specify the exact range that you want. You can find info on netmasks here. Use an online netmask calculator for help (like this one). For example, if you specify something like 192.168.1.128/25, the rule will apply to addresses in the range of 192.168.1.128 - 192.168.1.254.

The second method will require a lot more work, but ultimately you will be able to specify an IP range more conveniently and precisely. The router uses iptables for packet filtering. iptables supports a parameter called match (specified as -m). It specifies a match to use, that is, an extension module that tests for a specific property - a range of IPs in your case, which can be specified like this: -m iprange. However, for this to work you would have to install a special iptables extension called iptables-mod-iprange. To do so, follow these steps:

  1. Log in to the router via CLI or SSH (instructions can be seen here)
  2. Execute the following commands:
    opkg update
    opkg install iptables-mod-iprange --force-depends
  3. Move the installed module to the proper kernel directory. Use this command to do so:
    mv /lib/modules/3.18.23/xt_iprange.ko /lib/modules/3.18.44/
  4. For this to take effect, either insert the module manually (with this command: insmod /lib/modules/3.18.44/xt_iprange.ko) or simply reboot the router and it will take care of it automatically.
  5. Now for the rule itself. Go to the router's WebUI, Network → Firewall → Custom Rules section, enter this rule and save it:
    iptables -I FORWARD -m iprange --src-range 192.168.1.50-192.168.1.99 -j DROP

When you do this, the router will not forward any traffic coming from 192.168.1.50-192.168.1.99 to zones other than LAN. So, as the end result, devices from the specified range will be able to communicate in LAN, but not anywhere else. If you need them to communicate in zones other than LAN (like VPN, for example), reply to this answer and I'll help you add exceptions that will allow this.

Anyway, good luck and I hope this helps.

Best answer
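As an added example (not part of the original answer or the router's firmware), the helper below splits an arbitrary IPv4 range into the fewest CIDR blocks that cover it exactly, so the simpler IP/Netmask method can match a precise range with a handful of rules, and prints the rule in both the netmask and the iprange form. Only the FORWARD chain, the DROP target and the question's range come from the thread; the function names and sample input are constructed.

```python
# Added example: range -> minimal CIDR blocks -> iptables rules for both
# methods discussed in the answer. Chain/target mirror the answer's rule;
# everything else is constructed for illustration.

def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def range_to_cidrs(start: str, end: str) -> list:
    """Greedy split: from the current address take the largest block that is
    aligned on its own size and does not run past `end`, then advance."""
    cur, last = ip_to_int(start), ip_to_int(end)
    if cur > last:
        raise ValueError("range start is after range end")
    blocks = []
    while cur <= last:
        bits = 0                      # block holds 2**bits addresses
        while bits < 32:
            size = 1 << (bits + 1)
            if cur % size != 0 or cur + size - 1 > last:
                break                 # next larger block is misaligned or too big
            bits += 1
        blocks.append(f"{int_to_ip(cur)}/{32 - bits}")
        cur += 1 << bits
    return blocks

def cidr_size(cidr: str) -> int:
    """Number of addresses covered by one CIDR block."""
    return 1 << (32 - int(cidr.split("/")[1]))

def iptables_rules(start: str, end: str, chain: str = "FORWARD") -> dict:
    """Method 1: one -s rule per CIDR block, no extra module needed.
    Method 2: a single rule using the iprange match (needs iptables-mod-iprange)."""
    return {
        "netmask": [f"iptables -I {chain} -s {c} -j DROP" for c in range_to_cidrs(start, end)],
        "iprange": [f"iptables -I {chain} -m iprange --src-range {start}-{end} -j DROP"],
    }

if __name__ == "__main__":
    # Constructed input: the range from the question.
    for method, rules in iptables_rules("192.168.1.50", "192.168.1.99").items():
        print(f"# {method}: {len(rules)} rule(s)")
        print("\n".join(rules))
```

The question's range needs five netmask rules (192.168.1.50/31, .52/30, .56/29, .64/27, .96/30) versus one iprange rule, which is the trade-off the answer describes.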
by
Hi,

Thank you for your response, it was indeed very helpful!

I won't bother with the kernel module, however it is good to know that more detailed adjustment is possible that way. Instead I'll restructure the IP addresses to the end of the range and use the first method you suggested. This will be significantly easier to repeat on the next (potentially) hundred devices. Perhaps it will even be stored when backing up the configuration so I can just restore it on the other routers.

Thank you once again for your answer, it is much appreciated!
by
No problem. Hope everything works out!