That would seem to be exactly what I am looking for!
However, I have a small problem: I would set WAN-Input & WAN-Forward as enabled. The moment I enable WAN-Forward, I can no longer access from the WAN (e.g. from my cell phone with WiFi disabled) to some resources that are port forwarded.
This behavior is confirmed by the logs:
Thu Dec 26 00:57:04 2024 kern.warn kernel: [15804.285683] banIP/fwd-wan/drop/countryv4: IN=pppoe-wan OUT=br-lan.XX MAC= SRC=62.19.104.XX DST=192.168.XX.XX LEN=60 TOS=0x08 PREC=0x20 TTL=57 ID=56186 DF PROTO=TCP SPT=24886 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
This would seem to be fair and reasonable behavior, however, I limited only 5 countries ( not including my own).
What is even stranger is that if I perform an IP Search in the Set Reporting panel, I find the IP of my cell phone.
:::
::: banIP Search
:::
Looking for IP '62.19.104.XX' on 2024-12-26 01:13:22
---
IP found in Set 'countryv4'
My phone's IP actually belongs to this countryv4 element: https://www.ipdeny.com/ipblocks/data/countries/it.zone -> 62.18.0.0/15 but precisely Italy is not among the Countries (RIR) (only China, India, Iran, Russian Federation, Afghanistan are selected).
I also thought of checking the automatic blocklist (which populates the banip.blocklist file anyway, correct?), but my phone's IP doesn't figure (and anyway the Survey in that case shouldn't tell me it's blocked for countryv4).
What am I missing?
For now I will limit to WAN-Input Chain, however I would be really happy to figure out how to enable WAN-Forward as well 