banIP support thread

Hi @dibdot, I noticed you're using curl as the DL utility in your banIP configuration. I don't see it mentioned in this thread that uclient-fetch is broken when used with banIP; it might be worth mentioning here to forewarn SNAPSHOT users.

Since you also raised the issue here: https://github.com/openwrt/openwrt/issues/16907

Fri Nov 15 12:46:22 2024 user.info banIP-[55975]: start banIP processing (restart)
Fri Nov 15 12:46:22 2024 user.err banIP-[55975]: no download utility with SSL support
Fri Nov 15 12:46:24 2024 user.info banIP-[56276]: start banIP processing (reload)
Fri Nov 15 12:46:24 2024 user.err banIP-[56276]: no download utility with SSL support
Fri Nov 15 12:48:31 2024 user.info banIP-[61571]: start banIP processing (restart)
Fri Nov 15 12:48:31 2024 user.err banIP-[61571]: no download utility with SSL support

Already answered on github. If you're using unstable snapshot releases just disable the autodetection and set interfaces & Co. manually, e.g.:

How do I use it with wget? I have installed wget-ssl but banIP still shows
"no download utility with SSL support"

curl uses mbedtls and I prefer to use wget, which uses openssl.

Edit:
Answering my own question: curl can be built with openssl instead of mbedtls.

Good catch, fixed in latest banIP:

Can this be set up to only block incoming/outgoing connection attempts to IPs located in Asia? I would like to block these from a single host on my network only.

Curl can use OpenSSL but you have to explicitly set that in menuconfig.

Go to

Feed selection

Regional Internet Registry

select

APNIC

from the dropdown menu.

I'm in Australia, which is included in APNIC. I'll install this and take a look if there's another way; I do have some IP ranges I'd like blocked.

unblock aus...(whitelisting) separately

External Blocklist Feeds I have chosen APNIC

External Allowlist Feeds I have chosen Australia

Reload the service shows it is active. I can visit google.com.hk fine, I can ping a random game server IP in Hong Kong fine.

What seems to have worked is putting a single IP or CIDR notation in "edit blocklists".

What I can't figure out is how to block these IPs for my gaming console only.

Provide your current banIP config please.

@dibdot
Just flashed latest snapshot (28129) on MT6000 and version number does not show.

Apparently 1.0.0-r10 is installed.

That's a known apk issue, see

for reference.

A brief note on our own behalf: there is a new banIP release in the master and 24.10 branches. Among other things, it includes performance improvements and fixes the broken IP realtime monitor (triggered by the already mentioned apk bug).

I don't know if you might have fixed it already but I'll report it anyway. When reject is activated, TYPE=3 CODE=3 ICMP packets are sent to the rejected addresses via the WAN port. If you change it to drop, this effect is gone.

Default in banIP is "drop". What's the issue with the above ICMP types/codes? If I remember correctly we're using the same as OpenWrt fw4.
What's your recommendation?

Well, it depends on whether the packets really leave the device in the direction of the Internet; I have not tested this now. I have only seen that when LAN requests are rejected, such ICMP packets come to the WAN postrouting hook (priority 95), which would of course be a problem because your IP address would be visible to the discarded pages. Maybe you should add an extra drop rule for ICMP. You could also simplify things a bit in general: so far the rule chain for the input hook and the forward hook is created twice, but if you create it only once without hook assignment you could call it several times via jump/goto, which reduces the size of the banIP table.
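
The single-chain layout suggested in the post above, as an added example that is not part of the original thread and is not banIP's own ruleset. The table, set and chain names, the `wan` interface name, the priority and the set elements are all constructed for illustration:

```nftables
#!/usr/sbin/nft -f
# Constructed example: one regular chain shared by two base chains.

table inet example_ban {
    # Constructed sample entries (documentation address ranges).
    set blocklist4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Regular chain: it has no "type ... hook ..." line, so it is never
    # entered by the kernel directly and only runs when another chain
    # jumps to it. The match rules exist once, however many callers
    # there are.
    chain match_blocklist {
        # "drop" discards silently. A "reject" verdict here would answer
        # with an ICMP error instead, which is the traffic described in
        # the post above.
        ip saddr @blocklist4 counter drop
    }

    # Base chain on the input hook: traffic addressed to the router.
    chain wan_input {
        type filter hook input priority -100; policy accept;
        iifname "wan" jump match_blocklist
    }

    # Base chain on the forward hook: traffic routed through the router.
    chain wan_forward {
        type filter hook forward priority -100; policy accept;
        iifname "wan" jump match_blocklist
    }
}
```

Packets that match no rule in `match_blocklist` return to the calling base chain and continue there, so the shared chain behaves the same from either hook. The file can be syntax-checked without loading it using `nft -c -f <file>`.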

Hello @dibdot, are you the maintainer for luci-app-banip too? Because luci banIP is not working correctly at the moment in the latest snapshot r28214-5a4eb56a7b.

Two issues:

  1. Feed selection is broken (see screenshot); raised a GitHub issue: https://github.com/openwrt/luci/issues/7432
  2. banIP version not detected; minor, so I just didn't raise an issue (is this caused by the APK transition issue?)

Not reproducible - answered at github.

Yep, will be fixed with ...

Thanks, can confirm it's working after this was merged. Can't wait for stable OpenWrt 24.x; I'm at the edge of my seat at the moment waiting for this to happen after several months on snapshot.