banIP support thread

your config please.

standard. using mainly for doh blocking. any specifics you want to know?
I have reverted back to an earlier image with banip 1.5.6-r2 and it works fine.

I need your complete banip config.

config banip 'global'
	option ban_enabled '1'
	option ban_debug '0'
	option ban_autodetect '0'
	option ban_protov4 '1'
	list ban_ifv4 'WAN'
	option ban_fetchcmd 'curl'
	option ban_fetchretry '5'
	option ban_nicelimit '0'
	option ban_filelimit '1024'
	option ban_deduplicate '1'
	option ban_nftpriority '-100'
	option ban_icmplimit '0'
	option ban_synlimit '0'
	option ban_udplimit '0'
	option ban_nftpolicy 'performance'
	option ban_nftretry '5'
	option ban_blockpolicy 'drop'
	option ban_nftloglevel 'warn'
	option ban_logprerouting '0'
	option ban_loginbound '0'
	option ban_logoutbound '0'
	option ban_loglimit '100'
	option ban_autoallowlist '1'
	option ban_autoblocklist '0'
	option ban_allowlistonly '0'
	option ban_autoallowuplink 'ip'
	list ban_feedout 'doh'
	option ban_protov6 '1'
	list ban_ifv6 'WAN'
	list ban_feed 'doh'
	list ban_dev 'sfp-wan'

Unfortunately that's not reproducible, it works for me even with your config. Make sure that you update both packages (banip plus luci-app-banip).

@dibdot I've setup BanIP to scan for nginx (using the dropdown in LUCI). Which log format do I need to use for nginx? Standard or openwrt?

Sorry, I don't use nginx. The different regexes are documented in the online readme (check the chapter "Log Terms for logfile parsing").

Hello,
Since I flashed the 24.10 GL firmware on my GL.iNet Flint2, I can now have access to the latest baboon build.

I’ve asked ChatGPT to help me configure banip to allow incoming IP only from France (FR).

It said that I must have a conntrack connection for all connections outgoing from my LAN, allowing their answers even if the destination IP isn't FR.
It said to launch those commands:


uci set banip.global.enable='1'
uci set banip.global.allowlist_geoip='1'
uci set banip.global.geoip_countries='FR'
uci set banip.global.sources='geoip'
uci set banip.global.dnschain='0'  # disable DNS blocking so name resolution is not broken
uci set banip.global.autoallow_use='1'

And to set this configuration:

config banip 'global'
	option enable '1'
	option ban_source 'geoip'
	option allowlist_geoip '1'
	option geoip_countries 'FR'
	option dnschain '0'
	option autoallow_use '1'
	option loglevel 'info'
	option wan_input '1'
	option wan_forward '1'
	option target 'DROP'

But I don’t see anything about a dnschain option on the doc, nor about conntrack…

Is this configuration functional for what I want to do?

Thanks very much
Have a good day or evening.

Please forget the AI ... most of the suggested options are not valid/unknown. Please read the online available readme and start with a default configuration.

That's what I thought :wink:
But, before doing anything, can banip allow only incoming traffic from FR ip address, and allow all outgoing traffic to whatever IP in the world ?

Yep, check the readme regarding allowlist only mode, e.g.:

Doing it from the UI is way safer if you're still struggling. Sending screenshots since the settings are spread everywhere across tabs; hope it helps.


Just note, the saving in between is unnecessary. Just hit Save & Restart at the end.

I got banIP working as intended.

However, how to allow a single LAN IP (say 192.168.1.10) to circumvent any banIP blocks?
Note that I'm not asking how to whitelist an IP. I'm asking how to have LAN protected by banIP, with the exception of a single IP, meaning that this IP would be able to access any banIP blocked IPs, if required.

Can't find any option to do this in Luci. The only thing I can think of is creating a custom nftables rule with a higher priority to be sure it is hit before those of banIP.

Isn't there a better simpler way? Shouldn't banIP have this feature?

That's already implemented, check the readme and search for " MAC/IP-binding".

Hi! For some reason it is not working for me.

I'm using the correct MAC address and IP but still can't get past the blocks set by banIP.
For the record I'm using (bogus MAC address ahead from your readme file for privacy; I can assure you I'm using the correct one in my settings) C8:C2:9B:F7:80:12 192.168.1.10 (with just one space between the MAC and IP) on a separate row in the allowlist. I've restarted the service.

In the feed settings I'm blocking both the inbound and outbound connection to countries like Syria / Iran etc. Blocks work as intended in both directions.

Still can't connect to an IP from that set that banip is blocking from 192.168.1.10...

Reading your README file you're stating that the "MAC/IP binding" is "...or to free connected clients from outbound blocking". I'm assuming that once a connection is established it can live.
I've also blocked only the outbound in the feed settings but still can't get through.

I'll debug nftables on a lower level in CLI to pinpoint the issue, but from the get go it does not seem to work.

Edit:

:::
::: banIP Set Statistics
:::
    Timestamp: 2025-06-05 18:30:54
    ------------------------------
    blocked syn-flood packets  : 0
    blocked udp-flood packets  : 0
    blocked icmp-flood packets : 0
    blocked invalid ct packets : 0
    blocked invalid tcp packets: 0
    ---
    auto-added IPs to allowlist: 0
    auto-added IPs to blocklist: 0

    Set                  | Count        | Inbound (packets)     | Outbound (packets)    | Port/Protocol         | Elements
    ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
    allowlist_v4         | 4            | ON: 0                 | ON: 0                 | -                     |
    allowlist_v4MAC      | 0            | -                     | ON: 0                 | -                     |
    allowlist_v6         | 0            | ON: 0                 | ON: 0                 | -                     |
    allowlist_v6MAC      | 0            | -                     | ON: 0                 | -                     |
    becyber_v4           | 29876        | ON: 7                 | -                     | -                     |
    binarydefense_v4     | 1758         | ON: 1                 | -                     | -                     |
    blocklist_v4         | 0            | ON: 0                 | ON: 0                 | -                     |
    blocklist_v4MAC      | 0            | -                     | ON: 0                 | -                     |
    blocklist_v6         | 0            | ON: 0                 | ON: 0                 | -                     |
    blocklist_v6MAC      | 0            | -                     | ON: 0                 | -                     |
    bogon_v4             | 2297         | ON: 0                 | -                     | -                     |
    bruteforceblock_v4   | 441          | ON: 0                 | -                     | -                     |
    cinsscore_v4         | 11810        | ON: 8                 | -                     | -                     |
    country_v4           | 21254        | ON: 0                 | ON: 28                | -                     |
    ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
    14                   | 67440        | 10 (16)               | 9 (28)                | 0                     | 0

Why would the set allowlist_v4MAC be empty above if a MAC / IP has been provided in Luci?

Also, running service banip content allowlist_v4 returns an empty set when it seems to have a count of 4 in the above report:

:::
::: banIP Set Content
:::
    List elements of the Set 'allowlist_v4' on 2025-06-05 19:15:00
    ---
    empty Set

EDIT2: Restarting the router seems to have solved the issue with the rule sets not being updated. The IP can now connect to a banIP-blocked IP.

But why am I still seeing empty sets when I run service banip content allowlist_v4 or service banip content allowlist_v4MAC?
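As an added illustration (not code from banIP or from anyone in this thread), a small Python parser for the "banIP Set Statistics" report format shown above. It reads the per-set rows and flags sets that you expect to be populated but that still report zero elements, which is the symptom seen with allowlist_v4MAC before the reload. The sample report is a constructed, abbreviated copy of the one posted.

```python
import re

# Constructed sample: an abbreviated copy of the report posted in this thread,
# not output from a live router.
SAMPLE_REPORT = """\
:::
::: banIP Set Statistics
:::
    Timestamp: 2025-06-05 18:30:54
    ------------------------------
    blocked syn-flood packets  : 0
    ---
    auto-added IPs to allowlist: 0

    Set                  | Count        | Inbound (packets)     | Outbound (packets)    | Port/Protocol         | Elements
    ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
    allowlist_v4         | 4            | ON: 0                 | ON: 0                 | -                     |
    allowlist_v4MAC      | 0            | -                     | ON: 0                 | -                     |
    country_v4           | 21254        | ON: 0                 | ON: 28                | -                     |
    ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
    3                    | 21258        | 2 (0)                 | 3 (28)                | 0                     | 0
"""

# A set row starts with a set name (letters/digits/underscore, beginning with a
# letter) followed by a numeric element count. The header row ("Set | Count"),
# the separator rows and the numeric totals row do not match.
SET_ROW = re.compile(r"^\s*([A-Za-z]\w*)\s*\|\s*(\d+)\s*\|(.*)$")


def parse_counter(cell):
    """Turn 'ON: 28' into ('ON', 28); a '-' cell (rule not active) becomes (None, None)."""
    cell = cell.strip()
    if cell == "-":
        return None, None
    state, _, packets = cell.partition(":")
    return state.strip(), int(packets)


def parse_set_report(text):
    """Return {set_name: {"count": n, "inbound": (state, pkts), "outbound": (state, pkts)}}."""
    sets = {}
    for line in text.splitlines():
        m = SET_ROW.match(line)
        if not m:
            continue
        name, count, rest = m.group(1), int(m.group(2)), m.group(3)
        cells = rest.split("|")
        sets[name] = {
            "count": count,
            "inbound": parse_counter(cells[0]),
            "outbound": parse_counter(cells[1]),
        }
    return sets


def empty_expected_sets(sets, expected):
    """Names from `expected` that are missing from the report or have a zero element count."""
    return sorted(n for n in expected if sets.get(n, {}).get("count", 0) == 0)
```

Feeding the live output of `service banip report` to `parse_set_report` and checking the allowlist sets with `empty_expected_sets` is a quick way to confirm that a newly saved MAC/IP entry actually landed in the nftables set.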

Works for me - did you reload banIP after applying the MAC/IP?

Weird... this has always worked for me, and is still working with the latest banip (1.5.6-3).

I find just using the MAC address best and I make sure the device isn't using any randomized mac (or private mac).

I haven't/never tried the MAC address with IP address.

Can you try with just the MAC address?

Managed to get it working but only after restarting the router...

Still seeing empty sets when I run service banip content allowlist_v4 or service banip content allowlist_v4MAC when the report shows they have content...

But at least I got it working. I will make some changes to check whether I get to see them immediately or only after restarting the router. Strange.

Please just follow the hint after you've saved a new allowlist entry.
