Please make sure that during your tests your whitelist is disabled or at least set to "dst" (outgoing) only ... otherwise your whitelist always "wins" (with your uplink subnet) and allows the traffic.
If you find examples where the IP is in the log but not in your IPSet, please provide me the logfile excerpt via PM; maybe I have to further refine the search patterns for IPv4 & IPv6.
No, that's the parm for automatic uplink detection, which is enabled by default.
Well, quite simple - you have to use a different external IP for further login attempts.
Of course I could make this logfile parsing for failed login attempts optional. Thoughts?
Are the select boxes on these pages correctly pre-filled or empty, too? Please enable debug (ban_debug) and send back the logs to my maintainer's email address plus the output of /etc/init.d/banip status
Is it presently possible to define multiple "WAN" interfaces?
Previously I generated ipsets after aggregating the ranges with a Perl module. I've been looking at changing that to using aggregate as it would be more suitable on embedded devices; it only handles IPv4, and I am not aware of something comparable to it covering IPv6.
I may be misunderstanding; I don't think it's uncommon to have multiple upstream interfaces.
I usually have 3: 1 DSL account with a dynamic IP, 1 DSL account with a static IP from a different ISP, and mobile data as a backup should my DSL go down. I have static routes so that some traffic only ever goes out the static interface; otherwise it is also used as a fallback should the dynamic DSL account disconnect.
At least for me ... in my "small world" setup I use only one simple uplink to my cable provider ...
Anyway, I've added support for multiple WANs in 0.0.6 once the PR gets merged (https://github.com/openwrt/packages/pull/7448).
Edit: BTW, banIP will be triggered by firewall events - whenever a firewall event occurs the banIP firewall chains & ipsets will be re-applied as well (with the current / maybe changed WAN).
Hi, just installed on my WRT3200ACM. Thanks for a good app. All is working fine so far; I will let you know if I can find a way of breaking anything! Is there a way of making descriptions for the lists a bit more explanatory, or adding links to the lists in the web interface?
Thank you for adding this! I rebuilt my firmware last night with the updated package so busy running with it, and will look more deeply into it after work.
I think the version 0.6 might not be working as intended; sending traffic to private IP ranges passes through, as well as attempting to send traffic to what should be blocked IP addresses. (Easiest for myself was to tracepath/traceroute.)
I have checked that the IPs are listed in the ipsets. I have also tried with all of src, dst, src+dst, and a single interface, or multiple.
I did come across an issue which cropped up while using the UI and changing the selected blocklists. One of the blocklists in the config had ended up having "net_inet" as the ipset type, which prevented the affected list from being loaded. I can't find the cause after a bit of looking.
I know this is not the most useful feedback without further information; I'll take a deeper look once I am on leave.
I haven't tested IPv6 as I don't have an IPv6 connection.
Probably a Double-NAT situation where your private uplink subnet is in the whitelist IP-Set (that happens automatically!). If not, please provide more information to reproduce your issue.
That was a development left over and has been fixed in 0.0.6. You need to update config - to get the latest config during package update please use the opkg option "--force-maintainer".