Powerful router for filtering 5000 IP addresses

I want to block traffic to around 5000 IP addresses and I want to be able to connect a modem. It's going to be a wireless system that should be able to work as a repeater. My GL-MiFi is very weak for that, so I need a better setup.
What board can you recommend for that task?

What bandwidth? How many clients?

Edit: Does “too weak” refer to its wireless range/speed, or its processing power?

Up to 5 devices, 1GbE.
Weak means the processing power.

Gigabit throughput? You're looking at quad-core ARM or more likely x86_64/AMD64.

What is your line rate to your ISP or upstream?

BTW, if you’re really blocking IP addresses, static blackhole routes are likely very fast and efficient.

1 Like

Thanks, I didn't know about that. Will try that out.
The bandwidth of the ISP is just 100Mbit/s, but I want to have a fast local network for file transferring.
Which CPU architecture is the most efficient?

By the way, GL-MiFi reduces Internet speed by around a half when used as a wifi repeater. So I would consider choosing a router that doesn't have that issue.

EDIT: I have applied a test route and it works fine, but where is it stored? It should be /etc/config/network, but the file doesn't contain the new entry.

luci-app-banip could do the job. With ipset, the time complexity would be O(1). Even an ath79/ramips is capable of this.

It's by design: WiFi is half-duplex. When you use it as a WiFi repeater, it will use half of its total bandwidth for the uplink and the other half for the clients.

1 Like

Unfortunately, opkg install banip and opkg install banip return Unknown package. I guess those are not available for my platform (AR9331).

Got it! Thanks for your help.

banip is not included in 18.06. You can either download ipk and install it manually from snapshot opkg source, or just update to 19.07.

2 Likes

Done, thanks. But I get an error when enabling banIP on the config page. Will ask its developer about that.

You can consider using IPset:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset

It doesn't need a lot of CPU power because thousands of IPs can be hashed into a single set, used by one single iptables rule. I have more than 93000 entries running on an old and "slow" Netgear WNDR3800:

~# ipset list badgeo|head -7
Name: badgeo
Type: hash:net
Revision: 6
Header: family inet hashsize 65536 maxelem 150000
Size in memory: 42872
References: 1
Number of entries: 93208
~# grep badgeo /etc/firewall.user
ipset -N badgeo hash:net maxelem 150000
iptables -A forwarding_lan_rule -m set --match-set badgeo dst -j reject
2 Likes

Wow! Ads and tracking block?

Thanks for the guide!

The /etc/firewall.user is one part of my setup (for creating ipset and associated rule). The other is in /etc/rc.local; that contains this part of the script that populates "badgeo" ipset:

# Feed URLs, one per line. curl expands each {a,b,...} group itself (URL
# globbing), so a single entry fetches one file per alternative.
hosts="
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
http://ipdeny.com/ipblocks/data/countries/{cn,ru,in,br,ve,vn,pk,sa,ir,ar,pe,co,cl,ma,bg,ro,kz,by,tr,ua,sy,ng,kp,id,bd,af,cf,cd,cu,cy,er,fj,ht,iq,lb,ly,mm,rw,so,lk,sd,ye,zw,ph}.zone
https://www.blocklist.de/downloads/export-ips_all.txt
https://www.malwaredomainlist.com/hostslist/ip.txt
https://feodotracker.abuse.ch/downloads/ipblocklist.txt
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/{dshield,firehol_level1}.netset
";
# Fetch every feed, keep only lines that start with an IPv4 address or CIDR
# block, deduplicate, and hand them to ipset as "add badgeo <entry>" lines.
for url in $hosts; do curl -s $url | egrep -o '^[0-9]{1,3}([./][0-9]{1,3}){3,4}';
done | sort -u | xargs -rn1 printf 'add badgeo %s\n' | ipset restore

Feel free to copy.

Yes; and my own host-based blocking solution is here:

However, the OpenWrt adblock package is probably more user-friendly.

1 Like

The link is dead, so it can be removed from there. Besides, I wouldn't trust ipdeny.com, because they get the files allocated by the regional registries, which may block good websites with torrent-related content, for example.

The link is dead.
But thanks for help!

The links are not dead. The use of curly brackets {} in the bash/ash shell tells the command to iterate across all the "variations" inside them. The URL above simply tells curl to run twice, against both links:

https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset

Thanks for the tip about ipdeny.

Got it. Thanks.

By the way, how can I add a range of IP addresses with ipset?
For example, 144.76.168.9 - 144.76.168.16

Non-CIDR or non-single-IP entries will be a bit of a pain to manage. You'll need to create an IPset of type bitmap:ip with a specific range limit not exceeding 65535, namely /16 subnets only.

Example:

~# ipset -N testacl bitmap:ip range 144.76.0.0-144.76.255.254
~# ipset add testacl 144.76.168.9-144.76.168.16
~# ipset list testacl
Name: testacl
Type: bitmap:ip
Revision: 3
Header: range 144.76.0.0-144.76.255.254
Size in memory: 8248
References: 0
Number of entries: 8
Members:
144.76.168.9
144.76.168.10
144.76.168.11
144.76.168.12
144.76.168.13
144.76.168.14
144.76.168.15
144.76.168.16

In short, it'll be a pain in the rear if you want to use IPset with non-CIDR ranges that exist in multiple /16 subnets.

Is it only /16 that is permitted for the CIDR? I had thought that it was anything 1-32 inclusive. I also thought that the hash map could store 64k entries, each of which could be a CIDR block of any width.

A "trick" is also to consider an "exception" rule when you've got an incomplete block on a really ugly boundary.

.8 -- 0b0000'1000
.9 -- 0b0000'1001

.15 -- 0b0000'1111
.16 -- 0b0001'0000

So you could write that as, for example (check this, as my coffee hasn't hit yet)

Skip 144.76.168.8/32 -- .8 (skips over blocking rules that immediately follow)
Block 144.76.168.8/29 -- .8 - .15
Block 144.76.168.16/32 -- .16

The "skip" is so that if there is a later rule that would block that IP, the packet hasn't already been accepted through this phase of your rules.

I see, thanks. I used to use firewall software where I put the addresses I wanted to block, so I need to parse its config file with the addresses, and I was going to develop a small parser for that task. But it seems like it's better to do that manually.

Just a simple question. How can you know the number of subnets, if you have just a list of addresses from the IP range?

No simple answer -- how are you collecting these 5000 IP addresses? It is remotely possible that you can use the registries to determine who has administrative authority over those IP blocks and, from that, determine the blocks themselves. Typically they are assigned (delegated) to lower-tier authorities and within organizations by a CIDR subnet -- N high-order bits match.
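The two questions raised above, how to put an inclusive range such as 144.76.168.9 - 144.76.168.16 into a set without resorting to bitmap:ip, and how to know how many subnets a range needs, and the feed-to-ipset step of the rc.local script, can be served by one added Python example. It is not code from the thread: it runs on a workstation, not on the AR9331, parses a blocklist of single addresses, CIDR blocks and dash ranges, converts each range into the minimal list of CIDR blocks with the greedy alignment rule (the same result ipaddress.summarize_address_range gives, written out so the rule is visible), collapses duplicates and overlaps, and prints an `ipset restore` stream for a hash:net set. The set name badgeo mirrors the one used above; the blocklist text is constructed for the example and is not a real feed.

```python
"""Build an `ipset restore` stream for a hash:net set from a mixed blocklist
(single IPv4 addresses, CIDR blocks, and inclusive dash ranges such as
144.76.168.9 - 144.76.168.16).  Added example, not code from the thread."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample input (not a real blocklist): a comment, a dash range,
# an address already inside that range, a host already inside a /8, a range
# that straddles a /24 boundary, and one invalid entry.
SAMPLE_LIST = """
# hosts to drop
144.76.168.9 - 144.76.168.16
144.76.168.10
10.0.0.0/8
10.1.2.3
192.168.0.255-192.168.1.0
203.0.113.7
999.1.1.1
"""

RANGE_RE = re.compile(r"^(\S+)\s*-\s*(\S+)$")


def range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Greedy conversion of an inclusive range into the minimal list of CIDR
    blocks.  At each step take the largest block that starts exactly at `lo`
    (its size is bounded by the trailing zero bits of lo) and shrink it until
    it no longer runs past `hi`.  The length of the returned list is the
    number of subnets the range needs."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is after its end {last}")
    blocks = []
    while lo <= hi:
        # log2 of the largest block aligned at lo (32 only for 0.0.0.0)
        bits = 32 if lo == 0 else (lo & -lo).bit_length() - 1
        while bits > 0 and lo + (1 << bits) - 1 > hi:
            bits -= 1
        blocks.append(ipaddress.IPv4Network((lo, 32 - bits)))
        lo += 1 << bits
    return blocks


def parse_blocklist(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse one entry per line, convert ranges, validate every entry (a bare
    regex filter would pass 999.1.1.1 straight on to ipset), then collapse
    duplicates, subsumed entries and mergeable neighbours.
    Returns (collapsed networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RANGE_RE.match(line)
        try:
            if m:
                nets.extend(range_to_cidrs(m.group(1), m.group(2)))
            else:
                # strict=False normalises 10.1.2.3/8 to 10.0.0.0/8
                nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return list(ipaddress.collapse_addresses(nets)), rejected


def ipset_restore_stream(name: str, nets, maxelem: int = 150000) -> str:
    """Render the `create` line followed by one `add` line per block, the
    order `ipset restore` expects."""
    lines = [f"create {name} hash:net family inet hashsize 65536 maxelem {maxelem}"]
    lines += [f"add {name} {net.with_prefixlen}" for net in nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets, rejected = parse_blocklist(SAMPLE_LIST)
    for bad in rejected:
        print(f"# rejected: {bad}")
    print(ipset_restore_stream("badgeo", nets), end="")
```

Redirect the output to a file, copy it to the router and load it with `ipset -exist restore < badgeo.restore`; the `-exist` flag lets the same file be reloaded without errors when the set already exists, and the single `-m set --match-set badgeo dst` rule from the earlier post then covers every block. For 144.76.168.9 - 144.76.168.16 the greedy loop yields four blocks (.9/32, .10/31, .12/30, .16/32), which is why a plain list of addresses cannot be turned into a subnet count without aligning it first.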