Openwrt how to block countries but allow a specific path using BanIp

https://lemmy.world/u/Hercules posted on Mar 16, 2026 16:45

Hey,

I'm using OpenWrt with banIP to only allow certain countries to access my services. I'm not familiar with banIP and I'm having issues finding documentation about it, so that's why I came here.

I need to allow a certain path so that cert-manager can get me new certificates using HTTP challenges. If I'm not mistaken, I have to allow the path: .well-known/acme-challenge/*.

Is there an option to allow this from any country but block all other requests?

My current config is as follows:

root@OpenWrt:~# uci show | grep ban
banip.global=banip
banip.global.ban_enabled='0'
banip.global.ban_debug='0'
banip.global.ban_autodetect='1'
banip.global.ban_allowlistonly='1'
banip.global.ban_fetchcmd='curl'
banip.global.ban_protov4='1'
banip.global.ban_ifv4='wan'
banip.global.ban_protov6='1'
banip.global.ban_ifv6='wan6'
banip.global.ban_dev='eth0'
banip.global.ban_fetchretry='5'
banip.global.ban_nicelimit='0'
banip.global.ban_filelimit='1024'
banip.global.ban_deduplicate='1'
banip.global.ban_nftpriority='-100'
banip.global.ban_icmplimit='25'
banip.global.ban_synlimit='10'
banip.global.ban_udplimit='100'
banip.global.ban_nftpolicy='memory'
banip.global.ban_nftretry='5'
banip.global.ban_blockpolicy='drop'
banip.global.ban_nftloglevel='warn'
banip.global.ban_logprerouting='0'
banip.global.ban_loginbound='1'
banip.global.ban_logoutbound='0'
banip.global.ban_loglimit='100'
banip.global.ban_autoallowlist='1'
banip.global.ban_autoallowuplink='subnet'
banip.global.ban_autoblocklist='1'
banip.global.ban_country='be'
banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'received a suspicious remote IP .*'
banip.global.ban_vlanallow='br-lan'
banip.global.ban_allowurl='https://www.ipdeny.com/ipblocks/data/aggregated/be-aggregated.zone' 'https://www.ipdeny.com/ipv6/ipaddresses/aggregated/be-aggregated.zone'
banip.global.ban_geoip='1'
banip.global.geoip_src='dbip'
banip.global.geoip_mode='allowlist'
banip.global.ban_feeds='country:BE' 'country:BE' 'geoip:BE'
banip.global.ban_all='1'
banip.global.allow_country='BE'
banip.global.ban_feedin='country'
banip.global.ban_feed='hagezi' 'tor' 'vpn'
wireless.radio0.band='2g'
wireless.radio1.band='5g'

Thanks for your time and have a great day!

https://lemmy.world/post/44341716
https://lemmy.ml/u/peskypry posted on Mar 16, 2026 17:35
In reply to: https://lemmy.world/post/44341716

banIP works at the IP layer. It basically injects additional firewall rules into nftables to reject packets from a specific set of IP addresses. It is not aware of layer 7 like HTTP.

What is your goal exactly? Do you want to allow /.well-known to all countries, including the bad ones you are blocking? Then you have to do it at the application layer or set up a reverse proxy that has a WAF (Web Application Firewall) and serve /.well-known from the proxy.

https://lemmy.ml/comment/24574755
https://discuss.tchncs.de/u/Anafabula posted on Mar 16, 2026 17:40
In reply to: https://lemmy.world/post/44341716

The path is part of the HTTP protocol. Most firewalls only parse the first couple of layers (ethernet->ip->tcp/udp), not HTTP as well, unless they do deep packet inspection. Idk if openwrt/banip has functionality like that.

It might be easier (and more performant if the firewall has weak hardware) to just allow tcp port 80 and let your reverse proxy do the filtering for that, since it (usually) needs to parse the http anyways.

https://discuss.tchncs.de/comment/24568172
https://piefed.social/u/eleijeep posted on Mar 16, 2026 20:03
In reply to: https://lemmy.world/post/44341716

Can you use DNS challenges instead? That would just require that you can create a TXT record in your domain.

https://piefed.social/comment/10559091
https://lemmy.world/u/Hercules posted on Mar 16, 2026 20:56
In reply to: https://piefed.social/comment/10559091

That is what I currently have set up, but cert-manager is giving me a headache and not working correctly, so I'm looking into HTTP instead since it's easier to set up.

https://lemmy.world/comment/22699703
https://lemmy.world/u/Hercules posted on Mar 16, 2026 20:58
In reply to: https://discuss.tchncs.de/comment/24568172

> path is part of the http protocol. Most firewalls only parse the first couple layers (ethernet->ip->tcp/udp), not http as well, unless they do deep package inspection. Idk if openwrt/banip has functionality

I don't think OpenWrt can do this. I'm running k3s with nginx as ingress, but the issue is it doesn't see the actual IP but rather the IP of the container, so I can't use nginx to block countries.

https://lemmy.world/comment/22699731
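Added example, not code from the thread or from any of the posters: an nginx configuration that does what the replies above describe, with the router letting TCP/80 through for every country while the proxy serves the ACME challenge path to everyone and applies the country allowlist to everything else, and that recovers the real client address for the k3s ingress case. Assumed names: the pod CIDR 10.42.0.0/16, the geo file /etc/nginx/geo/be.conf, and the upstreams acme-solver and backend (resolvable service names or upstream blocks defined elsewhere).

```nginx
# Recover the real client address when nginx runs as a k3s ingress behind a
# Service/LoadBalancer that rewrites the source IP (assumed pod CIDR 10.42.0.0/16).
# Only trust X-Forwarded-For from that range, otherwise any client could forge it.
set_real_ip_from  10.42.0.0/16;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

# Country allowlist evaluated on the (now real) $remote_addr. The included file is
# the ipdeny be-aggregated.zone list rewritten to nginx geo syntax, one "CIDR 1;"
# per line, e.g.:  sed 's/$/ 1;/' be-aggregated.zone > /etc/nginx/geo/be.conf
geo $client_allowed {
    default 0;
    include /etc/nginx/geo/be.conf;
}

server {
    listen 80;
    server_name example.com;   # placeholder hostname

    # ACME HTTP-01 challenge: reachable from any country so cert-manager can
    # complete validation, because the CA's validator is not in the allowlist.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://acme-solver;   # hypothetical upstream: cert-manager solver pod
    }

    # Everything else: reject clients whose address is outside the allowlisted country.
    location / {
        if ($client_allowed = 0) {
            return 403;
        }
        proxy_pass http://backend;       # hypothetical application upstream
    }
}
```

The router then only has to pass TCP/80 from any source; whether the rest of the site is actually protected depends on this proxy seeing the true client address, so confirm that $remote_addr in the access log shows a public address and not the pod CIDR before relying on it.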
https://lemmy.decronym.xyz/u/Decronym posted on Mar 16, 2026 21:00
In reply to: https://lemmy.world/post/44341716

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
IP              Internet Protocol
nginx           Popular HTTP server

[Thread #174 for this comm, first seen 16th Mar 2026, 21:00] [FAQ] [Full list] [Contact] [Source code]

https://lemmy.decronym.xyz/comment/18676
https://lemmy.world/u/non_burglar posted on Mar 17, 2026 14:00
In reply to: https://lemmy.world/post/44341716

This can’t be achieved with banip only, it bans based on CIDR blocks at layer 3 (IP).

https://lemmy.world/comment/22711378