Apply banIP only to specific VLANs/Zones?

Is there a way to apply banIP only to specific internal VLANs or zones, so that certain networks can completely bypass the filtering?

From what I understand, banIP listens on the WAN interface, so ultimately all traffic from internal networks is affected, regardless of which VLAN or zone it originates from. This makes it difficult to exclude specific internal networks from the filtering.

Ideally, I’d like to apply banIP only to certain zones (e.g., guest) while allowing others (e.g., trusted or lan) to pass through unfiltered — even though all traffic exits via the same WAN interface.

Has anyone successfully implemented this kind of selective filtering with banIP?
Any input or examples would be greatly appreciated.

Thanks!

Cheers

Hello! Nice to see you are extensively testing out the firewall :smile:

ThreatShield IP works at the nft level: it has a list of IPs that it matches against, and it drops connections coming from bad IPs based on the provided lists. Since it works only by checking the incoming IP, you are not able to check where the packet should go inside the firewall to rule out dropping the packet itself.

For additional documentation, refer to the official package page: packages/net/banip/files/README.md at openwrt-23.05 · openwrt/packages · GitHub

We forked the package and kept it at version 1.0.0-9 for now; we have experienced issues with the latest release.

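To make the point in the reply above concrete, here is an added example (not banIP's or ThreatShield's own ruleset, and not code from either poster) of what a source-address blocklist looks like at the nft level. It generates a minimal ruleset in the same style: a set of addresses and a WAN-side rule that matches only `ip saddr` against that set. The table name, the interface name `eth1`, and the blocklist entries are constructed placeholders.

```shell
#!/bin/sh
# Added example, not banIP's own ruleset. Shows the shape of an nftables
# source-address blocklist so it is visible why a WAN-side 'ip saddr' match
# cannot distinguish which internal zone (lan, guest, a VLAN) a packet is
# heading to: there is no 'oifname' or 'oifgroup' term in the rule at all.
# Table name, interface name and addresses are constructed placeholders.

WAN_IF="${WAN_IF:-eth1}"

# Constructed sample blocklist (RFC 5737 documentation ranges, not a real feed).
BLOCKLIST="192.0.2.0/24
198.51.100.7
203.0.113.128/25"

# Turn one-entry-per-line input into an nft element list: "a, b, c".
to_elements() {
    printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | paste -sd, - | sed 's/,/, /g'
}

# Emit the ruleset. Both rules key solely on the source address; the
# destination interface or zone is never consulted, so traffic from a listed
# source is dropped no matter which internal network it was going to reach.
gen_ruleset() {
    cat <<EOF
table inet example_banip {
    set blocklist_v4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { $(to_elements "$BLOCKLIST") }
    }

    chain wan_input {
        type filter hook input priority -200; policy accept;
        iifname "$WAN_IF" ip saddr @blocklist_v4 counter drop
    }

    chain wan_forward {
        type filter hook forward priority -200; policy accept;
        iifname "$WAN_IF" ip saddr @blocklist_v4 counter drop
    }
}
EOF
}

# Dry-run syntax check with 'nft -c' (check mode, nothing is loaded).
# Needs the nft binary and usually netlink permissions; skipped when absent.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ruleset | nft -c -f -
    else
        echo "nft not found; skipping syntax check" >&2
        return 0
    fi
}

gen_ruleset
```

Run it as `sh example.sh` to print the ruleset, or call `check_ruleset` (for example `sh -c '. ./example.sh >/dev/null; check_ruleset'` as root) to let `nft -c` parse it without installing it. Every match term is `iifname "<wan>" ip saddr @blocklist_v4`, which is exactly why the zone the packet is destined for plays no part in the decision.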