[GH-ISSUE #2239] Private/CGNAT IPs are incorrectly blocked by GeoIP “Block All” rules #6908

New Issue

Open

opened 2026-04-25 15:54:39 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-25 15:54:39 -05:00

Owner

Copy Link

Originally created by @Blacks-Army on GitHub (Jan 12, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2239

Originally assigned to: @oschwartz10612 on GitHub.

Describe the Bug

When using GeoIP-based rules in Pangolin, internal/private IP ranges (LAN and CGNAT) can be unintentionally blocked.

For example, if you create a rule to Bypass Auth for your country with high priority, and then a Block All rule for all countries with lower priority, clients using private IP ranges (192.168.x.x / 10.x.x.x / 172.16.x.x) or CGNAT ranges (100.64.0.0/10) or private ipv6 IP ranges cannot reach the service. This happens because these IPs do not have GeoIP mapping, so the “Block All” rule applies.

Environment

• OS Type & Version: Docker
• Pangolin Version: latest
• Gerbil Version: latest
• Traefik Version: latest
• Newt Version: latest
• Olm Version: (if applicable)

To Reproduce

1. Create a rule with Priority 1: Bypass Auth for a specific country (e.g., USA).
2. Create a rule with Priority 2: Block All for all countries.
3. Try accessing the service from a client with a private LAN IP (192.168.x.x / 10.x.x.x / 172.16.x.x) or a CGNAT IP.
4. Access is blocked.

Expected Behavior

Private IPs and CGNAT ranges should not be blocked by GeoIP-based rules. Internal clients should be allowed by default or configurable in ACLs without requiring manual exceptions.

Suggestion:
Automatically whitelist RFC1918/RFC6598/RFC4193 ranges in GeoIP evaluations, or provide an explicit setting to treat private/internal IPs separately.

Originally created by @Blacks-Army on GitHub (Jan 12, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2239 Originally assigned to: @oschwartz10612 on GitHub. ### Describe the Bug When using GeoIP-based rules in Pangolin, internal/private IP ranges (LAN and CGNAT) can be unintentionally blocked. For example, if you create a rule to Bypass Auth for your country with high priority, and then a Block All rule for all countries with lower priority, clients using private IP ranges (192.168.x.x / 10.x.x.x / 172.16.x.x) or CGNAT ranges (100.64.0.0/10) or private ipv6 IP ranges cannot reach the service. This happens because these IPs do not have GeoIP mapping, so the “Block All” rule applies. ### Environment - OS Type & Version: Docker - Pangolin Version: latest - Gerbil Version: latest - Traefik Version: latest - Newt Version: latest - Olm Version: (if applicable) ### To Reproduce 1. Create a rule with Priority 1: Bypass Auth for a specific country (e.g., USA). 2. Create a rule with Priority 2: Block All for all countries. 3. Try accessing the service from a client with a private LAN IP (192.168.x.x / 10.x.x.x / 172.16.x.x) or a CGNAT IP. 4. Access is blocked. ### Expected Behavior Private IPs and CGNAT ranges should not be blocked by GeoIP-based rules. Internal clients should be allowed by default or configurable in ACLs without requiring manual exceptions. Suggestion: Automatically whitelist RFC1918/RFC6598/RFC4193 ranges in GeoIP evaluations, or provide an explicit setting to treat private/internal IPs separately.

GiteaMirror added the needs investigating label 2026-04-25 15:54:39 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

resource-policies

copilot/fix-create-alert-visibility

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

redis

crowdin_dev

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

dependabot/docker/docker/library/node-25-slim

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label needs investigating

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#6908