From 602f85d24db9ad237d7ca21ee04bb62bb5982353 Mon Sep 17 00:00:00 2001 From: dolonet Date: Mon, 13 Apr 2026 07:08:08 +0000 Subject: [PATCH 1/2] Document firehol_level1 RFC1918 gotcha in blocklist defaults The default [defense.blocklist] uses firehol_level1.netset, which includes bogon networks and therefore all RFC1918 ranges. Clients connecting from a LAN address (e.g. a phone on the home Wi-Fi when mtg runs at home) are silently rejected with "ip was blacklisted" and routed to the fronting domain. This is a recurring source of confusion (see issue #466 for the latest example). Add a warning next to the urls list in example.config.toml and a Troubleshooting section in README.md covering the symptom, the cause, and three resolution paths (disable blocklist, swap for a narrower list, or use hairpin NAT). Docs only, no code changes. --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ example.config.toml | 11 +++++++++++ 2 files changed, 54 insertions(+) diff --git a/README.md b/README.md index 5314e7264..d406e365b 100644 --- a/README.md +++ b/README.md 
@@ -514,6 +514,49 @@ This is not very necessary. Keep in mind these rules: you can enable `drs` setting. 9. **If you are not sure, touch nothing!** +## Troubleshooting + +### `ip was blacklisted` for clients on the same LAN + +If you run mtg at home and a client on the same LAN (for example, your +phone on the home Wi-Fi) cannot connect, check the proxy logs for a +message like: + +```json +{"level":"info","ip":"10.0.1.1","logger":"proxy","message":"ip was blacklisted"} +``` + +The reason is that the default blocklist (`firehol_level1.netset`) +includes bogon networks, which covers all RFC1918 ranges +(`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`). Any client +connecting from such an address is rejected by the blocklist and +silently routed to the fronting domain. + +There are three ways to resolve it: + +1. Disable the blocklist entirely in `config.toml`: + + ```toml + [defense.blocklist] + enabled = false + ``` + + Simplest option if the proxy is used only by you and people you trust. + +2. Keep the blocklist but swap `firehol_level1` for a narrower list that + does not include bogons, for example `firehol_abusers_1d`: + + ```toml + [defense.blocklist] + enabled = true + urls = ["https://iplists.firehol.org/files/firehol_abusers_1d.netset"] + ``` + +3. Connect to the proxy through a public IP or domain name with hairpin + NAT (`MASQUERADE`) on your router. mtg will then see the client with + its public address and the blocklist will not match. This is more + work to set up but preserves full blocklist protection. + ## Metrics Out of the box, mtg works with diff --git a/example.config.toml b/example.config.toml index ece3104dd..3e14a3a02 100644 --- a/example.config.toml +++ b/example.config.toml 
@@ -316,6 +316,17 @@ download-concurrency = 2 # A list of URLs in FireHOL format (https://iplists.firehol.org/) # You can provider links here (starts with https:// or http://) or # path to a local file, but in this case it should be absolute. +# +# NOTE: the default list below (firehol_level1.netset) includes bogon +# networks, and therefore RFC1918 ranges as well (10.0.0.0/8, +# 172.16.0.0/12, 192.168.0.0/16). If you run mtg on a home/LAN network +# and connect from a client on the same LAN, that client will be +# rejected with "ip was blacklisted" and silently routed to the fronting +# domain. If you see this, you can either disable this section +# (enabled = false), replace firehol_level1 with a narrower list that +# does not include bogons (e.g. firehol_abusers_1d), or connect via +# a public IP/domain with hairpin NAT on your router. See README for +# details. urls = [ "https://iplists.firehol.org/files/firehol_level1.netset", # "/local.file" From 68a4685ec630e02199753a8001f1cda3842512fb Mon Sep 17 00:00:00 2001 From: dolonet Date: Mon, 13 Apr 2026 07:46:52 +0000 Subject: [PATCH 2/2] Fix description of blocklist rejection behavior The previous wording ("silently routed to the fronting domain") is inaccurate. In mtglib/proxy.go the blocklist path calls conn.Close() immediately with no further handshake or fronting; domain fronting only happens on FakeTLS failures for non-blocked IPs. Reword to "TCP connection is closed with no response" so users searching the docs get the same symptom they actually see. --- README.md | 5 +++-- example.config.toml | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d406e365b..3c41189cd 100644 --- a/README.md +++ b/README.md 
@@ -529,8 +529,9 @@ message like: The reason is that the default blocklist (`firehol_level1.netset`) includes bogon networks, which covers all RFC1918 ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`). Any client -connecting from such an address is rejected by the blocklist and -silently routed to the fronting domain. +connecting from such an address is rejected by the blocklist — +the TCP connection is closed immediately with no response, so +from the client's point of view nothing loads at all. There are three ways to resolve it: diff --git a/example.config.toml b/example.config.toml index 3e14a3a02..b9293c270 100644 --- a/example.config.toml +++ b/example.config.toml @@ -321,8 +321,8 @@ download-concurrency = 2 # networks, and therefore RFC1918 ranges as well (10.0.0.0/8, # 172.16.0.0/12, 192.168.0.0/16). If you run mtg on a home/LAN network # and connect from a client on the same LAN, that client will be -# rejected with "ip was blacklisted" and silently routed to the fronting -# domain. If you see this, you can either disable this section +# rejected with "ip was blacklisted" and the connection dropped (TCP +# close, no response). If you see this, you can either disable this section # (enabled = false), replace firehol_level1 with a narrower list that # does not include bogons (e.g. firehol_abusers_1d), or connect via # a public IP/domain with hairpin NAT on your router. See README for
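Review bot: option 3 in the new Troubleshooting section (the hairpin NAT / `MASQUERADE` paragraph) looks wrong as written: in the usual hairpin setup the router rewrites the source to the address of its LAN-side interface, so mtg sees the router's LAN address, which is itself an RFC1918 address and is still matched by the bogon entries; the claim "mtg will then see the client with its public address" should be verified before it ships. Suggest rewording to say mtg will see the router's address and that the setup only helps if that address is one the blocklist does not match. Two smaller points in the same hunk: "bogon networks, which covers all RFC1918 ranges" should read "which cover", and option 1's "Simplest option if the proxy is used only by you and people you trust" should spell out that `enabled = false` removes blocklist protection for every client, not just LAN ones, since option 3 is the only one described as preserving it.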
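Review bot: the NOTE added to `example.config.toml` in 1/2 repeats the "silently routed to the fronting domain" description that 2/2 in the same series then replaces; squash the two patches so that no commit in the series carries the description the 2/2 message itself calls inaccurate. While this comment block is being touched, the adjacent context line "You can provider links here" should become "You can provide links here", and "See README for details" would be more useful as "See the Troubleshooting section in README.md", since that section is introduced by this same patch.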
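Review bot: the README hunk in 2/2 only corrects text introduced by 1/2, so it belongs in that commit rather than as a separate patch (a reader bisecting the history would otherwise land on a README that documents behaviour the code does not have). The new wording is also the place to state what the 2/2 commit message says, that the connection is closed before any handshake is processed and that the `ip was blacklisted` log line is the only signal the operator gets; as written the README says only that "nothing loads at all" on the client side.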
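Review bot: in the `example.config.toml` hunk of 2/2, the line "# close, no response). If you see this, you can either disable this section" runs past the wrap width used by the rest of this comment block (the surrounding lines wrap at roughly 70 columns); rewrap it so the block stays uniform. The terse parenthetical "(TCP close, no response)" would also read better if it matched the README phrasing, e.g. "and the TCP connection is closed with no response".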