Drupal is a registered trademark of Dries Buytaert
Menu Per Role 8.x-1.9 Minor update available for module menu_per_role (8.x-1.9). Google API PHP Client 8.x-4.8 Minor update available for module google_api_client (8.x-4.8). GEO Starter JSON-LD 1.1.1 Minor update available for module geo_starter_jsonld (1.1.1). SQLite VDB Provider 1.4.0 Minor update available for module ai_vdb_provider_sqlite (1.4.0). SQLite VDB Provider 1.3.0 Minor update available for module ai_vdb_provider_sqlite (1.3.0). Burndown 1.0.70 Minor update available for module burndown (1.0.70). Webform MailerLite integration 1.0.4 Minor update available for module webform_mailerlite (1.0.4). Select Icons 2.1.0 Minor update available for module select_icons (2.1.0). Menu Per Role 2.0.0 Module menu_per_role updated after 7 months of inactivity (2.0.0). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Internal Network

1 sites Security covered
View on drupal.org

This module allows you to control access to blocks, templates, routes, and menu items based on the visitor's IP address using CIDR notation. It helps you show or hide content depending on whether the user is accessing from an internal network.

IP-based access control for blocks, Twig templates, routes, menu items, and taxonomy-tagged content. Show or hide content based on the visitor's network using CIDR notation.

Overview

The Internal Network module provides comprehensive IP-based access control for Drupal. It enables conditional rendering of blocks, template content, routes, menu items, and
taxonomy-tagged content based on configurable IP ranges using standard CIDR notation.

Whether you need to show internal-only content to office users, restrict login pages to VPN networks, hide pre-decisional documents from the public, or create intranet sections on a
public site — this module provides the tools you need.

Features

Block Visibility Condition
- Show or hide any block based on the visitor's IP address
- Integrates with Drupal's standard block visibility system
- Per-block IP range overrides or use global configuration
- Works with any block type

Twig Extension
- is_internal_network() function for use in any Twig template
- Conditionally render content based on the visitor's network

{% if is_internal_network() %}

This content is only visible to internal users.

{% endif %}

Route Access Restriction
- Block access to any Drupal route based on the visitor's IP
- Choose between 403 Forbidden or redirect to homepage
- Works with reverse proxies (respects X-Forwarded-For headers)

Menu Link Hiding
- Menu items linking to restricted routes are automatically hidden
- JavaScript-based approach preserves full page caching
- No extra configuration — just restrict a route and the link hides itself

Taxonomy Term Restriction (New in 1.1.0)
- Tag content with a restricted taxonomy term to control visibility by IP
- Two modes per term: hard deny (403) or soft hide (JS-based, cache-friendly)
- Works at the node level, paragraph level, or both
- Per-term IP range overrides and configurable bypass roles
- Soft dependency on Taxonomy — all other features work without it

Global Configuration
- Central admin page for IP ranges, logging, test mode, and bypass roles
- Test mode for development without being on the internal network
- Configurable test header for IP spoofing in non-production environments

Developer API
- Service: internal_network.helper for programmatic IP checks
- Twig function with optional parameter overrides
- AJAX endpoint /internal-network/status for client-side network detection
- PHPUnit test suite

Use Cases

- Intranet content: Show internal announcements, tools, or staff resources only to office users
- Security hardening: Restrict login, registration, or password reset to internal networks
- Pre-decisional content: Tag draft documents with a restricted term — external visitors can't see them
- Per-section restrictions: Show a "Staff Resources" paragraph only to users on the internal network, while the rest of the page stays public
- Multi-network access: Apply different IP ranges per term — procurement content on one network, HR content on another
- Staged rollouts: Show new features to internal users before public release
- Development/staging access: Protect non-production environments

How It Works

1. IP Detection: Detects the visitor's IP address, respecting X-Forwarded-For headers for reverse proxy setups
2. CIDR Matching: Checks IP addresses against configured ranges using standard CIDR notation (e.g., 192.168.0.0/16, 10.0.0.0/8)
3. Cache-friendly: Route blocking runs before page cache. Menu and content hiding use JavaScript to preserve full page caching while personalizing the display
4. Logging: Optional logging of all access decisions for debugging and auditing

Post-Installation

Navigate to /admin/config/system/internal-network to configure:
- Internal IP ranges (CIDR notation, one per line)
- Route restriction: enable/disable, routes to restrict, action (deny or redirect)
- Taxonomy term restriction: bypass roles (default: administrator)
- Logging and test mode settings

For taxonomy term restriction, navigate to any term edit form and expand "Internal Network Restriction" to enable per-term IP access control.

Activity

Total releases
3
First release
Mar 2026
Latest release
1 day ago
Releases (12 mo)
3 ▲ from 0
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.1.0 Stable Jul 17, 2026
1.0.1 Stable Jul 16, 2026
1.0.0 Stable Mar 6, 2026