Dante auth based on network

I want to configure a dante (danted) server to allow no auth on localhost (for ssh tunnel) and to ask for username/password on every other connection. This is what I have as a config file but it's accepting no authenticated connections from the internet. Any ideas?

# /etc/danted.conf

#logoutput: syslog
debug: 0
logoutput: /log/danted.log
user.privileged: root
user.unprivileged: socks

# The listening network interface or address.
internal: 0.0.0.0 port=1080

# The proxying network interface or address.
external: 192.168.1.11

# socks-rules determine what is proxied through the external interface.
# The default of "none" permits anonymous access.
socksmethod: username none

# client-rules determine who can connect to the internal interface.
# The default of "none" permits anonymous access.
clientmethod: rfc931 none

#method: none

client pass {
    from: 127.0.0.1/0 to: 127.0.0.1/0
    log: connect disconnect error
    clientmethod: none
}

socks pass {
        from: 127.0.0.1/0  to: 127.0.0.1/0
        log: connect disconnect error
        socksmethod: none
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect disconnect error
        clientmethod:none
}

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect disconnect error
        clientmethod: rfc931
}

socks block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect disconnect error
        socksmethod: none
}


socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect disconnect error
        socksmethod: username
user:banana
}

The problem is in your Dante configuration file (sockd.conf).

You are using a zero-bits netmask where you probably mean to specify a full netmask. E.g. this address statement, from your above configuration: "from: 127.0.0.1/0". The zero after the "/", "/0", makes it the equivalent of "0.0.0.0/0", so it will match everything. Probably you meant "/32".