GeoIP unk after recent update

michmoor

I did have this working with the latest package update.
Recently i had to re-install my pfsense+
After packages have been installed i noticed that pfblocker isnt able to produce GeoIP data pertaining to the location. I first did an update and noticed that the Maxmind download is pulled without issue but GeoIP data isnt populating. I then did a re-install of the package. Letting it run for a few hours, Unk is still being displayed.

I am running pfBlockerNG-devel 3.1.0_11

Files located in my /usr/local/share/GeoIP directory seems to contain all thats needed.

-rw-rw-r--  1 806011168  806011168    14M Feb  3 00:37 GeoLite2-Country-Blocks-IPv4.csv
-rw-rw-r--  1 806011168  806011168   398B Feb  3 00:37 LICENSE.txt
-rw-rw-r--  1 806011168  806011168    11K Feb  3 00:37 GeoLite2-Country-Locations-zh-CN.csv
-rw-rw-r--  1 806011168  806011168    15K Feb  3 00:37 GeoLite2-Country-Locations-ru.csv
-rw-rw-r--  1 806011168  806011168    11K Feb  3 00:37 GeoLite2-Country-Locations-pt-BR.csv
-rw-rw-r--  1 806011168  806011168    15K Feb  3 00:37 GeoLite2-Country-Locations-ja.csv
-rw-rw-r--  1 806011168  806011168    10K Feb  3 00:37 GeoLite2-Country-Locations-fr.csv
-rw-rw-r--  1 806011168  806011168   9.7K Feb  3 00:37 GeoLite2-Country-Locations-es.csv
-rw-rw-r--  1 806011168  806011168   9.6K Feb  3 00:37 GeoLite2-Country-Locations-en.csv
-rw-rw-r--  1 806011168  806011168   9.5K Feb  3 00:37 GeoLite2-Country-Locations-de.csv
-rw-rw-r--  1 806011168  806011168    11M Feb  3 00:37 GeoLite2-Country-Blocks-IPv6.csv
-rw-rw-r--  1 806011168  806011168    55B Feb  3 00:37 COPYRIGHT.txt
-rw-r--r--  1 root       wheel       2.8M Feb  3 00:45 GeoLite2-Country.tar.gz
-rw-r--r--  1 root       wheel       2.8M Feb  3 00:45 GeoLite2-Country-CSV.zip.raw
drwxr-xr-x  2 root       wheel       1.3K Feb  6 18:02 cc

pfsjap

@michmoor GeoIP data seems not to get extracted automatically even with the latest pfBlockerNG-devel 3.2.0_1, you have to manually extract GeoLite2-Country.mmdb from gz-file into /usr/local/share/GeoIP. After that you have to restart DNS resolver for GeoIP data to be shown.

michmoor

@pfsjap ah. I have unzip the file. I restarted pfblocker and pf filter but I need to restart unbound as well?

pfsjap

@michmoor Well, I had to.

michmoor

@pfsjap maybe i did something wrong here but here are the following steps ive done.

tar -xf GeoLite2-Country.tar.gz
mv GeoLite2-Country-CSV.zip.raw GeoLite2-Country-CSV.zip
unzip GeoLite2-Country-CSV.zip
restart pfb_filter via the GUI

pfsjap

@michmoor Here's what I did:

cd /usr/local/share/GeoIP
tar -xvf GeoLite2-Country.tar.gz
mv GeoLite2-Country_20230203/GeoLite2-Country.mmdb .

Restarted pfb_filter via the GUI, but GeoIP data was still not resolved.
Restarted unbound via the GUI and after that GeoIP was resolved ok.

Beerman

I have the same Issue... I think since the upgrade to pfSense 23.01.

GeoLite2-Country.mmdb seems not be extracted.

In the directory "/usr/local/share/GeoIP" I have "GeoLite2-Country.tar.gz" but no "GeoLite2-Country.mmdb".

Is this a new bug in pfBlockerNG?

Beerman

OK, seems to be an bug. It is already fixed in v3-2-0_2.

Changelog v3-2-0_2

But it does not seem to be published yet.. :(

michmoor

@beerman check the pfblocker Reddit. The fix is there to be pulled down from the maintainer but not available yet through the package manager on Pf

Beerman

@michmoor

Thanks, for the hint! :)

SteveITS

@michmoor said in GeoIP unk after recent update:

pfblocker Reddit

Thanks. Link: https://www.reddit.com/r/pfBlockerNG/comments/116fuie/temp_workaround_to_get_latest_v320_2_files/

Beerman

Hi,

after applying the patch, I noticed that it seems to work only partially.
(Before that all entries show "Unk")

Bildschirmfoto vom 2023-02-21 08-54-19.png

BBcan177

@beerman
Try these commands:

mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 146.88.240.4 country mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 91.240.118.166 country iso_code

Also would avoid using the Firehol level 1 feed as it contains bogons etc. Especially for outbound use...

Beerman

@bbcan177

Here the output of the commands:

mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 146.88.240.4 country iso_code

  "US" <utf8_string>


mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 91.240.118.166 country iso_code

  "HK" <utf8_string>

The most entries are working, but yesterday I got another "Unk"..

I tried also the command with this IP:

mmdblookup -f /usr/local/share/GeoIP/GeoLite2-Country.mmdb -i 162.142.125.142 country iso_code

  "US" <utf8_string>

(And Firehol Level 1 is only inbound... :) But thx, for the hint!)

BBcan177

@beerman
It could be that the old records are in the sqlite cache file?

sqlite3 /var/db/pfblockerng/ip_cache.sqlite .dump

You could delete that file "/var/db/pfblockerng/ip_cache.sqlite" and then restart the pfb_filter service, and see how it goes from there?

Beerman

@bbcan177

Thx, fpr your support! :)

I have since uninstalled and reinstalled the pfBlockerNG-devel package. I also deleted the directories (/usr/local/share/GeoIP and /var/db/pfblockerng).

Since then, I have not noticed any more such entries. If an entry appears again, I will test the commands and report in this thread.