pfBlockerNG v.3.2.0_8 upgrade (from _7) on 23.09.1 (stable pfSense+) caused blank "MaxMind Account ID" and problems
-
Hi,
I upgraded the pfBlockerNG package on both 23.09.1 routers to v.3.2.0_8 this morning, and on both routers the "MaxMind Account ID" disappeared (became blank).
1st router is running pfBlockerNG and Suricata packages, 2nd one only pfBlockerNG (no Suricata installed).
Does it have anything in common with https://dev.maxmind.com/geoip/updating-databases? Is it expected that "MaxMind Account ID" disappeared and 23.09.1 started to report alerts each hour that account id is missing?
I will re-add the MaxMind account ID number, but I am having a problem accessing it (2FA), so I will do it shortly. I think the problem will be gone, but should "MaxMind Account ID" be auto-removed by upgrading the package?
Cheers
-
@sandie Forget it. I think "MaxMind Account ID" value has been added (next to "MaxMind License Key") and must be now inputted when pfBlockerNG is upgraded to v.3.2.0_8, right? It could have been better communicated by upgrade/package reinstallation :)
A few more questions if anyone reads ;)
Database download limits
Every account is limited to 2,000 total direct downloads (30 for GeoLite accounts) in a 24-hour period. If you have to distribute your databases across multiple servers, it is advisable that you download databases to a local repository on your network, and distribute them to other servers from there.
Database update schedule
We release new updates to our GeoIP2 and GeoLite2 databases on a regular schedule as follows:
Database - Update Schedule
GeoIP2 Country - Every Tuesday and Friday.
GeoIP2 City - Every Tuesday and Friday.
GeoIP2 Connection Type - Every Tuesday and Friday.
GeoIP2 ISP - Every Tuesday and Friday.
GeoIP2 Domain Name - Every Tuesday and Friday.
GeoIP2 Anonymous IP - Every day.
GeoIP2 Enterprise - Every Tuesday and Friday.
GeoLite2 Country - Every Tuesday and Friday.
GeoLite2 City - Every Tuesday and Friday.
GeoLite2 ASN - Every Tuesday and Friday.
Currently I am using the same MaxMind account and license key in 2 routers.
Do I understand correctly that refreshing MaxMind GeoLite2 more often than once a day is simply flooding MaxMind servers with unnecessary requests and generally makes no sense?
But Suricata has shared "refresh interval" with Rule Updates, so I should keep it 12H?
And pfBlockerNG has shared "refresh interval" with De-Duplication/CIDR Aggregation so I should keep it 1H?
Will Suricata "eat" download slots separately from pfBlockerNG?
Does pfBlockerNG somehow optimize GETs and check the last modification timestamp using HEAD requests to avoid hitting the 24H "free limit" prematurely? (HEAD requests seem not to count toward the total 24h GET GeoLite2 request limit)
-
@sandie
https://forum.netgate.com/topic/186704/pfblockerng-v3-2-0_9 ;)
I had thought that MaxMind updated monthly…
I would think each download counts.
Re: dedupe, be aware pfBlocker dedupes across lists so if you use them in separate deny or allow rules you may be omitting IP blocks for some of those.
-
@SteveITS Hi Steve,
thanks for the reply. So in routers where both pfBlockerNG and Suricata are installed (say: pfBlockerNG with 1H refresh interval and Suricata with 12H refresh interval) I may hit the daily REQs limit? (24 + 2 = 26)
So generally two routers with such configuration should rather use 2 different MaxMind accounts and license keys?
It would be good to make a small optimization to the MaxMind db download engine and probe for "last modification"/"expires" with HEAD requests, then eventually raise GETs, to avoid wasting the MaxMind daily download limit.
(Maybe MaxMind will support "If-Modified-Since" too? who knows...)
Thanks for the dedupe comment! It is very valuable.
-
@sandie I'm pretty sure it doesn't download the MaxMind database at every cron...have you checked the pfBlocker logs? I have a few countries set to Alias Native, and set to Weekly, and it looks like it's updating every Monday.
Remote timestamp: Sat, 16 Mar 2024 03:01:02 GMT
Local timestamp: Mon, 11 Mar 2024 09:30:06 GMT
Update found
-
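The timestamp comparison shown in the log lines above, and the HEAD-before-GET idea raised earlier in the thread, replayed as an added example; this is not pfBlockerNG or Suricata code and not part of any post. It assumes, as the thread suggests, that HEAD requests do not count toward the download limit, and the two-router schedule is constructed from the intervals mentioned in the thread.

```python
from email.utils import parsedate_to_datetime

# Timestamps taken from the pfBlocker log lines quoted in the thread.
REMOTE = "Sat, 16 Mar 2024 03:01:02 GMT"
LOCAL = "Mon, 11 Mar 2024 09:30:06 GMT"
GEOLITE_DAILY_LIMIT = 30  # per-account figure quoted from the MaxMind page


def update_available(remote_last_modified, local_timestamp):
    """True when the server's Last-Modified is newer than the local copy."""
    return (parsedate_to_datetime(remote_last_modified)
            > parsedate_to_datetime(local_timestamp))


def gets_for_client(head_results, local_timestamp):
    """Replay one client's scheduled runs for a day.

    head_results: the Last-Modified value a HEAD would return at each run.
    Returns (GETs when gated by HEAD, GETs when every run downloads).
    """
    gated, local = 0, local_timestamp
    for remote in head_results:
        if update_available(remote, local):
            gated += 1
            local = remote  # the fresh copy now carries the remote timestamp
    return gated, len(head_results)


def account_usage(clients):
    """Sum both strategies over every client that shares one account."""
    gated = sum(gets_for_client(runs, LOCAL)[0] for runs in clients)
    ungated = sum(gets_for_client(runs, LOCAL)[1] for runs in clients)
    return gated, ungated


# Constructed scenario: two routers, each with pfBlockerNG on a 1H interval
# (24 runs) and Suricata on a 12H interval (2 runs), with one database
# release visible all day.
ROUTER = [[REMOTE] * 24, [REMOTE] * 2]
TWO_ROUTERS = ROUTER + ROUTER

if __name__ == "__main__":
    gated, ungated = account_usage(TWO_ROUTERS)
    print(f"HEAD-gated GETs: {gated}, unconditional GETs: {ungated}, "
          f"limit: {GEOLITE_DAILY_LIMIT}")
```
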
@SteveITS Well, will have to check logs but when I had empty MaxMind Account ID then new alerts/errors were triggered each hour in my case.
-
I don't even have maxmind enabled and I still got the warning about how it requires an account and also showed yellow on main page.
Nevermind; reviewing an old config backup I did have maxmind enabled as well as a key.
-
@skogs said in pfBlockerNG v.3.2.0_8 upgrade (from _7) on 23.09.1 (stable pfSense+) caused blank "MaxMind Account ID" and problems:
Nevermind; reviewing an old config backup I did have maxmind enabled as well as a key.
As of today you need not only a key, you will also need to insert an Account ID;
this is only in pfBNG 3.2.0_9 and not in pfBNG 3.2.0_8. I mean the field for the
Account ID is only present in version _9 and not in version _8. Can this be the problem?
-
@Dobby_ said in pfBlockerNG v.3.2.0_8 upgrade (from _7) on 23.09.1 (stable pfSense+) caused blank "MaxMind Account ID" and problems:
not in the version _8
3.2.0_8 is the current version for pfSense Plus. (and has the account key)
-
@SteveITS Confirm. I could be wrong, but I thought the error popup still only said key.
-
@SteveITS said in pfBlockerNG v.3.2.0_8 upgrade (from _7) on 23.09.1 (stable pfSense+) caused blank "MaxMind Account ID" and problems:
3.2.0_8 is the current version for pfSense Plus. (and has the account key)
Ah, my mistake, he is on 23.09.01; I overlooked that.
On 24.03 with version _09 I got the errors, added the 6-digit
account ID, and all was right.