Netgate Discussion Forum

    Allow access from Europe

    General pfSense Questions
    22 Posts 4 Posters 828 Views
    • NogBadTheBadN
      NogBadTheBad @chudak
      last edited by NogBadTheBad

      @chudak I do it slightly differently: I do a Geo block on a bunch of countries and allow IPsec from everywhere else.

      Screenshot 2024-07-30 at 17.04.45.png

      But if you wanted to enable certain countries you'd use something like my disabled ssh / sftp rule.

      Screenshot 2024-07-30 at 17.06.05.png

      Screenshot 2024-07-30 at 17.07.02.png

      You just need to enable the country pre-visit and hope the country is in the alias.

      Is your issue the rule order in pfBlocker?

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        One option is to set up a dyndns account and always allow access from that. Then you can always update it from wherever you are and connect from there as a fallback option. Though you may have to wait for it to update at the pfSense end.

        • chudakC
          chudak @NogBadTheBad
          last edited by chudak

          @NogBadTheBad

          I think my issue is pfBlockerNG

          Thx it's very interesting.

          I need to allow OpenVPN only.
          I suspect Tailscale does not care.

          And do you test?

          • chudakC
            chudak @stephenw10
            last edited by

            @stephenw10 said in Allow access from Europe:

            One option is to set up a dyndns account and always allow access from that. Then you can always update it from wherever you are and connect from there as a fallback option. Though you may have to wait for it to update at the pfSense end.

            I don't get it.
            Can you elaborate?

            I have DDNS names already set up

            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Install the dyndns client on your laptop, for example. Then run the update from wherever you are. Have a rule that passes traffic from that above the pfBlocker block rules.

              • chudakC
                chudak @stephenw10
                last edited by

                @stephenw10 said in Allow access from Europe:

                Install the dyndns client on your laptop, for example. Then run the update from wherever you are. Have a rule that passes traffic from that above the pfBlocker block rules.

                I see

                Wonder if I can do this trick using the same DDNS name on different machines: iPhone, iPad etc?

                What I am not clear on is why you think that the FW rules will win over the pfBlockerNG block, if used from overseas.

                • stephenw10S
                  stephenw10 Netgate Administrator @chudak
                  last edited by

                  @chudak said in Allow access from Europe:

                  why do you think that the FW rules will win over pfBlockerNG block, if used from overseas.

                  You have to put them above the pfBlocker rules as I said. Otherwise pfBlocker will obviously block that traffic first.

                  @chudak said in Allow access from Europe:

                  Wonder if I can do this trick using the same DDNS name on different machines: iPhone, iPad etc?

                  If they are all behind the same public IP address then sure. And you'd only need to run the client on one of them.

                  • chudakC
                    chudak @stephenw10
                    last edited by chudak

                    @stephenw10 said in Allow access from Europe:

                    @chudak said in Allow access from Europe:

                    You have to put them above the pfBlocker rules as I said. Otherwise pfBlocker will obviously block that traffic first.

                    Of course, I forgot about the order of the rules!

                    @chudak said in Allow access from Europe:

                    Wonder if I can do this trick using the same DDNS name on different machines: iPhone, iPad etc?

                    If they are all behind the same public IP address then sure. And you'd only need to run the client on one of them.

                    Cool, so I will use it on iPhone and iPad. All I need is to find a good DDNS iOS client.

                    Any clues how to test it from the US?

                    • NogBadTheBadN
                      NogBadTheBad @chudak
                      last edited by

                      @chudak my rule is for enabling ssh from the UK where I'm based, so it's easy to test. I just switch the two rules on when required; otherwise they are off.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      • NogBadTheBadN
                        NogBadTheBad @chudak
                        last edited by

                        @chudak said in Allow access from Europe:

                        Any clues how to test it from the US?

                        You could sign up to a VPN provider, create a connection to Germany, policy route a subnet hanging via the German VPN connection, and then try and run your VPN connection to home over it.

                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        • stephenw10S
                          stephenw10 Netgate Administrator @chudak
                          last edited by

                          @chudak said in Allow access from Europe:

                          Any clues how to test it from the US?

                          Just run it from somewhere in the US and then try to connect. You will see states and traffic on your pass rule if it's being used. It will only be used if the dyndns is being correctly updated and resolved.

                          • chudakC
                            chudak @stephenw10
                            last edited by chudak

                            @stephenw10 said in Allow access from Europe:

                            Install the dyndns client on your laptop, for example. Then run the update from wherever you are. Have a rule that passes traffic from that above the pfBlocker block rules.

                            Regarding the FW rule.

                            I added an alias and a new rule before pfBlockerNG in the floating section.

                            So far I see no traffic

                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              Yes just use the hostname in an alias. By default pfSense resolves it every 300s. You can reduce that if required in Sys > Adv > Firewall but you probably don't need to. The TTL is often higher than that anyway.

                              • chudakC
                                chudak @stephenw10
                                last edited by

                                @stephenw10
                                Did you actually do this kind of set up?

                                So far I don't see it working.

                                Here is what I have

                                added DDNS "full_access"
                                added alias "full_access"
                                added a rule on WAN interface to all protocols any destination
                                placed the rule in the Floating above pfB rules

                                At this point, I assume I can access all my network resources from any network from my iPhone as long as DDNS "full_access" is my iPhone IP address

                                And it does not work so far :(

                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Check that the rule is still at the top of the list. pfBlocker can re-create its rules at the top of the list depending on how you have it set.

                                  Check the floating rule is set to quick.

                                  Make sure pfSense can resolve 'full_access' to the correct IP address.

                                  chudakC 1 Reply Last reply Reply Quote 0
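The three checks in the post above (rule position relative to the pfBlocker rules, the quick flag on the floating rule, and the alias resolving to the right address) can be seen in a small model of pf rule evaluation. This is an added example, not part of the thread and not pfSense or pfBlockerNG code; the simplified rule lines, the interface name `igb0`, the table name `pfB_Europe_v4` and all addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: table contents as `pfctl -t <name> -T show` would list them.
TABLES = {
    "full_access": ["198.51.100.23"],      # hostname alias: last address pfSense resolved
    "pfB_Europe_v4": ["198.51.100.0/24"],  # hypothetical pfBlockerNG GeoIP table
}
# Constructed rule lines in simplified `pfctl -sr` form.
DENY = 'block drop in log inet all label "Default deny rule IPv4"'
BLOCK = 'block drop in log quick on igb0 inet from <pfB_Europe_v4> to any label "pfB_Europe_v4"'
ALLOW = 'pass in {q}on igb0 inet from <full_access> to any flags S/SA keep state label "full_access"'

RULE_RE = re.compile(r'^(pass|block)\b.*?(?:\bfrom <(\w+)> to any|\ball\b)')

def parse_rules(text):
    """Return (action, quick, source_table) per rule; table is None for 'all'."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), " quick " in line, m.group(2)))
    return rules

def in_table(ip, table, tables):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in tables.get(table, []))

def evaluate(rules, src_ip, tables):
    """pf semantics: last matching rule wins; a matching 'quick' rule ends evaluation."""
    verdict = "pass"  # pf's implicit default if no rule matches
    for action, quick, table in rules:
        if table is None or in_table(src_ip, table, tables):
            verdict = action
            if quick:
                break
    return verdict

def scenario(allow_first, quick, tables=TABLES, src="198.51.100.23"):
    """Verdict for src with the alias pass rule above or below the pfB block rule."""
    allow = ALLOW.format(q="quick " if quick else "")
    user_rules = [allow, BLOCK] if allow_first else [BLOCK, allow]
    return evaluate(parse_rules("\n".join([DENY] + user_rules)), src, tables)

if __name__ == "__main__":
    print("pass rule below pfB block:", scenario(False, True))
    print("above pfB, not quick:     ", scenario(True, False))
    print("above pfB, quick:         ", scenario(True, True))
    stale = dict(TABLES, full_access=["192.0.2.10"])
    print("above, quick, stale alias:", scenario(True, True, stale))
```

Only the combination of "above the pfB rule", "quick" and an alias table holding the client's current address yields a pass; on a real firewall the same three facts are read from `pfctl -sr` and `pfctl -t full_access -T show`.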
                                  • chudakC
                                    chudak @stephenw10
                                    last edited by chudak

                                    @stephenw10 said in Allow access from Europe:

                                    Check that the rule is still at the top of the list. pfBlocker can re-create its rules at the top of the list depending on how you have it set.

                                    Check the floating rule is set to quick.

                                    Make sure pfSense can resolve 'full_access' to the correct IP address.

                                    I can't make it work :( and pfB keeps moving all rules on top

                                    But found a good site to test global ping when playing with pfB
                                    https://www.jsdelivr.com/globalping

                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Yes pfBlocker puts its rules at the top by default. You need to change the rule handling to allow custom rules above it.

                                      Or you can use a pass rule for the dyndns name in pfBlocker so it gets added at the top anyway.

                                      Is pfSense resolving the host correctly?

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.