Netgate Discussion Forum

    pfBlocker GeoIP rules getting confused?

    General pfSense Questions
      njaimo

      I've recently noted that pfBlocker may be confusing IPs...? The example below is from my firewall logs, where the auto rule from pfBlocker for Africa is blocking an IP that is within the US... any ideas? The source device is my WAP. There is also my NVR that is being blocked by the pfB auto rule for Asia, where the destination IP is also within the US. In both cases it is the NTP port.

      a8fdec1c-5924-48a5-802b-8b25bb9779ef-image.png

      ...any ideas as to what may be going on with my setup? I have pfBlocker set up to help me figure out what unwanted outgoing traffic I may have (have a couple of teenagers at home...)

        stephenw10 Netgate Administrator

        That is entirely dependent on the accuracy of the MaxMind GeoIP database. You could try looking up the IP directly with them to verify. If it shows correctly as the US there, then the local database may be out of date for some reason.

          njaimo @stephenw10

          @stephenw10 Thanks for the info, makes sense. I had assumed that each country had a given set of IPs that were "labeled" as theirs, for example "102" as in the IP above was to be used only by, say, South Africa (just an example) and thus all IPs that started with "102" were to originate in SA -- clearly I was mistaken. The auto pfB IP list for Africa in my current pfB has quite a few IPs that start with 102; perhaps the particular one that is being flagged as being in the US maybe used to be in Africa and just has not been changed. It would seem that keeping track of all this would be a bit of a nightmare without a convention like the one I mention above.

          Anyways, seems this issue could make pfB difficult to use for discerning outgoing traffic from LANs etc.

            stephenw10 Netgate Administrator

            Yes, the world of IP geolocating is not that simple, unfortunately. IP ranges can change at any time. The MaxMind database is usually pretty good though.

              njaimo @stephenw10

              @stephenw10 Thanks again. I've submitted a correction suggestion to MaxMind for the IP. I assume that the regular scheduled auto updates of pfBlocker databases within my pfSense also update MaxMind's free GeoIP database as well -- I noticed the free GeoIP database is updated by MaxMind every month. Cheers
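Added example, not part of the thread and not pfBlockerNG or MaxMind code: a sketch of why a block list built from an older GeoIP snapshot can disagree with current data, and why the first octet alone does not identify a region. It assumes a simplified `cidr,region` text format and hypothetical function names, and uses constructed sample data on RFC 5737 documentation prefixes.

```python
import ipaddress

# Constructed snapshots in a simplified "cidr,region" form (an assumption:
# this is not MaxMind's or pfBlockerNG's file format). The prefixes are
# RFC 5737 documentation ranges, not real allocations.
STALE_SNAPSHOT = """\
198.51.100.0/24,Africa
203.0.113.0/24,Asia
"""
FRESH_SNAPSHOT = """\
198.51.100.0/25,Africa
198.51.100.128/25,North America
203.0.113.0/24,Asia
"""

def parse_snapshot(text):
    """Return a list of (network, region) tuples from 'cidr,region' lines."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cidr, region = line.split(",", 1)
        table.append((ipaddress.ip_network(cidr.strip()), region.strip()))
    return table

def lookup(table, ip):
    """Longest-prefix match: the most specific covering network wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, region) for net, region in table if addr in net]
    if not matches:
        return None  # address is not covered by any listed prefix
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def disagreements(ips, stale, fresh):
    """List (ip, old_region, new_region) where the two snapshots differ."""
    rows = []
    for ip in ips:
        old, new = lookup(stale, ip), lookup(fresh, ip)
        if old != new:
            rows.append((ip, old, new))
    return rows

if __name__ == "__main__":
    stale, fresh = parse_snapshot(STALE_SNAPSHOT), parse_snapshot(FRESH_SNAPSHOT)
    blocked = ["198.51.100.10", "198.51.100.200", "203.0.113.7"]  # constructed
    for ip, old, new in disagreements(blocked, stale, fresh):
        print(f"{ip}: local list says {old}, newer data says {new}")
```

Addresses that show up in the disagreement list are the ones worth checking against the upstream lookup before trusting the firewall log's region label.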

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.