Netgate Discussion Forum

What is the proper way to allow Geo access to specific country?

pfBlockerNG
    chudak, Dec 10, 2018, 5:27 PM (last edited Dec 10, 2018, 8:52 PM)

    I realized that when on vacation outside of the US, say in Mexico, I can't ping/access my router/VPN server because I blocked all countries except the US.

    Which is the good news.
    Now say I want to allow access from Mexico, for example, and I could not find a way to do so. I guess I don't know all the steps.

    I tried:
    in GeoIP, Permit Both for South America, and also tried adding Mexico in IPv4 Reputation/IPv4 Country Exclusion

    What am I missing?
    @BBcan177 ping :)

    PS: I think the way of using a VPN to the US first is a good way, but I would like to understand how to do the same via pfBNG settings

      BSA66, Dec 11, 2018, 4:47 AM (last edited Dec 11, 2018, 5:16 AM)

      Howdy @chudak, I'm just new to pfBlocker and yeah, to firewalling at all. I only recently set up pfBlocker and I guess I've read something like a Deny rule would be at higher priority than a (direct or indirect?) Permit rule... If not already done: try a check on this matter in your individual case.

      Anyway, I just searched for Mexico; it is also in the Top20 list, so if Mexico should still be on a Deny on this list then, unfortunately, at least as I get it, it will also remain denied even if it shouldn't be on a Deny rule on the North America list itself.
      -> Check whether you disabled Mexico on all lists / directly, and did not unintentionally imply any invert rules on these

      As you know, pfBlocker works on our policies by creating firewall rules for us, so if in any of those rules any IP or range should match any Deny rule / list, this particular one should still get denied even if it should have been cleared on any other list above or below the list just mentioned.
      For example: I have Russia on several Deny rules. If I accidentally took it out on any of those lists, all the matches on the other lists, or even one single activated country on any list, should still lead it to Deny.
      Sorry for my not-best English, but I hope you get my point here. Anyway, greets from Germany btw.

      Anyway, and by the way... Respect and a big thumbs up to @BBcan177
      Thank you for this great tool - it's just amazing 👍

        chudak, replying to @BSA66, Dec 11, 2018, 4:31 PM

        @bsa66

        Thanks for your reply.
        That sounds complicated!
        :(

          BSA66, Dec 11, 2018, 7:04 PM (last edited Dec 11, 2018, 7:13 PM)

          Oh yeah, you're right, I apologize. As it's even new to me, I maybe was just a little bit overcomplicating... or mixing it up at all... really not necessary.

          But anyway, hey, you'll make it.

          • Go to Firewall -> pfBlocker -> and there the well-known GeoIP tab
          • Check both possible blocks, so the one on the North America list and after that once again especially on the Top20 list, to work out that Mexico will not get blocked by the one or the other list alias rule

          If it should get a block on any list it will just remain blocked - because every single block leads to a block! :)

          If you've checked and saved both lists, also don't forget to go to that upper row on the Update tab and simply "Force" your new update to your rules.
          And that should have been all. Finished :-)

          BTW, just to be sure... maybe you want to Force a Reload, too... because actually I am not that sure whether both might be necessary? But anyway it shouldn't harm. Just check before any use of that "Force" the remaining time until the next scheduled CRON event and that they do NOT overlap each other (chances are low, but just to be safe on that particular failure point...)

          PS As I do not know and do not even want to know anything about your own private setup... Always make sure that any traffic to your own network remotely always stays encrypted by your OWN VPN. The worst case might be if someone got special parts of your traffic scanned and became able to access your setup. I'd always keep that in mind and maybe even over my own VPN never send any login data remotely unless I'm 100% sure to be secure.

              chudak, replying to @BSA66, Dec 11, 2018, 8:49 PM

              @bsa66

              I see your point.
              Now my issue is - say you want to go to Europe, Amsterdam, and be able to connect from there.

              Do you see that the way you described is easy and, more importantly, can be tested before you leave?

              There ought to be an easy way to turn country access on and off.

              But what that is ...

                BSA66, Dec 12, 2018, 3:25 PM

                Yes, you're right. It might be something like a blind flight (in Germany we say so, like flying with both eyes closed)...
                In that case I would have two options, I see.
                One is trusting the solution as much as possible, which I recommend, and just checking all lists for the country I am going to and being sure that I even made that "Force Update", to be sure that the firewall rules are updated with the new statements.
                The second option might be, if it should be an unsafe country, to purchase an external VPN for that time just for not having to connect to my own (more unsecured) VPN. (But IDK if Mexico is like that...)

                Actually I guess it is really easy if the rules are applied before such a situation comes up.

                The only thing I never (!) would do is to get into my own network remotely. (Others do, and are fine with that... anyway.)
                I do not mean into the sub-tunneled VPN that should be logically separated from the rest of the network, but I mean logging in anywhere instead of that VPN, e.g. for reconfiguring or so.

                Hey, if you're on a journey / holidays I wish you a very nice time, enjoy your time. (And stay safe.)

                  chudak, replying to @BSA66, Dec 12, 2018, 3:47 PM

                  @bsa66

                  Happy Holidays to you too!

                    JeGr (LAYER 8 Moderator), Dec 13, 2018, 10:21 AM

                    I'm reading so much about buying a VPN so you can dial in and have a US IP so you can access your firewall. But why on earth do you not just allow yourself to connect via VPN to your own pfSense instance (globally)? There's no real point in limiting e.g. a VPN dial-in port to the US only - so why not simply open the OpenVPN port (or configure it to something else) globally and have your VPN and be good? Much simpler than controlling whether your IP is allowed or not, and much more secure as you don't have to leave any other ports open.

                    Greets

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                      chudak, replying to @JeGr, Dec 13, 2018, 4:09 PM

                      @jegr

                      I acknowledged in the initial post:

                      "PS: I think the way of using a VPN to the US first is a good way, but I would like to understand how to do the same via pfBNG settings"

                      So yes, this is a way.

                      However, in case you need to connect to your pfSense router via OpenVPN you would need to have another VPN (not using the OpenVPN UI) in order to connect to the US first. And usually in 3rd-world countries Internet speeds may be low and it may be difficult.

                      Thx

                        SteveITS (Galactic Empire), Dec 13, 2018, 5:04 PM

                        Here is how we do it:
                        In Firewall/pfBlockerNG/IPv4 add an alias, for example we have "GeoIP US v4". Under IPv4 Lists we have two entries looking at two files that pfBlocker creates already...change the country code as desired:
                        /usr/local/share/GeoIP/cc/US_v4.txt
                        /usr/local/share/GeoIP/cc/US_rep_v4.txt
                        The header/label column is not important AFAIK but we have used the country code, e.g. ITS_GeopIP_US and ITS_GeopIP_USr.
                        List Action = Alias Native.
                        That creates an alias under Firewall/Aliases/URLs. Use that to create an allow rule for the US, or in your case Mexico. Disable the allow rule when you return.
                        It has been a while, but you may need to manually run Update in pfBlocker to get it to generate the file for this alias, or wait until the update process next runs.

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!

                          JeGr (LAYER 8 Moderator), replying to @chudak, Dec 17, 2018, 9:10 AM
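The alias-based approach in the post above (two country files merged into one allow alias, then used in a single allow rule) can be dry-run before travelling, which is what chudak asked for earlier in the thread. The following Python script is an added example, not code from the forum or from the pfBlockerNG project. It assumes the country files pfBlockerNG writes under /usr/local/share/GeoIP/cc/ contain one IPv4 network in CIDR notation per line (verify that against your own files); the networks embedded in it are constructed documentation ranges, not real GeoIP data, and the script and function names (check_alias.py, parse_cc_file, build_alias, matches, check_sources) are hypothetical.

```python
"""Dry-run check for a pfBlockerNG country alias before travelling.

Added example, not code from the forum thread or from the pfBlockerNG project.
It assumes the per-country files pfBlockerNG writes under
/usr/local/share/GeoIP/cc/ (e.g. MX_v4.txt and MX_rep_v4.txt) hold one IPv4
network in CIDR notation per line; blank lines and lines starting with '#'
are tolerated. That layout is an assumption: confirm it against your own files.
The network data below is constructed from documentation ranges, not GeoIP data.
"""
import ipaddress
import sys
from pathlib import Path
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed stand-ins for the two files an "MX" alias would reference.
SAMPLE_MX_V4 = """\
# constructed sample, not MaxMind/pfBlockerNG data
192.0.2.0/24
198.51.100.128/25

203.0.113.0/24
"""
SAMPLE_MX_REP_V4 = """\
192.0.2.0/25
203.0.113.0/24
"""


def parse_cc_file(text: str) -> List[IPv4Net]:
    """Parse one country list into networks; reject anything that is not IPv4 CIDR.

    A malformed line is an error rather than silently skipped, because a line
    the package would not load is exactly what a pre-trip check should surface.
    """
    nets: List[IPv4Net] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not a network") from exc
        if net.version != 4:
            raise ValueError(f"line {lineno}: {line!r} is not IPv4")
        nets.append(net)
    return nets


def build_alias(*file_texts: str) -> List[IPv4Net]:
    """Merge several country files the way a single alias does, dropping
    duplicates and subnets already covered by a larger entry."""
    merged: List[IPv4Net] = []
    for text in file_texts:
        merged.extend(parse_cc_file(text))
    return list(ipaddress.collapse_addresses(merged))


def matches(ip: str, nets: Iterable[IPv4Net]) -> bool:
    """True if the source address falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)  # an IPv6 address never matches


def check_sources(ips: Iterable[str], nets: Iterable[IPv4Net]) -> Dict[str, bool]:
    """Map each candidate source address to whether the allow rule would match."""
    nets = list(nets)
    return {ip: matches(ip, nets) for ip in ips}


def load_alias_from_disk(*paths: str) -> List[IPv4Net]:
    """Same merge, but reading the real files on the pfSense box."""
    return build_alias(*(Path(p).read_text() for p in paths))


if __name__ == "__main__":
    # Real use on the firewall (paths are the ones the thread names, country code changed):
    #   python3 check_alias.py 203.0.113.7 /usr/local/share/GeoIP/cc/MX_v4.txt \
    #       /usr/local/share/GeoIP/cc/MX_rep_v4.txt
    if len(sys.argv) > 2:
        alias = load_alias_from_disk(*sys.argv[2:])
        candidates = [sys.argv[1]]
    else:  # no arguments: run against the constructed sample data
        alias = build_alias(SAMPLE_MX_V4, SAMPLE_MX_REP_V4)
        candidates = ["192.0.2.10", "198.51.100.5", "2001:db8::1"]
    for ip, ok in check_sources(candidates, alias).items():
        print(f"{ip:>16}  {'ALLOWED' if ok else 'not in alias'}")
```

Run it with the address you expect to arrive from (for example the public address the remote network hands out, as reported by any "what is my IP" service) and the two country files. A "not in alias" result before you leave means the GeoIP database places that address somewhere else, which is the mis-attribution failure mode johnpoz describes later in the thread; a parse error means the file does not look like what the alias expects and the Update/Force step in the thread has probably not been run yet.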

                          @chudak said in What is the proper way to allow Geo access to specific country?:

                          However, in case you need to connect to your pfSense router via OpenVPN you would need to have another VPN (not using OpenVPN UI) in order to connect to the US first. And usually in the 3d countries Internet speeds maybe low and it maybe difficult.

                          Why? Why would I need to connect to the US first and THEN connect to the pfSense box? That is exactly the question I was asking, because it makes absolutely no sense to me. VPNs, and in this case OpenVPN as a road warrior VPN solution, are secure enough that you open up that port to "the world/internet" and be done with it. I see no sense whatsoever in geo-blocking anything from outside the US and opening up ports only to US IPs if you are actually talking about going abroad and then having problems accessing. If you stay in the US and won't ever go anywhere else - fine, block all but US IPs, but I see no actual security gain in doing so, especially if you use OpenVPN with two factors (user/pass + cert etc. or even adding OTP to it).

                          List Action = Alias Native.
                          Depending on the pfBNG version (-devel or not) I'd use "Alias Allow", but otherwise @teamits is right in how to get the GeoIPs as an alias for your own rule to use.

                          But as explained above, I see no sense in that.

                          Cheers

                            chudak, replying to @JeGr, Dec 17, 2018, 3:34 PM

                            @jegr

                            Isn't it a basic pfSense concept? => Have all traffic blocked unless something needs to be specifically opened?

                            Interesting!

                            I do personally open ports and work around geo-blocking.

                            Thx
                            YuriW

                              johnpoz (LAYER 8 Global Moderator), Dec 17, 2018, 4:17 PM (last edited Dec 17, 2018, 4:20 PM)

                              It's not just a pfSense thing, but security 101: the practice of least privilege.

                              Sure, if you could lock down to a specific source IP, sure.. But you have no idea where you're going to be, right... Why are you making it more difficult for yourself.. if you know you're going to be traveling..

                              If you're really paranoid you could lock down your VPN access to only the countries you're going to be in.. But what happens when whatever network you're connected to while traveling has their geoip stuff messed up in the databases.. And now you can not VPN in?

                              OpenVPN, when correctly configured, is more than secure enough to just leave open to the world.. I don't even travel and have mine wide open. Just not worth the hassle to lock it down to source IP for my use..

                              You never know where there is going to be a mixup in the geoip stuff... Shoot, one of our IP blocks out of the parent /16 was being listed as being in Vietnam, for gosh sakes... I tried for months to get it fixed - and to be honest still think it's wrong... But since we shut down that connection anyway, not worth messing with any more.. I submitted the correction to MaxMind multiple times - and they only update it like the 2nd Tuesday of the month.. So by the time you notice it didn't update, now you have to wait another month after submitting to see if it's corrected..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                JeGr (LAYER 8 Moderator), replying to @chudak, Dec 19, 2018, 3:43 PM

                                @chudak said in What is the proper way to allow Geo access to specific country?:

                                Isn't it a basic pfSense concept? => Have all traffic blocked unless something needs to be specifically opened?
                                Interesting!
                                I do personally open ports and work around geo-blocking.

                                No, it's a basic firewall principle to start with "block all" and work yourself up. So do it: you're saying you're going to travel and have to access the firewall/your home network from abroad/external sources. Then open exactly the minimum: a VPN port for you to securely(!) connect to your FW or LAN. End of story. Nothing insecure nor open more than it needs to be.

                                Otherwise what @johnpoz said.

                                  chudak, replying to @JeGr, Dec 19, 2018, 8:44 PM

                                  @jegr

                                  That's what I do :)

                                  The goal of the initial question was to learn how-tos, but general discussion about how users use their home network is very useful!

                                  Thank you all!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.