Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    What is the proper way to allow Geo access to specific country?

    pfBlockerNG
    5
    16
    1833
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chudak
      chudak last edited by chudak

      I realized that when on vacation outside of the US say in Mexico I can't ping/access my router/VPN server because I blocked all counties expect the US.

      Which is the good news.
      Now say I want to allow access from Mexico for example, an I could not find a way to do so. I guess I don't know all steps.

      I tried:
      in GeoIP Permit Both for South America and also tried adding Mexico in the IPv4 Reputation/IPv4 Country Exclusion

      What am I missing ?
      @BBcan177 ping :)

      PS: I think, the way to use VPN to the US first is a good way, but would like to understand how to do the same via pfbNG settings

      1 Reply Last reply Reply Quote 0
      • B
        BSA66 last edited by BSA66

        Howdy @chudak , I'm just new to pfBlocker and yeah, firewalling at all. I just shortly set up pfBlocker and I guess I've read sth like a Deny Rule would be at higher priority than a (direct or indirect?) Permit Rule... If not already done: try a check on this matter in your individual case.

        Anyway, I just searched for Mexico, it is also in the Top20 List so if on this list there should be Mexico still be on a Deny then, unfortunately, at least as I get it, it will also remain denied even if it shouldn't be on a Deny Rule on the North America list itself.
        -> Check whether you disabled Mexico on all lists / direct, not intentionally implied any invert rules on these

        As you know pfBlocker is working on our Policys by creating Firewall Rules for us so if in any of those Rules there should any IP or range match to any Deny Rule / List this particular one should still get denied even if it should have been cleared on any another List up or down of the just mentioned list itself.
        For example: I got Russia on several Deny Rules. If I accidentally should take it out on any of those lists all the matches on the other lists or yet even one single activated Country on any List should still lead it to Deny.
        Sorry for my not best english but I hope you get my point here. Anyway, greets from Germany btw.



        Anyway, and by this way... Respect and a Big Thumb UP to @BBcan177
        Thank you for this great tool - it's just amazing 👍

        chudak 1 Reply Last reply Reply Quote 0
        • chudak
          chudak @BSA66 last edited by

          @bsa66

          Thanks for your reply.
          That sounds complicated !
          :(

          1 Reply Last reply Reply Quote 0
          • B
            BSA66 last edited by BSA66

            Oh yeah, you're right, I apologize. As it's even new to me I maybe was just a little bit overcomplicating...or mixing it up at all...really not necessary.

            But anyway, hey, you'll make it.

            • Go on Firewall - pfBlocker -> and there the well known GeoIP Tab
            • Check both possible blocks, so the one on the North America and after once again especially on the Top20 List to work out that Mexico will not get blocked by the one or even the other List Alias Rule

            If it should get a block on any list it will just remain blocked - because every single block leads to a block! :)

            If you've checked and saved both lists also don't forget to go on that upper row on the Update Tab and simply "Force" your new Update to your Rules.
            And that should have been all. Finished :-)

            BTW Just for being sure...maybe you want to Force a Reload, too...because actually I am not that sure if it might be both necessary? But anyway it shouldn't harm. Just check before any usage of that "Force" the remaining Time for the Next Scheduled CRON Event and that it does NOT overlap each other (chances are low, but just to be safe on that particular failing point...)


            PS As I do not know and do not even want to know anything about your own and private Setup... Always make sure that any Traffic to your own Network remotely stays always encrypted by your OWN VPN. The worst case might be if someone got special parts of your traffic scanned and getting able to access your setup. I'd always keep that in mind and maybe even over my own VPN never send any Login Data remotely unless I'm 100% sure to be secured.

            B chudak 2 Replies Last reply Reply Quote 0
            • B
              BSA66 @BSA66 last edited by

              This post is deleted!
              1 Reply Last reply Reply Quote 0
              • chudak
                chudak @BSA66 last edited by

                @bsa66

                I see your point.
                Now my issue is - say you want to go to Europe, Amsterdam and be able to connect from there.

                Do you you see that the way you described is easy and more importantly can be tested before you left ?

                There are out to be an easy way to turn on and off country access.

                But what that is ...

                1 Reply Last reply Reply Quote 0
                • B
                  BSA66 last edited by

                  Yes, you're right. It might be sth like a blind flight (In Germany we say so, say like flying with both eyes closed)...
                  In that case I would have had two options, I see.
                  One is the trusting in the Solution as much as is possible, what I recommend and just check all Lists for that Country I am going to and be sure that I even made that "Force Update" to be sure that the Firewall Rules are updated with the new Statements.
                  Second Option might be, if it should be an unsafe Country, to purchase an external VPN for that time just for not having to connect to my own (more unsecured) VPN. (but IDK if Mexico is like that..)

                  Actually I guess it is really easy if the rules will be applied before such a situation comes up.

                  The only thing I never (!) would do is to get into my own Network remotely. (others do, and are fine with that..anyway)
                  I do not mean into the subtunneled VPN that should be logically separated from the rest of the Network but I mean to login anywhere instead of that VPN, e.g. for reconfiguring or so.

                  Hey, if you're on a Journey / Holidays I wish you a very nice Time, enjoy your time. (and stay safe)

                  chudak 1 Reply Last reply Reply Quote 0
                  • chudak
                    chudak @BSA66 last edited by

                    @bsa66

                    Happy Holidays to you too !

                    1 Reply Last reply Reply Quote 0
                    • JeGr
                      JeGr LAYER 8 Moderator last edited by

                      I'm reading so much about buying VPN so you can dial into and have a US IP so you can access your firewall. But why on earth do you not just allow yourself to connect via VPN to your own pfSense instance (globally)? There's no real point to limit e.g. a VPN dial in port to the US only - so why not simply open the OpenVPN port (or configure it to something else) globally and have your VPN and be good? Much simpler than controlling if your IP is allowed or not and much more secure as you don't have to leave any other ports open?

                      Greets

                      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                      chudak 1 Reply Last reply Reply Quote 0
                      • chudak
                        chudak @JeGr last edited by

                        @jegr

                        I acknowledged in the initial post:

                        "PS: I think, the way to use VPN to the US first is a good way, but would like to understand how to do the same via pfbNG settings"

                        So yes this is a way.

                        However, in case you need to connect to your pfSense router via OpenVPN you would need to have another VPN (not using OpenVPN UI) in order to connect to the US first. And usually in the 3d countries Internet speeds maybe low and it maybe difficult.

                        Thx

                        JeGr 1 Reply Last reply Reply Quote 0
                        • S
                          SteveITS last edited by SteveITS

                          Here is how we do it:
                          In Firewall/pfBlockerNG/IPv4 add an alias, for example we have "GeoIP US v4". Under IPv4 Lists we have two entries looking at two files that pfBlocker creates already...change the country code as desired:
                          /usr/local/share/GeoIP/cc/US_v4.txt
                          /usr/local/share/GeoIP/cc/US_rep_v4.txt
                          The header/label column is not important AFAIK but we have used the country code, e.g. ITS_GeopIP_US and ITS_GeopIP_USr.
                          List Action = Alias Native.
                          That creates an alias under Firewall/Aliases/URLs. Use that to create an allow rule for the US, or in your case Mexico. Disable the allow rule when you return.
                          It has been a while but you may need to manually run Update in pfBlocker to get it to generate the file for this alias, or wait until the update process next runs.

                          Steve

                          Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
                          When upgrading, let it finish; do not reboot early. Allow 10-15 minutes, or more depending on packages and device speed.

                          1 Reply Last reply Reply Quote 0
                          • JeGr
                            JeGr LAYER 8 Moderator @chudak last edited by

                            @chudak said in What is the proper way to allow Geo access to specific country?:

                            However, in case you need to connect to your pfSense router via OpenVPN you would need to have another VPN (not using OpenVPN UI) in order to connect to the US first. And usually in the 3d countries Internet speeds maybe low and it maybe difficult.

                            Why? Why would I need to connect to the US first and THEN connect to the pfSense box? That is exactly the question I was asking because it makes absolutely no sense for me. VPNs and in this case OpenVPN as road warrior VPN solution is secure enough so you open up that port to "the world/internet" and be done with it. I see no sense whatsoever in geo-blocking anything from outside the US and open up ports only to US only IPs if you are actually talking about going abroad and then have problems accessing. If you stay in the US and won't ever go anywhere else - fine, block all but US IPs but I see no actual security gain in doing so, especially if you use OpenVPN with two factors (user/pass + cert etc. or even adding OTP to it).

                            List Action = Alias Native.
                            depending on the pfBNG version (-devel or not) I'd use "Alias Allow" but otherwise, @teamits is right in how to get the GeoIPs as Alias for your own rule to use.

                            But as explained above, I see no sense in that.

                            Cheers

                            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                            chudak 1 Reply Last reply Reply Quote 0
                            • chudak
                              chudak @JeGr last edited by

                              @jegr

                              Isn't it basis pfSense concept ? => Have all traffic blocked unless something needs to be specifically open?

                              Interesting!

                              I do personally open ports and work around geo-blocking.

                              Thx
                              YuriW

                              JeGr 1 Reply Last reply Reply Quote 0
                              • johnpoz
                                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                                It's not just a pfsense thing, but security 101 practice of least privilege.

                                Sure if you could lock down to specific source IP sure.. But you have no idea where your going to be right... Why are you making it more difficult for yourself.. If you know your going to be traveling..

                                If your really paranoid you could lock down your vpn access to only the countries your going to be in.. But what happens when whatever network your connected to while traveling has their geoip stuff messed up in the databases.. And now you can not vpn in?

                                Openvpn when correctly configured is more than secure enough to just leave it open to the world.. I don't even travel and have mine wide open. Just not worth the hassle to lock it down to source IP for my use..

                                You never know where there is going to be mixup in the geoip stuff... Shoot one our IP blocks out of parent /16 was being listed as being in Vietnam for gosh sakes... I tried for months to get it fixed - and to be honest still think its wrong... But since we shutdown that connection anyway not worth messing with any more.. I submitted the correct to maxmind multiple times - and they only update it like the 2nd tuesday of the month.. So by time you didn't notice it didn't update, now you have to wait another month after submitting to see if corrected..

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                                1 Reply Last reply Reply Quote 0
                                • JeGr
                                  JeGr LAYER 8 Moderator @chudak last edited by

                                  @chudak said in What is the proper way to allow Geo access to specific country?:

                                  Isn't it basis pfSense concept ? => Have all traffic blocked unless something needs to be specifically open?
                                  Interesting!
                                  I do personally open ports and work around geo-blocking.

                                  No it's a basic firewall principle to start with "block all" and work yourself up. So do it: you're saying you're going to travel and have to access the firewall/your home network from abroad/external sources. Then open exactly the minimum: a VPN port for you to securely(!) connect to your FW or LAN. End of story. Nothing insecure nor open more than it needs to be.

                                  Otherwise what @johnpoz said.

                                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                  chudak 1 Reply Last reply Reply Quote 0
                                  • chudak
                                    chudak @JeGr last edited by

                                    @jegr

                                    That's what I do :)

                                    The goal for initial questions was to learn how-tos , but general discussion about how users use home network is very useful !

                                    Thank you all!

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post