Pass Alias for GeoIP not working



  • Good morning All,

    I have done some searching but not found a functional solution to my issue so I am hoping someone can help.

    We implemented pfBlockerNG with GeoIP and shortly after implementation a customer (in the Philippines) contacted us that they could no longer reach our sites. I went to GeoIP and deselected the two Philippines entries in Asia, updated pfB and asked them to test - no joy. The logs show the IP is still being blocked by the pfB floating rule. I searched around and found the suggestion to add an alias to the IPv4 section with a custom list, set it as Permit Both and change the Rule Order so pfB_Pass/Match was the first option. This put a new pass rule into the floating rules at the top as expected. I then had them test - no joy. Finally I disabled the Asia and Alias/Pass rules in the Floating Rules ... had them test - it worked. Unfortunately I cannot leave the Asia rule disabled so I turned it back on, leaving them without connectivity once again.

    I am new to pfSense and pfBlockerNG so I'm not really sure how to approach this issue, especially since there is a 14 hour time difference making testing a very delayed and time consuming process.

    A couple of thoughts:

    The setup of the Pass/Alias is messed up?
    The IPs I need to pass are not actually registered to the Philippines locales in the pfB table but some other country in that region.

    So, how can I cross-reference a given IP set to the pfB locales table, and how do I troubleshoot the Pass/Alias functionality?

    Thanks in advance for your assistance.



  • @trohm said in Pass Alias for GeoIP not working:

    Good morning All,

    I have done some searching but not found a functional solution to my issue so I am hoping someone can help.

    We implemented pfBlockerNG with GeoIP and shortly after implementation a customer (in the Philippines) contacted us that they could no longer reach our sites. I went to GeoIP and deselected the two Philippines entries in Asia, updated pfB and asked them to test - no joy. The logs show the IP is still being blocked by the pfB floating rule. I searched around and found the suggestion to add an alias to the IPv4 section with a custom list, set it as Permit Both and change the Rule Order so pfB_Pass/Match was the first option. This put a new pass rule into the floating rules at the top as expected. I then had them test - no joy. Finally I disabled the Asia and Alias/Pass rules in the Floating Rules ... had them test - it worked. Unfortunately I cannot leave the Asia rule disabled so I turned it back on, leaving them without connectivity once again.

    I am new to pfSense and pfBlockerNG so I'm not really sure how to approach this issue, especially since there is a 14 hour time difference making testing a very delayed and time consuming process.

    A couple of thoughts:

    The setup of the Pass/Alias is messed up?
    The IPs I need to pass are not actually registered to the Philippines locales in the pfB table but some other country in that region.

    So, how can I cross-reference a given IP set to the pfB locales table, and how do I troubleshoot the Pass/Alias functionality?

    Thanks in advance for your assistance.

    I'm not an expert myself, but without seeing your firewall rules and knowing exactly what you want to accomplish no one can really advise you. I also don't know your level of comfort with computers, so what I am going to recommend may require a few trips to Google, but it's not that complicated if you take a bit of time with it. (That's what I had to do a year or so ago when I set up my firewall.)

    It is possible the GeoIP data is not correct, but as long as you know the IP range you want to pass, and place an appropriate rule in the chain before the GeoIP block rules, it won't matter. A properly written and placed rule will override anything that follows.

    If things are not working then:

    • The rule is in the wrong order or on the wrong interface
    • You have the wrong IP (address/range) for the permit rule.
    • The pfBlocker rules have not been properly updated after you made your changes.

    Where I would start is to log into the firewall with the shell and execute:

    pfctl -vvsr | less

    (This will allow you to see the actual rules being used by your firewall, and what order they are in. This is my "go to" any time I can't figure things out from the GUI - thanks to @Derelict a couple of years ago. Looking at the actual rules as you make changes will let you know what is REALLY going on.)

    It can appear a bit daunting, but you should be able to figure out which rule is your permit rule and which rules are the GeoIP block rules, and make sure your order is correct.

    If you can't find your rule then you know the firewall didn't update correctly or you didn't create the rule properly or you have found a bug.

    Once you find out what is going on, you can either fix the problem or ask a specific question. Hope that helps.


  • LAYER 8 Netgate

    Yeah. /tmp/rules.debug is also a good place to start. It's a little easier to read.



  • @derelict said in Pass Alias for GeoIP not working:

    Yeah. /tmp/rules.debug is also a good place to start. It's a little easier to read.

    Do you know when/how this file is created? (On firewall reload?? or something else)



  • @guardian

    My comfort with computers and firewalls is quite high; I have been dealing with these things for quite some time, but the FW front has been almost exclusively Cisco. In my past I implemented/maintained GeoIP solutions without hesitation or issue, but here in the pfS/pfB world the same logic and processing does not seem to apply.

    The GeoIP certainly seems to work OK - when the Asia floating rule is active they cannot get through; when the floating rule is disabled they can.

    pfB automatically creates the rules and by default puts them in as Floating rules. Therefore I cannot put a rule ahead of the GeoIP rules as I understand Floating rules are always processed before any of the "static" rules applied to a given interface.

    The tests were isolated to only one IP/host to eliminate any confusion with subnets.

    I will look into that command and see what it reports.



  • @guardian
    I am still plowing through the output of the command but I'm not seeing the level of organization I have in the past. Normally I would see all the rules for a given interface, then the rules for the next and so on. What I am seeing is rules sequenced @1, @2, etc., but they jump from interface to interface without any seeming order... is this truly how pfS processes the rules?

    Originally I did ask a specific question - "how can I cross-reference a given IP set to the pfB locales table"... can anyone shed any light on this? Being able to properly identify a country/sub-region within a GeoIP region. With this information I can possibly go into the GeoIP setup and remove that country/sub-region from the block..... thoughts??

    Thanks
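The cross-reference asked about above can be done offline against the aliastable files themselves, without waiting for the customer to test. The script below is an added example, not code from this thread or from the pfBlockerNG project: it parses files in the format pfBlockerNG loads into its pf tables (one network per line, `#` comments) and reports which tables contain a given address, then says whether the address is blocked without being in the permit alias (wrong IP in the alias, or wrong region in GeoIP) or is in both (a rule-order problem). The table names, the sample networks (RFC 5737 documentation ranges) and the on-disk paths are constructed assumptions; point `load_tables_from_disk` at your own files.

```python
"""Cross-reference an IP address against pfBlockerNG-style aliastable files.

Added example, not part of the forum thread. The table contents below are
CONSTRUCTED from RFC 5737 documentation ranges, and the table names and any
file paths are assumptions standing in for your own pfB aliastables.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample tables: string contents standing in for the files pf
# loads. A bare address (no prefix) is treated as a /32, as pf does.
SAMPLE_TABLES: Dict[str, str] = {
    "pfB_Asia_v4": """
# constructed: pretend these are the networks the Asia GeoIP rule blocks
203.0.113.0/24
198.51.100.0/25
""",
    "pfB_Oceania_v4": """
# constructed: a neighbouring region list, to show a mis-attributed address
198.51.100.128/25
""",
    "pfB_Permit_v4": """
# constructed: the custom permit alias the admin created
198.51.100.200
""",
}


def parse_table(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one aliastable: one network per line, '#' starts a comment."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in the prefix, and turns a
        # bare address into a /32, matching how pf interprets table entries.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def lookup(ip: str, tables: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {table_name: [matching networks]} for every table containing ip."""
    addr = ipaddress.ip_address(ip)
    hits: Dict[str, List[str]] = {}
    for name, text in tables.items():
        matching = [str(n) for n in parse_table(text) if addr in n]
        if matching:
            hits[name] = matching
    return hits


def classify(ip: str, tables: Dict[str, str],
             permit_table: str = "pfB_Permit_v4") -> Tuple[str, List[str]]:
    """Summarise the address's situation: (verdict, blocking tables).

    - not in any block table: pfB is not what is blocking it
    - in a block table but not the permit alias: fix the alias or GeoIP selection
    - in both: the permit rule is not winning, so check floating rule order
    """
    hits = lookup(ip, tables)
    blocking = sorted(t for t in hits if t != permit_table)
    if not blocking:
        return ("not_in_any_block_table", [])
    if permit_table in hits:
        return ("blocked_but_in_permit_alias_check_rule_order", blocking)
    return ("blocked_and_missing_from_permit_alias", blocking)


def load_tables_from_disk(paths: Dict[str, str]) -> Dict[str, str]:
    """Read real aliastable files as {table_name: path}; paths are yours to supply."""
    tables = {}
    for name, path in paths.items():
        with open(path, encoding="utf-8") as fh:
            tables[name] = fh.read()
    return tables


if __name__ == "__main__":
    for probe in ("198.51.100.200", "203.0.113.5", "192.0.2.1"):
        print(probe, lookup(probe, SAMPLE_TABLES), classify(probe, SAMPLE_TABLES))
```

Run on the firewall's own aliastable files, this answers the "which region does the customer's IP really fall in" question directly; the sample deliberately places the customer address in the neighbouring region's list rather than the one that was deselected. On the firewall itself, `pfctl -t <tablename> -T test <ip>` asks pf the same question about the table currently loaded in the kernel, which also confirms whether the last reload actually picked up the change.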


  • LAYER 8 Netgate

    @guardian It is created by any rule change. That is the file pf actually loads to implement the rule set. Or at least a copy of the same.



    @trohm ... AFAIK pfctl -vvsr is the live firewall ruleset that the kernel is using. The number in parentheses, for example @24(1000000110), is the rule number that you see in the logs.

    I would suggest that you find a way to implement a proper "allow rule". An unexpected GEOIP change could easily break something. You can also keep your rules tighter.



    @guardian I would gladly implement a proper allow rule if someone can provide proper instructions as to how this is accomplished while using GeoIP and floating rules.


  • Moderator

    @trohm said in Pass Alias for GeoIP not working:

    pfB automatically creates the rules and by default puts them in as Floating rules. Therefore I cannot put a rule ahead of the GeoIP rules as I understand Floating rules are always processed before any of the "static" rules applied to a given interface.

    You can select from one of the predefined Auto rule orders in the General tab (or in the IP Tab for pfBlockerNG-devel which is much improved).

    If one of those auto-rule options does not work for your network needs, you can use "Alias type" action settings, and manually create the firewall rules and associate the pfB aliastables. Click on the blue infoblock icons in the IP tab for more details.