Netgate Discussion Forum
    can't get GeoIP to work

    pfBlockerNG
    5 Posts 3 Posters 995 Views
    jesscanada

      I am using pfSense 2.4.4-RELEASE-p3. A few days ago I installed pfBlockerNG 2.1.4_22. I am trying to block IPs by country.

      I have set up a free MaxMind account and put the key in. On the pfBlockerNG General page, I clicked the checkbox for Enable pfBlockerNG. I checked the box for Global Logging. Inbound Firewall Rules is set to WAN and Block, and Outbound Firewall Rules is set to LAN and Reject. Rule Order is | pfB_Block/Reject | All other Rules | (original format).

      I've gone to pfBlockerNG->Firewall->GeoIP and blocked every country in each continent, except the countries I do want (United States, India, and New Zealand). On each continent page I set the List Action to Deny Inbound. I clicked Save on each continent page, and then went to the Update tab and did a Force Update.

      It doesn't work at all - I still get lots of international traffic. The pfBlocker widget on the Dashboard page lists 0 in the packets column for every continent. Going to System Logs->Firewall does not show anything related to the recent pfBlocker setup. All it has is a bunch of "block bogon IPv6 networks from WAN (11000)" entries, the most recent of which is 5/28/2020.

      I have gone to Diagnostics->Command Prompt and entered "/usr/local/www/pfblockerng/pfblockerng.php dc" (quotes included) in the Execute PHP Commands box, as I saw suggested on another friend. It gave me a blank PHP Response.

      I also went to System->Advanced, Firewall & NAT and set the Firewall Maximum Table Entries to 600000 (was 400000).

      Here is the output of the most recent Force Update I've done:

       UPDATE PROCESS START [ 06/02/20 15:52:36 ]
      
      Clearing all DNSBL Feeds... 
      ** DNSBL Disabled **
      
      
      ===[  Continent Process  ]============================================
      
      MaxMind Database downloading and processing ( approx 4MB ) ... Please wait ...
      
      Download Process Starting [ 06/02/20 15:52:36 ]
       /usr/local/share/GeoIP/GeoLite2-Country.tar.gz		200 OK
      . /usr/local/share/GeoIP/GeoLite2-Country-CSV.zip		200 OK
      Download Process Ended [ 06/02/20 15:52:37 ]
      
      Country code update Start
       Converting MaxMind Country databases for pfBlockerNG.
       Processing ISO IPv4 Continent/Country Data
       Processing ISO IPv6 Continent/Country Data [ 06/02/20 15:52:45 ]
       Creating pfBlockerNG Continent XML files
       IPv4 Africa			 [ 06/02/20 15:52:48 ]
       IPv6 Africa			
       IPv4 Antarctica		
       IPv6 Antarctica		
       IPv4 Asia			
       IPv6 Asia			 [ 06/02/20 15:52:49 ]
       IPv4 Europe			 [ 06/02/20 15:52:50 ]
       IPv6 Europe			 [ 06/02/20 15:52:52 ]
       IPv4 North America		 [ 06/02/20 15:52:53 ]
       IPv6 North America		 [ 06/02/20 15:52:54 ]
       IPv4 Oceania			 [ 06/02/20 15:52:55 ]
       IPv6 Oceania			
       IPv4 South America		
       IPv6 South America		
       IPv4 Proxy and Satellite	
       IPv6 Proxy and Satellite	
       IPv4 TOP 20			
       IPv6 TOP 20			
       pfBlockerNG Reputation Tab
      Country Code Update Ended [ 06/02/20 15:52:56 ]
      
      
      [ pfB_Africa_v4 ]	 exists. [ 06/02/20 15:52:56 ]
      [ pfB_Africa_v6 ]	 exists.
      [ pfB_Asia_v4 ]		 exists.
      [ pfB_Asia_v6 ]		 exists.
      [ pfB_Europe_v4 ]	 exists.
      [ pfB_Europe_v6 ]	 exists.
      [ pfB_NAmerica_v4 ]	 exists.
      [ pfB_NAmerica_v6 ]	 exists.
      [ pfB_Oceania_v4 ]	 exists.
      [ pfB_Oceania_v6 ]	 exists.
      [ pfB_SAmerica_v4 ]	 exists.
      [ pfB_SAmerica_v6 ]	 exists.
      
      ===[  Aliastables / Rules  ]==========================================
      
      No changes to Firewall rules, skipping Filter Reload
      No Changes to Aliases, Skipping pfctl Update
      
       UPDATE PROCESS ENDED
      
      

      I also have two notices showing up (the bell at the top-right of the screen). They are:

      Filter Reload
      
          There were error(s) loading the rules: /tmp/rules.debug:33: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [33]: table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt"
          @ 2020-06-02 13:47:53
          There were error(s) loading the rules: /tmp/rules.debug:33: cannot define table pfB_Europe_v4: Cannot allocate memory - The line in question reads [33]: table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt"
          @ 2020-06-02 14:55:14
      

      Does anyone have any ideas for what I should do for troubleshooting?

        SteveITS Galactic Empire

        What hardware / how much RAM does it have?
        Perhaps try allowing those three countries rather than blocking all other IPs? (might be a smaller list to fit into RAM)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          jesscanada

          Thanks for the response. It is running in a virtual machine. The Dashboard reports the CPU type as Intel(R) Xeon(R) CPU E5-2690 v3 @ 2.60GHz and every time I check it shows 29% of 1951 MiB RAM used.

          I think you have a good suggestion. I can change those Deny Inbound settings on the different continents to Allow Inbound just for the three countries, but how will that stop the other countries? We have several ports open (80, 443, and 22, off the top of my head). Do I set a Deny All somewhere, and only then set the Allow Inbounds for the 3 countries? How do I do that?

          Thanks for your help!

            SteveITS Galactic Empire

            The "cannot define table" is the firewall table size, e.g. https://forum.netgate.com/topic/45603/cannot-define-table-bogonsv6-cannot-allocate-memory

            Adding all countries to a deny rule would be essentially loading every IP subnet in the world (minus the three).

            We've generally used geo blocking on clients with NAT but it should be similar setup for just firewall rules. We set up an alias native table:
            [attached screenshot]
            Simply change the country code letters for other countries. The files exist on disk.

            Then in the NAT rule the Source is the pfB alias (type pfB and it will autocomplete).

            In other words:
            allow US
            allow India
            allow New Zealand
            (default deny rule will deny all others)


              DaddyGo
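The "cannot define table ... Cannot allocate memory" notice and the allow-only-three-countries suggestion both come down to one budget: the Firewall Maximum Table Entries limit is shared by every pf table loaded from /tmp/rules.debug. Added example, not code from the thread or from pfBlockerNG: it parses the notice, counts entries per aliastables file in load order, and reports which alias first exceeds the limit. The per-continent entry counts are constructed stand-ins, not real MaxMind figures.

```python
import re
from typing import Dict, List, Optional

# Added example, not pfSense/pfBlockerNG code. pfSense writes each pfBlockerNG
# alias to /var/db/aliastables/<alias>.txt (one CIDR per line) and loads them as
# pf tables under one global limit, "Firewall Maximum Table Entries".
NOTICE_RE = re.compile(r"cannot define table (?P<table>\S+): Cannot allocate memory")

# Notice text as quoted in the thread.
NOTICE = ('There were error(s) loading the rules: /tmp/rules.debug:33: cannot define '
          'table pfB_Europe_v4: Cannot allocate memory - The line in question reads [33]: '
          'table <pfB_Europe_v4> persist file "/var/db/aliastables/pfB_Europe_v4.txt"')


def failing_tables(notices: List[str]) -> List[str]:
    """Pull the table names out of pfSense 'Filter Reload' error notices."""
    return [m.group("table") for n in notices if (m := NOTICE_RE.search(n))]


def count_entries(text: str) -> int:
    """Count usable entries in an aliastables file (skip blank and comment lines)."""
    return sum(1 for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))


def first_table_over_budget(tables: Dict[str, str], max_entries: int) -> Optional[str]:
    """Walk aliases in load (rules.debug) order and return the first one whose
    load pushes the cumulative entry count past max_entries, else None."""
    used = 0
    for name, text in tables.items():  # dict order stands in for rules.debug order
        used += count_entries(text)
        if used > max_entries:
            return name
    return None


def synthetic_aliastable(n: int) -> str:
    """Constructed stand-in for a GeoIP aliastables file with n /24 prefixes."""
    lines = ["# constructed sample, not MaxMind data"]
    lines += [f"{(i >> 16) % 223 + 1}.{(i >> 8) & 255}.{i & 255}.0/24" for i in range(n)]
    return "\n".join(lines)


# "Deny every continent except three countries": roughly the whole IPv4 table.
DENY_LAYOUT = {name: synthetic_aliastable(n) for name, n in [
    ("pfB_Africa_v4", 60000), ("pfB_Asia_v4", 180000), ("pfB_Europe_v4", 200000),
    ("pfB_NAmerica_v4", 120000), ("pfB_Oceania_v4", 20000), ("pfB_SAmerica_v4", 50000)]}

# "Allow US, IN, NZ and let the default deny drop the rest": three small tables.
ALLOW_LAYOUT = {name: synthetic_aliastable(n) for name, n in [
    ("pfB_US_v4", 90000), ("pfB_IN_v4", 15000), ("pfB_NZ_v4", 3000)]}
```

With the constructed sizes the deny layout fails at pfB_Europe_v4 under the default 400000 limit and still fails (at pfB_SAmerica_v4) under 600000, while the allow layout fits comfortably.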

              The package maintainer's (BBcan177) long-standing suggestion is to use pfBlockerNG-devel (current: 2.2.5_32).
              There are plenty of fixes in it (this also applies to GeoIP).

              [attached screenshot]

              BTW: this also applies to the pfSense version (2.4.5)

              Cats bury it so they can't see it!
              (You know what I mean if you have a cat)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.