Netgate Discussion Forum

GeoIP blocking problems - Need help, please!

pfBlockerNG
2 Posts 2 Posters 215 Views
    GoldenMean, Sep 17, 2020, 1:30 PM

    Re: GeoIP: Wrong country-continent combinations are permitted?

    I have a related problem for which I could use help.
    I have a security tunnel agent running on my work laptop. It creates tunnel sessions to the proxy in the cloud and internal business systems. Without it, my work laptop cannot function properly. The target IP addresses show in MaxMind correctly as USA and assigned to my company:
    165.156.24.100 = US, Canton, Michigan, United States, North America
    165.156.24.115 = US, Canton, Michigan, United States, North America
    165.156.24.79 = US, Canton, Michigan, United States, North America

    However, the agent cannot connect and the firewall shows the traffic blocked due to the auto-rule: pfB_Asia_v4 auto rule (1770008664)
    [Image: Capture.JPG]

    If I disable (or match) the IP > GeoIP Asia auto rule, all works fine.
    I noticed that in ntopng, one or more of these IPs is assigned to India and I do NOT have India selected in the GeoIP Asia IPv4 list. As a matter of fact, it does not matter if I select or de-select individual countries in that list. The traffic gets blocked.
    [Image: Capture2.JPG]
    It does not matter whether the rules are set as floating or on the interfaces.
    I also cannot find a way to set the GeoIP Asia IPv4 auto rule to block enabled and bypass it for these IP addresses. I have already tried the pfBlockerNG > IP > IPv4 Suppression and this did not work. I also tried manual pass/allow rules above the pfB_Asia_v4 auto rule, but these fail because the auto rule ALWAYS re-sorts itself above the manual rule, regardless of any other settings. I have tried various Firewall 'Auto' Rule Order settings and found them to be unreliable, or too cryptic for my understanding to make some combination work.

    I see multiple issues here:

    • Why is the auto rule in pfBlockerNG placing these IP addresses in India (Asia)?

    • Why do individual selections of countries in the GeoIP Asia rule not seem to work? And possibly [probably] others as well?

    • Where or how should one place IP exceptions so that they are ignored and pass traffic which might otherwise be blocked by pfBlockerNG?

    SteveITS, Sep 17, 2020, 3:43 PM (last edited by SteveITS Sep 17, 2020, 3:44 PM)

      It could be an error in the third party database being downloaded. Or, IPs "move" (https://azure.microsoft.com/en-us/blog/windows-azures-use-of-non-us-ipv4-address-space-in-us-regions/).

      To allow an IP you need a firewall rule above it. What I often do is set up an Alias Native alias and can then use it in whatever NAT or firewall rule I want (which allows ordering). The files are downloaded and stored on disk by country code:
      [Image: e21f386f-a1f0-41b8-832f-08634edf26db-image.png]
      Remember to run an Update in pfBlocker after creating the entry, to generate the alias.

      As pfBlocker notes, you can also block all by default and just allow the desired IPs or countries.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!
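Both posts turn on the same question: which country-code list actually contains the blocked address, and why a correct US entry does not help once the address also sits in a list that feeds the Asia table. The script below is an added example, not code from pfBlockerNG or from either poster. It loads per-country CIDR lists in the one-network-per-line form pfBlockerNG keeps on disk (the `XX_v4.txt` file naming and the directory path are assumptions; use the location shown in the answer's screenshot), reports every list and network covering an address, and then shows what pf actually evaluates: membership in any list that feeds the continent table, not a longest-prefix decision across lists. The sample lists and the Asia membership set are constructed for the demo, and the overlapping /16 and /24 are made up to stand in for the stale-allocation case the answer describes.

```python
"""Find which pfBlockerNG country-code GeoIP list(s) cover an IP address.

Added example, not code from pfBlockerNG or from the forum posters.
Assumed on-disk layout: one CIDR-per-line file per country code, named
like IN_v4.txt; the directory is a placeholder you must point at the
location your install shows in the pfBlockerNG GeoIP log/screenshot.
"""
import ipaddress
import os
from typing import Dict, Iterable, List, Tuple

# Constructed sample lists standing in for the per-country files (not real
# MaxMind data). The /16 under IN overlapping the /24 under US mimics an
# address range that "moved" but is still listed under its old country.
SAMPLE_LISTS: Dict[str, List[str]] = {
    "IN_v4": ["# constructed sample", "165.156.0.0/16", "103.21.244.0/22"],
    "US_v4": ["165.156.24.0/24", "8.8.8.0/24"],
    "SG_v4": ["8.8.4.0/24"],
    "DE_v4": ["9.9.9.0/24"],
}

# Country codes assumed to feed the continent list behind pfB_Asia_v4 in
# this demo; the real membership comes from the downloaded GeoIP data.
ASIA = {"IN", "SG", "CN", "JP"}

Network = ipaddress.IPv4Network


def parse_lists(raw: Dict[str, Iterable[str]]) -> Dict[str, List[Network]]:
    """Parse CIDR lines per list, skipping blank lines and '#' comments."""
    parsed: Dict[str, List[Network]] = {}
    for name, lines in raw.items():
        nets = []
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            nets.append(ipaddress.ip_network(line, strict=False))
        parsed[name] = nets
    return parsed


def load_dir(geoip_dir: str) -> Dict[str, List[Network]]:
    """Read every *_v4.txt in the (assumed) GeoIP directory into the same shape."""
    raw: Dict[str, List[str]] = {}
    for fname in sorted(os.listdir(geoip_dir)):
        if fname.endswith("_v4.txt"):
            with open(os.path.join(geoip_dir, fname)) as fh:
                raw[fname[:-4]] = fh.readlines()
    return parse_lists(raw)


def matches(ip: str, lists: Dict[str, List[Network]]) -> List[Tuple[str, str]]:
    """All (list name, network) pairs covering ip, most specific first.

    This is the explanatory view: it shows every list that claims the address,
    so a stale entry under one country is visible next to the correct one.
    """
    addr = ipaddress.ip_address(ip)
    hits = [(name, net) for name, nets in lists.items() for net in nets if addr in net]
    hits.sort(key=lambda h: h[1].prefixlen, reverse=True)
    return [(name, str(net)) for name, net in hits]


def blocking_continent_lists(ip: str, lists: Dict[str, List[Network]],
                             continent=ASIA) -> List[str]:
    """Lists in `continent` that cover ip.

    This is what pf sees: the continent table is the union of its country lists,
    so any hit here puts the address in the table and the block rule fires,
    regardless of a more specific entry in some other country's list.
    """
    return [name for name, _ in matches(ip, lists) if name.split("_")[0] in continent]


if __name__ == "__main__":
    lists = parse_lists(SAMPLE_LISTS)
    for ip in ("165.156.24.100", "165.156.24.115", "165.156.24.79"):
        print(ip, "covered by", matches(ip, lists),
              "-> in Asia table via", blocking_continent_lists(ip, lists))
```

On the firewall itself the live check is `pfctl -t pfB_Asia_v4 -T test 165.156.24.100`, which reports whether the address is in the table pf is enforcing right now; run it again after a pfBlockerNG Update to confirm that a changed country selection actually reached the table, since the rule only consults the table, not the checkbox state.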

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.