Another block for no good reason
-
I have another block for no good reason. What I've been able to track down is that this IP: 172.56.10.220 (T-Mobile) is getting blocked from connecting to the VPN because the IP keeps getting blocked like so:
It says "US_rep_v4 172.56.8.0/22"
...however, it's in the ALLOW list in the IP Geo Block like so:
...so the "US_rep" isn't selected. The IP is on the list / the network is on the list as a US based IP but it's blocking it anyway?
What gives...?
It says source "unknown". Regardless of whether it's known or unknown should it be blocking it? It's on the US list.
Any insight as to why this is happening? It seems like a bug / problem.
Thanks.
-
@wolfsden3 said in Another block for no good reason:
172.56.8
grep "172.56.8." /usr/local/share/GeoIP/cc/*.txt
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.56.8.0/22
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.56.8.0/22
/usr/local/share/GeoIP/cc/US_rep_v4.txt:172.56.8.0/22
/usr/local/share/GeoIP/cc/VI_v4.txt:172.56.8.0/22
So that range is in both VI_v4.txt and US_rep_v4.txt; the Filterlog service reports one of the 3 it finds.
Try putting the allow rule before the deny rules. Or put the IP or Network in a Whitelist group.
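An added example (not part of the reply above, and not pfBlockerNG code): a text search for 172.56.10.220 would not match the 172.56.8.0/22 entry that covers it, so this script does CIDR containment and returns every list file with an entry covering a given address. The function names and the `US_v4.txt` entry are assumptions for illustration; the directory and the other three entries come from the grep output above.

```python
import ipaddress
from pathlib import Path

# Directory taken from the grep in the post above.
GEOIP_DIR = Path("/usr/local/share/GeoIP/cc")

def parse_cidrs(lines):
    """Yield networks from list lines, skipping blanks, comments and junk."""
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            yield ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a CIDR; ignore rather than abort the scan

def covering_lists(ip, lists):
    """Return sorted (list_name, cidr) pairs whose CIDR contains ip.

    lists maps a list name to an iterable of text lines.
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, lines in lists.items():
        for net in parse_cidrs(lines):
            if net.version == addr.version and addr in net:
                hits.append((name, str(net)))
    return sorted(hits)

def load_dir(directory=GEOIP_DIR, pattern="*_v4.txt"):
    """Read every matching list file into the mapping covering_lists expects."""
    return {p.name: p.read_text().splitlines() for p in Path(directory).glob(pattern)}

# Constructed sample: the three files and the /22 come from the grep output
# above; the US_v4.txt entry is made up for contrast (assumption).
SAMPLE = {
    "North_America_v4.txt": ["172.56.8.0/22"],
    "US_rep_v4.txt": ["# constructed comment line", "172.56.8.0/22"],
    "VI_v4.txt": ["172.56.8.0/22"],
    "US_v4.txt": ["198.51.100.0/24"],
}

if __name__ == "__main__":
    for name, cidr in covering_lists("172.56.10.220", SAMPLE):
        print(f"{name}: {cidr}")
```

On the firewall itself, `covering_lists("172.56.10.220", load_dir())` runs the same check against the real list files.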
-
Looks exactly like my problem https://forum.netgate.com/topic/162857/problem-after-pfblockerng-devel-3-0-0_16-update/15
Did you figure out the cause and fix it?
Thx
-
@chudak Hi - oddly enough I believe my IPs being blocked for a VPN user were T-Mobile too!
Perhaps they are not reporting them correctly to the GEO IP service because they are so noob...who knows.
To fix this I had to go into my IPv4 "localnet" where it adds them when you click on the + button on the block list I believe and manually add in that network to the white list.
Totally lame:
Edit by clicking the pencil then scroll down to the section where you can add in the IPs:
Here are a few of my entries, I don't like white listing T-Mobile but it's OK, it's just annoying to have to manually do this.
-
When I use + to add to the white list they are blocked anyway!
Don't know WTH
Hope maybe the next release will fix it. If you look in my post, I found several USA IPs mis-mapped and blocked as well. So GeoIP may be messed up, but it feels like there may be more hidden bugs...
-
@chudak I noticed that sometimes when I make changes to PFBng lately that I've had to go to the general tab and untick the enable button. Save it / apply it. Then tick it back on, save it / apply it.
After that it reloads properly.
I don't know what the difference between that and an actual reload from the updates tab is but there's definitely something.
Try that!
I've emailed bbcan about my problems and some others. We'll see what he has to say. PFBng seems to get buggier and buggier the further along in development it gets.
-
Cool, let me know if you hear back from @BBcan177
-
See this thread https://forum.netgate.com/topic/162883/disable-action-does-not-work/16?_=1618355648005
Maybe helpful