Problem after pfBlockerNG-devel 3.0.0_16 update
-
Hello all
I noticed a new problem after the latest update.
My home network is inaccessible via ping or OpenVPN from an external cell phone network, e.g. from my iPhone on T-Mobile.
After digging more (and blaming my ISP and T-Mobile) I found that the pfBNG North America rule blocks all traffic.
I wonder why the pfB_NAmerica_v4 rule does it?
What does GeoIP PR mean?
Maybe a typo somewhere or something?
PR_v4 172.58.88.0/21
T-Mobile net - 172.58.x.x
Thx
@BBcan177 FYI
-
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
What does GeoIP PR mean?
Puerto Rico
grep "172.58.88." /usr/local/share/GeoIP/cc/*.txt
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/PR_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/US_rep_v4.txt:172.58.88.0/21
-
@ronpfs said in Problem after pfBlockerNG-devel 3.0.0_16 update:
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
What does GeoIP PR mean?
Puerto Rico
grep "172.58.88." /usr/local/share/GeoIP/cc/*.txt
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/PR_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/US_rep_v4.txt:172.58.88.0/21
Why Puerto Rico if I am in San Francisco CA?!
-
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
Why Puerto Rico if I am in San Francisco CA?!
Review North America GeoIP settings.
-
I don't see what to review there :(
All countries except USA selected and I did not touch it for a long time.
And then why is the T-Mobile net blocked?
PR_v4 172.58.88.0/21
That seems like the main suspect, no?
-
@chudak You have 80 IPv4 items selected, click on the "..."
-
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
And then why is the T-Mobile net blocked?
GeoIP isn't perfect, and only updates once a month.
Put that IP or range in a Permit group, or change strategy from Blocking the world to Allowing some countries ;-)
-
In addition, adding to the whitelist does not seem to be working:
clicked on + in the pfBNG report and added the IP
force reload
the IP is shown as added
verified it's listed in "IPv4 Custom_List"
verified pfB_Whitelist_v4 rule is on top of the FW rules
ping still blocked by pfB_NAmerica_v4 auto rule (1770009871)
?!
(Tried disabling North America in GeoIP; after force reload, traffic passes)
-
@chudak Maybe... "Allowing the world to blocking some countries". It's more difficult to block all and let a few be allowed than allow (almost) everything and block specific traffic imo.
-
@gerardomdp said in Problem after pfBlockerNG-devel 3.0.0_16 update:
@chudak Maybe... "Allowing the world to blocking some countries". It's more difficult to block all and let a few be allowed than allow (almost) everything and block specific traffic imo.
I agree, I was a bit confused by this :)
-
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
verified pfB_Whitelist_v4 rule is on top of the FW rules
What do your FW Rules look like? Did you click the "Quick" box?
You can use the Report tab "+" to create a Whitelist group and see how it's configured.
-
@ronpfs said in Problem after pfBlockerNG-devel 3.0.0_16 update:
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
verified pfB_Whitelist_v4 rule is on top of the FW rules
What do your FW Rules look like? Did you click the "Quick" box?
You can use the Report tab "+" to create a Whitelist group and see how it's configured.
The rule looks like:
Little confused by White_List_ports, but I never modified it manually
Port 80, don't know why.
Quick "Apply the action immediately on match." checked
Anything wrong?
-
Something is really fishy.
Either my North America setup all of a sudden got messed up, or pfBNG messed up the GeoIP list, or the MaxMind GeoIP list is bad.
I did some testing pinging my router from different locations using NordVPN:
SF CA 172.58.94.230 blocked by pfB_NAmerica_v4 (PR_v4 172.58.88.0/21) (no VPN)
SF CA 192.145.118.74 blocked by pfB_NAmerica_v4 (DE_rep_v4 192.145.116.0/22)
NY NY 185.187.243.230 blocked by pfB_Top_v4 (DE_rep_v4 185.187.243.0/24)
Dallas 107.158.15.75 passed
Atlanta 92.119.17.244 blocked by pfB_Top_v4 (GB_rep_v4 92.119.16.0/22)
Why is CA PR and DE, NY DE, and Atlanta GB???
Kill me, I don't know.
To make it even more spicy, I asked a couple of friends to ping me from different phones, located not in SF, and they were successful from AT&T and T-Mobile (!!!)
Anybody have a hypothesis?
-
@chudak Your FW Rules are only for TCP/IP, you need FW Rules to allow ICMP if you wanna use Ping.
You can search the GeoIP .txt files for the Networks that puzzle you.
There are probably good guides or posts on how to configure your pfSense to achieve your goals.
-
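The reply above suggests the whitelist pass rule may only cover TCP, so an ICMP ping never matches it and falls through to the GeoIP block rule. The following is an added example written for this thread, not pfSense or pf code, modelling pf's evaluation order (top to bottom, last match wins unless a rule is marked quick, which is the "Apply the action immediately on match" box mentioned later in the thread). The rule names come from the thread; the alias contents, the TCP-only restriction on the whitelist rule and the trailing allow_icmp rule are constructed assumptions used to show the two outcomes side by side.

```python
"""Toy model of pf rule evaluation: why a whitelist "on top" can still not pass ping.

Added example for this thread, not pfSense or pf code. pf semantics modelled:
  - rules are evaluated top to bottom;
  - the LAST matching rule wins, unless a matching rule is marked quick,
    in which case evaluation stops at that rule;
  - a rule matches only when protocol and source both match.
Rule names are the thread's; alias contents and the protocol restriction on the
whitelist rule are constructed assumptions, not the poster's real configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str              # "pass" or "block"
    quick: bool              # pfSense "Apply the action immediately on match"
    proto: Optional[str]     # "tcp", "udp", "icmp", or None for any protocol
    src: List[str]           # source CIDRs (an alias); empty list means any source

    def matches(self, proto: str, src_ip: str) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if not self.src:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.src)


def evaluate(rules: List[Rule], proto: str, src_ip: str,
             default: str = "block") -> Tuple[str, str]:
    """Return (action, rule name) using pf's last-match-wins-unless-quick logic."""
    winner = (default, "default")
    for rule in rules:
        if rule.matches(proto, src_ip):
            winner = (rule.action, rule.name)
            if rule.quick:
                break           # quick: stop evaluating, this rule decides
    return winner


# Constructed aliases (sample contents, not the real pfBlockerNG tables).
WHITELIST = ["172.58.88.0/21"]                       # range added via the report "+"
NAMERICA = ["172.58.88.0/21", "192.145.116.0/22"]    # two prefixes seen in the thread

# Hypothesis: whitelist rule restricted to TCP (thread mentions White_List_ports / port 80).
TCP_ONLY_RULESET = [
    Rule("pfB_Whitelist_v4", "pass", True, "tcp", WHITELIST),
    Rule("pfB_NAmerica_v4", "block", True, None, NAMERICA),
    Rule("allow_icmp", "pass", False, "icmp", []),
]

# Same order, whitelist rule covering any protocol.
ANY_PROTO_RULESET = [
    Rule("pfB_Whitelist_v4", "pass", True, None, WHITELIST),
    Rule("pfB_NAmerica_v4", "block", True, None, NAMERICA),
    Rule("allow_icmp", "pass", False, "icmp", []),
]

if __name__ == "__main__":
    for proto in ("tcp", "icmp"):
        print(proto, "tcp-only whitelist :", evaluate(TCP_ONLY_RULESET, proto, "172.58.94.230"))
        print(proto, "any-proto whitelist:", evaluate(ANY_PROTO_RULESET, proto, "172.58.94.230"))
    # A source outside the block alias reaches the later ICMP allow rule.
    print("icmp from 107.158.15.75:", evaluate(TCP_ONLY_RULESET, "icmp", "107.158.15.75"))
```

With the TCP-only whitelist, a TCP connection from 172.58.94.230 passes on the whitelist rule, but an ICMP echo skips it and is stopped by the quick pfB_NAmerica_v4 block before the ICMP allow rule is ever reached; widening the whitelist rule to any protocol makes the ping pass. The script is a model for reasoning about rule order, not a replacement for reading the generated rules on the box.
-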
@ronpfs said in Problem after pfBlockerNG-devel 3.0.0_16 update:
@chudak Your FW Rules are only for TCP/IP, you need FW Rules to allow ICMP if you wanna use Ping.
Of course I have a FW rule to allow ICMP, otherwise I wouldn't be able to ping at all!
You can search the GeoIP .txt files for the Networks that puzzle you.
There are probably good guides or posts on how to configure your pfSense to achieve your goals.
You seem to be suggesting a misconfiguration, which is possible. But I've provided detailed tests and settings that can be repeated and/or confirmed and/or proven wrong.
What exactly do you suspect is wrong with the settings based on what's shown?
One note: the same pfBNG configuration has been in use with no issues for a long time.
-
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
@ronpfs said in Problem after pfBlockerNG-devel 3.0.0_16 update:
@chudak said in Problem after pfBlockerNG-devel 3.0.0_16 update:
What does GeoIP PR mean?
Puerto Rico
grep "172.58.88." /usr/local/share/GeoIP/cc/*.txt
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/North_America_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/PR_v4.txt:172.58.88.0/21
/usr/local/share/GeoIP/cc/US_rep_v4.txt:172.58.88.0/21
Why Puerto Rico if I am in San Francisco CA?!
I am still struggling with this ....
Do you have an explanation why in your grep 172.58.88.0/21 is listed in 4 GeoIP lists (North_America, PR_v4, US_rep)?
-
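The grep in this thread searches the pfBlockerNG country files for the literal string "172.58.88.", which only finds lines that start with those octets; a covering /20 or /16 would not show up, and the same prefix appears in several lists (North_America_v4, PR_v4, US_rep_v4) because the continent list and the per-country and "_rep" lists are separate files. The following is an added example, not pfBlockerNG's own code: it resolves a source address against the lists with real CIDR containment and reports every list that covers it, most specific prefix first. The list contents are constructed to mirror the grep output and the test addresses quoted earlier in the thread; the /usr/local/share/GeoIP/cc/ path is the one from the thread, and load_lists_from_dir is a helper added here for running against a real box.

```python
"""Which pfBlockerNG GeoIP country lists contain a given source address?

Added example for this thread, not pfBlockerNG's own code. Instead of grepping
for a string prefix, parse each list as CIDRs and test containment, so a wider
covering prefix is found too. SAMPLE_LISTS is constructed from the thread's
grep output and test addresses; on pfSense, load_lists_from_dir() reads the real
files from /usr/local/share/GeoIP/cc/ (the path shown in the thread).
"""
import ipaddress
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed sample lists (file name -> file lines). The repeated
# North_America_v4 line is kept on purpose: the thread's grep shows it twice.
SAMPLE_LISTS: Dict[str, List[str]] = {
    "North_America_v4.txt": ["172.58.88.0/21", "172.58.88.0/21", "192.145.116.0/22"],
    "PR_v4.txt": ["172.58.88.0/21"],
    "US_rep_v4.txt": ["172.58.88.0/21"],
    "DE_rep_v4.txt": ["192.145.116.0/22", "185.187.243.0/24"],
    "GB_rep_v4.txt": ["92.119.16.0/22"],
}


def parse_networks(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse one list: skip blanks, comments and malformed lines; drop exact repeats."""
    seen = set()
    nets = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                      # not a CIDR; ignore rather than abort
        if net.version == 4 and net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def load_lists_from_dir(geoip_dir: str = "/usr/local/share/GeoIP/cc") -> Dict[str, List[str]]:
    """Read every *_v4.txt in a pfBlockerNG cc directory into the SAMPLE_LISTS shape."""
    return {p.name: p.read_text().splitlines()
            for p in sorted(Path(geoip_dir).glob("*_v4.txt"))}


def find_matches(ip: str, lists: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (list name, covering CIDR) pairs for ip, longest prefix first, then by name."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, lines in lists.items():
        for net in parse_networks(lines):
            if addr in net:
                hits.append((name, str(net)))
    hits.sort(key=lambda h: (-ipaddress.ip_network(h[1]).prefixlen, h[0]))
    return hits


def explain(ip: str, lists: Dict[str, List[str]] = SAMPLE_LISTS) -> str:
    """Human-readable summary of which lists would match a source address."""
    hits = find_matches(ip, lists)
    if not hits:
        return f"{ip}: not in any loaded GeoIP list"
    return f"{ip}: " + ", ".join(f"{name} ({cidr})" for name, cidr in hits)


if __name__ == "__main__":
    # The five addresses tested from NordVPN exits earlier in the thread.
    for test_ip in ("172.58.94.230", "192.145.118.74", "185.187.243.230",
                    "107.158.15.75", "92.119.17.244"):
        print(explain(test_ip))
```

Run as-is it reports, for example, that 172.58.94.230 falls in North_America_v4, PR_v4 and US_rep_v4 via the same /21, and that 107.158.15.75 is in none of the sample lists, matching the "passed" result in the thread. To check a live box, replace SAMPLE_LISTS with load_lists_from_dir(); which country a "_rep" list encodes is a question for the GeoIP2 notes linked from the pfBlockerNG GeoIP tab, not something this script decides.
-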
@chudak
From any GeoIP tab : Click here for IMPORTANT info --> What's new in GeoIP2
-
@ronpfs said in Problem after pfBlockerNG-devel 3.0.0_16 update:
@chudak
From any GeoIP tab : Click here for IMPORTANT info --> What's new in GeoIP2
Cool, so far I don't see what's wrong. Do you?
I had a chat with MaxMind support and one thing jumped out at me: "it looks like the "registered country" for that IP address range is Germany. I'm wondering if pfSense is looking at that instead of the "country""
That's interesting
It'd be good to have a NordVPN and GeoIP user here to confirm this....