Netgate Discussion Forum

MaxMind configuration to update list GeoIP

    dwalter
    last edited by Aug 25, 2021, 1:02 PM

    Hello everyone,

    I finally achieved my installation of pfBlockerNG and I saw that I have to use MaxMind to get the GeoIP functionality.
    I have registered and put the key in my pfsense but when I go in GeoIP here is the message:

    MaxMind now requires a free Registered account to download the MaxMind GeoIP Database! Review the General Tab: MaxMind settings for more details.
    
    After saving the new MaxMind License Key, a Force Update is required to download the MaxMind database.
    
    Save button is disabled! 
    

    Ok so I go to the right menu to force an update but here are the messages:

    
    **Saving configuration [ 08/18/21 15:48:22 ] ...
    
      Removing DB Files/Folders 
    
    **Saving configuration [ 08/18/21 15:48:25 ] ...
    
      Removing DB Files/Folders 
    
    **Saving configuration [ 08/19/21 08:36:42 ] ...
    
      Removing DB Files/Folders 
    
    **Saving configuration [ 08/19/21 08:54:12 ] ...
    
      Removing DB Files/Folders 
    
    **Saving configuration [ 08/19/21 08:55:46 ] ...
    
      Removing DB Files/Folders 
    
    **Saving configuration [ 08/19/21 09:05:58 ] ...
    
    MaxMind Database downloading and processing ( approx 4MB ) ... Please wait ...
    
    Download Process Starting [ 08/19/21 09:05:58 ]
     /usr/local/share/GeoIP/GeoLite2-Country.tar.gz		401 Unauthorized
    
    Failed to Download GeoLite2-Country.mmdb
     /usr/local/share/GeoIP/GeoLite2-Country-CSV.zip		401 Unauthorized
    
    Failed to Download 
    Download Process Ended [ 08/19/21 09:05:59 ]
    
    

    Do you have any idea? Key problem? I've just generated a new key but still...

    Thanks a lot

      dwalter
      last edited by Aug 30, 2021, 9:34 AM

      Hello,

      Due to the lack of answer :) I'm continuing my investigations. Do I have to open special ports to one special address? I saw this one on a forum (that I don't remember...): download.maxmind.com

      Thanks for your help

        SteveITS Galactic Empire @dwalter
        last edited by Aug 30, 2021, 3:16 PM

        @dwalter "Unauthorized" sounds like you connected but they didn't like the key... Did you use the right key version? The steps we have are:

        • https://www.maxmind.com/en/geolite2/signup
        • Click "Generate new license key"
        • Enter a "License key description", Select "yes" for "GeoIP Update", and select the License key for "version 3.1.1 or newer" and confirm.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!
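
Added example (not part of the thread and not pfBlockerNG code): a small triage helper for the update-log format quoted in the first post. It separates "the server answered and refused the credential" (the 401 case discussed above) from "no HTTP answer at all"; the returned labels and the assumption that other statuses are logged in the same shape are this example's own.

```python
import re

# Constructed sample: the download section of the update log quoted in the
# first post of this thread (tabs separate the path from the HTTP status).
SAMPLE_LOG = """\
Download Process Starting [ 08/19/21 09:05:58 ]
 /usr/local/share/GeoIP/GeoLite2-Country.tar.gz\t\t401 Unauthorized

Failed to Download GeoLite2-Country.mmdb
 /usr/local/share/GeoIP/GeoLite2-Country-CSV.zip\t\t401 Unauthorized

Failed to Download
Download Process Ended [ 08/19/21 09:05:59 ]
"""

# Result line: <absolute target path> <whitespace> <3-digit status> <reason>.
# Only the 401 form appears in the thread; other statuses are assumed to be
# logged in the same shape.
RESULT_RE = re.compile(r"^\s*(/\S+)\s+(\d{3})\s+(.*\S)\s*$")


def parse_results(log_text):
    """Return [(target_path, http_status, reason), ...] for each download."""
    results = []
    for line in log_text.splitlines():
        match = RESULT_RE.match(line)
        if match:
            results.append((match.group(1), int(match.group(2)), match.group(3)))
    return results


def diagnose(log_text):
    """Map a log excerpt to a coarse cause (labels are this example's own)."""
    codes = {status for _, status, _ in parse_results(log_text)}
    if not codes:
        # No status line at all: either no download ran or nothing answered
        # over HTTP, so check DNS, routing or outbound filtering first.
        return "no-http-response"
    if codes & {401, 403}:
        # The server was reached and refused the credential: firewall ports
        # are not the problem, the key or the client's use of it is.
        return "credential-rejected"
    if codes == {200}:
        return "ok"
    return "other-http-error"


if __name__ == "__main__":
    for path, status, reason in parse_results(SAMPLE_LOG):
        print(f"{status} {reason:<14} {path}")
    print("diagnosis:", diagnose(SAMPLE_LOG))
```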

          dwalter @SteveITS
          last edited by Aug 30, 2021, 3:55 PM

          @steveits Thanks for your answer. I tried once again and we agree that I just have to put the license key in the "MaxMind License Key" under "MaxMind GeoIP Settings" of the General tab of pfBlockerNG's plugin?

          Nothing more?

          Thanks a lot

            SteveITS Galactic Empire @dwalter
            last edited by Aug 30, 2021, 4:07 PM

            @dwalter Oh do you have pfBlockerNG or pfBlockerNG-devel? After the key was required (Jan. 2020?) I couldn't get MaxMind to work on any pfBlockerNG installs so updated all our clients to pfBlockerNG-devel. In pfBlockerNG-devel it's on the IP tab. Despite the name I've read posts by the package maintainer recommending to use pfBlockerNG-devel, so have used that for a couple years now.

              dwalter @SteveITS
              last edited by Aug 30, 2021, 4:10 PM

              @steveits Thanks! I will check. Indeed I'm using pfBlockerNG 2.1.4_23

              Thanks a lot

                johnpoz LAYER 8 Global Moderator @dwalter
                last edited by Aug 30, 2021, 5:58 PM

                Yeah you should be using development version.. I use maxmind for geoip, after creating account and putting in info haven't had any problems. Been using it for long time..

                key.jpg

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  SteveITS Galactic Empire @dwalter
                  last edited by Aug 30, 2021, 8:21 PM

                  @dwalter said in MaxMind configuration to update list GeoIP:

                  pfBlockerNG 2.1.4_23

                  The -devel version is 3.x. I've been using that so long I am starting to forget there is another version. Somewhere in the sticky thread on MaxMind I posted I couldn't get it to work with the non-devel version, and never did despite a few tries.

                    dwalter @SteveITS
                    last edited by Aug 31, 2021, 7:37 AM

                    @steveits @johnpoz Thanks a lot for your answers. Indeed it seems to work better with the -devel plugin

                    If I may, I would have one last question to be sure I can do what I need with this plugin.

                    I need to restrict access (only authorize French or at least European) to one server in one VLAN where my pfsense has a LAN interface. Is it possible to apply this configuration only to an interface? I have followed this tutorial and it seems right: https://protectli.com/kb/how-to-setup-pfblockerng/

                    Thanks

                      johnpoz LAYER 8 Global Moderator @dwalter
                      last edited by johnpoz Aug 31, 2021, 12:09 PM Aug 31, 2021, 12:08 PM

                      @dwalter said in MaxMind configuration to update list GeoIP:

                      I need to restrict access (only authorize French or at least European) to one server in one VLAN where my pfsense has a LAN interface

                      Sure you can use the geoip data to create whatever aliases you want, then include those aliases in your rules to either only let devices on your network to go there, or in the case of a port forward to something behind, only allow source of those IPs.

                      I use for example an alias to only allow US IPs, and Morocco IPs (one of my users is currently teaching in Casablanca) to talk to my plex server. Well I also allow some checking IP, the plex ones that check to see if plex is available remote, and then the IPs that are used for monitoring service (status cake) so I get an alert if my plex is not available.

                      You create the alias with the feeds you want to use, and then use that alias in a rule.

                      geoip.jpg

                      You can always look in your table to see what IPs are in the alias

                      table.jpg

                        SteveITS Galactic Empire @johnpoz
                        last edited by Aug 31, 2021, 2:21 PM

                        @johnpoz said in MaxMind configuration to update list GeoIP:

                        create the alias with the feeds you want to use

                        John is correct, just wanted to note for you that this is accomplished via "Alias Native" which creates an alias without a deny rule.
