Netgate Discussion Forum
    Country vs Registered country

    • P
      pierr0t
      last edited by

      Re: PfBlockerNG GeoIP lists show multiple lines for each country

      Hello,

      New here, very far away from being a guru, I will try to explain my problem in English (French being my main language).
      I have a pfSense + pfBlockerNG on which I am blocking all countries but France and USA. On my computer I am using a Mullvad VPN and of course I'm trying my new settings by changing my Mullvad locations and it's giving me weird results so I tried many things and discovered that Mullvad IPs have completely different "country" and "registered country" in the GeoLite database, for example:

      For an "Irish" IP (I just kept the relevant data, structure is broken):

      curl -u "xxxxxxx:xxxxxxxxx" \
        "https://geolite.info/geoip/v2.1/country/me?pretty"
      "country": {
      "is_in_european_union": true,
      "iso_code": "IE",
      "geoname_id": 2963597,
      "names": {
      "en": "Ireland"
      "registered_country": {
      "is_in_european_union": true,
      "iso_code": "RO",
      "geoname_id": 798549,
      "names": {
      "en": "Romania"

      For a Swiss IP the country is Switzerland but the registered country is Sweden, for a US IP the country is USA but the registered country is United Kingdom and so on ... even if I choose a French IP, country is France but registered country is Sweden (home of Mullvad by the way).

      I guess my first question: which one, "country" or "registered country", does pfBlockerNG use when I choose to block Ireland, for example?

      Now on my pfBlockerNG, as I said I blocked the whole world by doing "Deny both" on absolutely all the 9 lines in GeoIP summary and then I unchecked just France + France_rep (in Europa) and USA + USA_rep (in North America) to allow these 2 countries ... result is weird: without my VPN I can access my server behind the firewall, if I activate my VPN, I cannot access anything if I choose a French location, a US location, a Swiss location but if I choose the Irish location, I am back accessing the server ...
      So my first explanation was that pfBlockerNG was using the registered country, which would explain that forbidding by country name with the VPN would return unexpected results, but the test with Ireland broke that reasoning (because the registered country for Ireland is Romania, which is also supposedly blocked) and I am at a loss to find a logical explanation ...
      I read that blocking the whole world is not the best way of doing things (I should maybe instead permit France and USA?) but nevertheless I really would like to understand what I am doing wrong here ...
      Thanks for listening,
      Pierre

      • S
        SteveITS Galactic Empire @pierr0t
        last edited by

        @pierr0t IPv4 address blocks are often sold and resold. Therefore the location data changes over time. If you look up an IP on something like iplocation.net (random site) it uses multiple databases and I find sometimes all of them agree, and other times the answers are wildly different. We do have a client with a Calyptix router, where someone in Ireland was detected as a French IP so we had to allow France (or at least that IP, I don't recall).

        I would hope MaxMind would use the location where the IP is, rather than who owns/registered it? I do not know specifically. Sorry I am not much help there.

        re: blocking the world:

        • block all but one country: all IPs are loaded into your firewall's RAM and compared to each packet

        • allow one country: only one country's IPs are loaded into your firewall

        That's why allowing is usually more efficient.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • P
          pierr0t @SteveITS
          last edited by pierr0t

          @steveits

          Thanks for reading and answering.

          To explain a little bit more: the results I gave are from querying the GeoLite database from MaxMind, so to answer your question, Maxmind does not choose, it gives all the information, both "country" and "registered country" and even "represented country" (as explained in the thread I used as a reference to start this one).
          Now what I am wondering is what does pfBlockerNG do with that info. When I ask to block "Ireland", how does pfBlockerNG get IPs from Ireland? It collects all IPs with "Ireland IR" in "country" or all IPs with "Ireland IR" in "registered country" ... I guess this is a choice made by pfBlockerNG, not Maxmind, unless I am totally misunderstanding the process ...
          Of course if pfBlockerNG is using the latter (registered country), testing through that kind of VPN becomes impossible, I would have to allow Romania to authorize Switzerland, not very practical.

          Thanks !
          Pierre

          • P
            pierr0t @pierr0t
            last edited by

            Hello,

            I made some more tests.

            For example, using my Mullvad VPN I choose a Swiss location in Zürich, the provided IP is: 193.32.127.221

            If I query Maxmind Geolite 2 I get:

            • country: CH (Switzerland)
            • registered_country: SE (Sweden)

            In pfBlockerNG, if I authorize only Switzerland, I'm blocked, if I authorize Sweden I can go through ...

            Conclusion: pfBlockerNG is using the "registered_country" to authorize countries but should use "country" which reflects in a more reliable way the country where the IP is used ... not the country where the IP was purchased ...

            Am I understanding the things properly ?
            Thanks.
            Pierre.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @pierr0t
              last edited by johnpoz

              @pierr0t said in Country vs Registered country:

              Am I understanding the things properly ?

              If your understanding is that geoip info is a changing target and no db is going to be 100% accurate then yeah your understanding is correct ;)

              But sure in such a scenario as your example it would be better to use the country vs registered - but does every IP in the db provide this info? I would think not.. But maybe @BBcan177 could make some adjustments to use country if provided?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • NogBadTheBadN
                NogBadTheBad @pierr0t
                last edited by NogBadTheBad

                @pierr0t said in Country vs Registered country:

                Conclusion: pfBlockerNG is using the "registered_country" to authorize countries but should use "country" which reflects in a more reliable way the country where the IP is used ... not the country where the IP was purchased ...

                But what happens if company XYZ buys a block of address space and uses some of it elsewhere, Maxmind don't know what's used where ?

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @NogBadTheBad
                  last edited by

                  @nogbadthebad said in Country vs Registered country:

                  Maxmind don't know what's used where ?

                  Not right away that is for sure - we sold off some of our /16 space while back, and it was now being used in the middle east vs the US.. And it did take a while for that info to get updated. To be honest I would have to check - maybe its still wrong ;)

                  • NogBadTheBadN
                    NogBadTheBad @johnpoz
                    last edited by

                    @johnpoz said in Country vs Registered country:

                    @nogbadthebad said in Country vs Registered country:

                    Maxmind don't know what's used where ?

                    Not right away that is for sure - we sold off some of our /16 space while back, and it was now being used in the middle east vs the US.. And it did take a while for that info to get updated. To be honest I would have to check - maybe its still wrong ;)

                    Indeed I used to work for a company that had xx.0.0.0/8 and now some of it is used by Microsoft.

                    Andy

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @NogBadTheBad
                      last edited by

                      @nogbadthebad I just checked, and the first range that was sold is updated to the new company and country looks correct from what I remember being told where the IPs were going to be used just in conversation when the sale was taking place.

                      But it was sold off in multiple different size blocks, so would have to check some other ranges to see if they are all up to date.

                      While in general - I think a really good attempt is made to be correct.. But there are always going to be inconsistencies to be found

                      • NogBadTheBadN
                        NogBadTheBad @pierr0t
                        last edited by NogBadTheBad

                        @pierr0t said in Country vs Registered country:

                        Now on my pfBlockerNG, as I said I blocked the whole world by doing "Deny both" on absolutely all the 9 lines in GeoIP summary and then I unchecked just France + France_rep (in Europa) and USA + USA_rep (in North America) to allow these 2 countries ... result is weird: without my VPN I can access my server behind the firewall, if I activate my VPN, I cannot access anything if I choose a French location, a US location, a Swiss location but if I choose the Irish location, I am back accessing the server ...

                        Don't block the whole world using pfBlocker alias, create a rule to deny all and above create a rule to allow what you want using a pfBlocker alias.

                        If you deny all with a pfblocker alias you'll have a massive alias that every packet will need to traverse.

                        Andy

                        • P
                          pierr0t @NogBadTheBad
                          last edited by

                          @nogbadthebad

                          Hello,

                          Well it seems that Maxmind does know pretty well, I tested a lot of the IPs provided by the Mullvad VPN and Maxmind is always returning the proper "country" (i.e. "country" shows the country where Mullvad pretends to be for that IP and a site like iplocation.net does as well), but Maxmind does also return the "registered_country" which seems to be where the IP was originally purchased and there is also (but not always) a "represented_country" (used when the IP address belongs to something like a military base) ...
                          But to summarize, I think that pfBlockerNG should use "country" and not "registered_country" to reflect where the IP is really used. In my case I had to authorize "Sweden" to be able to use an IP used in Zürich, Switzerland.

                          Pierre.

                          • NogBadTheBadN
                            NogBadTheBad @pierr0t
                            last edited by

                            @pierr0t Care to share a few of the ip addresses you checked against?

                            Andy

                            • P
                              pierr0t @NogBadTheBad
                              last edited by

                              @nogbadthebad

                              For example the one I am currently using, Mullvad VPN Zürich, Switzerland, this is the answer from GeoLite:

                              curl -u "xxxxxxx:xxxxxxxxx" \
                                "https://geolite.info/geoip/v2.1/country/193.32.127.221?pretty"
                              {
                                  "continent": {
                                      "code": "EU",
                                      "geoname_id": 6255148,
                                      "names": {
                                          "ru": "Европа",
                                          "zh-CN": "欧洲",
                                          "de": "Europa",
                                          "en": "Europe",
                                          "es": "Europa",
                                          "fr": "Europe",
                                          "ja": "ヨーロッパ",
                                          "pt-BR": "Europa"
                                      }
                                  },
                                  "country": {
                                      "iso_code": "CH",
                                      "geoname_id": 2658434,
                                      "names": {
                                          "pt-BR": "Suíça",
                                          "ru": "Швейцария",
                                          "zh-CN": "瑞士",
                                          "de": "Schweiz",
                                          "en": "Switzerland",
                                          "es": "Suiza",
                                          "fr": "Suisse",
                                          "ja": "スイス連邦"
                                      }
                                  },
                                  "registered_country": {
                                      "is_in_european_union": true,
                                      "iso_code": "SE",
                                      "geoname_id": 2661886,
                                      "names": {
                                          "ja": "スウェーデン王国",
                                          "pt-BR": "Suécia",
                                          "ru": "Швеция",
                                          "zh-CN": "瑞典",
                                          "de": "Schweden",
                                          "en": "Sweden",
                                          "es": "Suecia",
                                          "fr": "Suède"
                                      }
                                  },
                                  "traits": {
                                      "ip_address": "193.32.127.221",
                                      "network": "193.32.127.0/24"
                                  }
                              }
                              

                              Mullvad tells me I am in Switzerland but I have to authorize Sweden to go through pfBlockerNG :-)
                              Pierre

                              1 Reply Last reply Reply Quote 0
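The difference discussed in the posts above, as an added example that is not part of the original thread and is not pfBlockerNG's code: it builds per-country CIDR lists from rows in the GeoLite2-Country CSV column layout, once from `geoname_id` (location) and once from `registered_country_geoname_id`, then checks the Zürich address against an allow-list under each. The function names are hypothetical, the rows are constructed (geoname IDs and 193.32.127.0/24 come from the thread, the other networks are RFC 5737 documentation ranges), and which column pfBlockerNG actually reads is not established here.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample data in the GeoLite2-Country CSV column layout.
# Geoname IDs and 193.32.127.0/24 come from the thread; the other networks
# are RFC 5737 documentation ranges used as stand-ins.
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2658434,en,EU,Europe,CH,Switzerland,0
2661886,en,EU,Europe,SE,Sweden,1
2963597,en,EU,Europe,IE,Ireland,1
798549,en,EU,Europe,RO,Romania,1
"""

BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
193.32.127.0/24,2658434,2661886,,0,0
192.0.2.0/24,2963597,798549,,0,0
198.51.100.0/24,2661886,2661886,,0,0
203.0.113.0/24,,2658434,,0,0
"""


def _rows(text):
    return csv.DictReader(io.StringIO(text))


def load_iso_by_geoname(locations_csv):
    """Map geoname_id -> ISO country code."""
    return {r["geoname_id"]: r["country_iso_code"] for r in _rows(locations_csv)}


def build_country_lists(blocks_csv, iso_by_id, field, fallback=None):
    """Group networks by ISO code using column `field`.

    If `field` is empty for a row and `fallback` is given, use that column
    instead (some rows carry only a registered country).
    """
    lists = defaultdict(list)
    for row in _rows(blocks_csv):
        gid = row[field] or (row[fallback] if fallback else "")
        iso = iso_by_id.get(gid)
        if iso:
            lists[iso].append(ipaddress.ip_network(row["network"]))
    return dict(lists)


def is_allowed(ip, allowed_isos, country_lists):
    """True if `ip` falls in any network listed for an allowed country."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net
               for iso in allowed_isos
               for net in country_lists.get(iso, []))


def mismatches(blocks_csv, iso_by_id):
    """Networks whose location country and registered country differ."""
    out = []
    for row in _rows(blocks_csv):
        loc = iso_by_id.get(row["geoname_id"])
        reg = iso_by_id.get(row["registered_country_geoname_id"])
        if loc and reg and loc != reg:
            out.append((row["network"], loc, reg))
    return out


if __name__ == "__main__":
    iso = load_iso_by_geoname(LOCATIONS_CSV)
    for field in ("geoname_id", "registered_country_geoname_id"):
        lists = build_country_lists(BLOCKS_CSV, iso, field)
        for allow in ({"CH"}, {"SE"}):
            verdict = is_allowed("193.32.127.221", allow, lists)
            print(f"{field:32} allow={sorted(allow)} -> {verdict}")
    for net, loc, reg in mismatches(BLOCKS_CSV, iso):
        print(f"{net}: located {loc}, registered {reg}")
```

Running `mismatches` over a real blocks file before enabling a country allow-list shows which ranges would land in a different country list depending on the column used.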
                              • P
                                pierr0t @NogBadTheBad
                                last edited by

                                @nogbadthebad

                                Regarding this specific remark (about denying all and just authorizing specific country): I know, I just have to do it ... but it's a very low traffic firewall so I'm in no hurry ...

                                Pierre.

                                • NogBadTheBadN
                                  NogBadTheBad @pierr0t
                                  last edited by NogBadTheBad

                                  @pierr0t

                                  andyk@mac-pro ~ % whois 193.32.127.221   
                                  % IANA WHOIS server
                                  % for more information on IANA, visit http://www.iana.org
                                  % This query returned 1 object
                                  
                                  refer:        whois.ripe.net
                                  
                                  inetnum:      193.0.0.0 - 193.255.255.255
                                  organisation: RIPE NCC
                                  status:       ALLOCATED
                                  
                                  whois:        whois.ripe.net
                                  
                                  changed:      1993-05
                                  source:       IANA
                                  
                                  # whois.ripe.net
                                  
                                  inetnum:        193.32.127.0 - 193.32.127.255
                                  netname:        NET-31173-193-32-127
                                  country:        CH
                                  geoloc:         47.3631 8.5414
                                  language:       de
                                  descr:          31173 Services AB infrastructure in Zurich, Switzerland.
                                  org:            ORG-SS1087-RIPE
                                  admin-c:        SS36127-RIPE
                                  tech-c:         SS36127-RIPE
                                  abuse-c:        SS36127-RIPE
                                  status:         ASSIGNED PA
                                  mnt-by:         ESAB-MNT
                                  created:        2020-05-04T09:36:06Z
                                  last-modified:  2020-05-05T11:40:13Z
                                  source:         RIPE
                                  
                                  organisation:   ORG-SS1087-RIPE
                                  org-name:       31173 Services Switzerland
                                  org-type:       OTHER
                                  geoloc:         47.3631 8.5414
                                  language:       de
                                  address:        31173 Services AB
                                  address:        c/o Interxion
                                  address:        S?gereistrasse 35
                                  address:        Glattbrugg
                                  address:        8152 Opfikon
                                  address:        Switzerland
                                  admin-c:        SS36127-RIPE
                                  tech-c:         SS36127-RIPE
                                  mnt-by:         ESAB-MNT
                                  mnt-ref:        ESAB-MNT
                                  created:        2020-05-04T09:00:26Z
                                  last-modified:  2020-05-05T11:29:32Z
                                  source:         RIPE # Filtered
                                  
                                  role:           31173 Services Switzerland
                                  address:        31173 Services AB
                                  address:        c/o Interxion
                                  address:        S?gereistrasse 35
                                  address:        Glattbrugg
                                  address:        8152 Opfikon
                                  address:        Switzerland
                                  abuse-mailbox:  abuse-cust-ch@31173.se
                                  admin-c:        NEMO1-RIPE
                                  tech-c:         KPE-RIPE
                                  nic-hdl:        SS36127-RIPE
                                  mnt-by:         ESAB-MNT
                                  created:        2020-05-04T08:48:30Z
                                  last-modified:  2020-05-04T08:48:30Z
                                  source:         RIPE # Filtered
                                  
                                  % Information related to '193.32.127.0/24AS39351'
                                  
                                  route:          193.32.127.0/24
                                  origin:         AS39351
                                  mnt-by:         ESAB-MNT
                                  created:        2019-11-03T16:35:41Z
                                  last-modified:  2020-05-04T09:37:52Z
                                  source:         RIPE
                                  
                                  % This query was served by the RIPE Database Query Service version 1.106.1 (ABERDEEN)
                                  
                                  
                                  andyk@mac-pro ~ % 
                                  
                                  

                                  Go here and pop in the IP address or AS number:-

                                  https://hackertarget.com/as-ip-lookup/

                                  The whois reports Services AB infrastructure in Zurich, Switzerland and the IP/ASN reports ESAB-AS, SE.

                                  When you do the AS number it reports 193.32.127.0/24 as belonging to ESAB-AS, SE to the right.

                                  Looks to me like it's a Swedish company hosting a server in Switzerland.

                                  Andy

                                  • P
                                    pierr0t @NogBadTheBad
                                    last edited by

                                    @nogbadthebad

                                    Yes exactly, IP is being used in Switzerland but was purchased in Sweden (Mullvad being a Swedish company).

                                    Maxmind reports it properly, the question is how does pfBlockerNG use that info, for me it should use the "country" info instead of the "registered_country" info ... but I guess that only the author of pfBlockerNG could tell me if my diagnosis is true or not.

                                    Pierre

                                    • S
                                      SteveITS Galactic Empire @pierr0t
                                      last edited by

                                      @pierr0t If BBCan177 doesn't find this thread you could create a bug/feature request at redmine.pfsense.org. If it's not a bug, possibly it could be added as a separate list like "rep" is separate, although it would basically double the size of the existing "all IPs in ___" list if they are listed twice and people allow two. A bit more flexible but more confusing.

                                      IOW does the Swedish company just happen to put their servers in a data center in Switzerland and they are using it? Is a particular block from an ISP that works across borders? Many possibilities.

                                      Allowing your own IP is a bit easier...can be done for one, if you create a dynamic DNS hostname and allow the hostname.

                                      • NogBadTheBadN
                                        NogBadTheBad
                                        last edited by

                                        @nogbadthebad You could maybe use the provider's ASN number, they only use 4 providers in Switzerland:-

                                        Screenshot 2023-04-28 at 15.05.31.png

                                        Andy

                                        • P
                                          pierr0t @NogBadTheBad
                                          last edited by

                                          @nogbadthebad

                                          Yes but at the same time, it's not really me, it's pfBlockerNG ... I understand I could create rules using the ASN but if I use pfBlockerNG it would be nice if they were using "country" instead of "registered_country" ... Anyway I will try to open a feature request/bug as suggested by @SteveITS :-)
                                          Thks.
                                          Pierre

                                          • NogBadTheBadN
                                            NogBadTheBad @pierr0t
                                            last edited by

                                            @pierr0t

                                            The following would work but it's every Mullvad endpoint:-

                                            Screenshot 2023-04-28 at 16.09.20.png

                                            Andy

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.