HAProxy GeoIP
-
@johnpoz I changed the pfsense web interface port to 10443. Without filtering by country, the web application opens correctly from outside the home network
-
@aes4096 well yeah why wouldn't it - your lan rules allow any any most likely.
Don't do any filtering in haproxy by IP.. Just create your firewall rule that allows source of Russia IPs like you have.. I can then try to open it if you pm the fqdn.. I can tell you if I can get there ;) I am for sure not coming from a Russia IP ;)
Keep in mind there is no geoip list out there that is 100% accurate.. They might include IPs that are not in the actual country, or they might be missing some IPs that are.. Geoip lists are never going to be 100% accurate..
Keep in mind your rule is an allow, so under that needs to be a block.. Not sure what your other rules are allowing, they might allow the other IPs.
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
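To make the top-down, first-match point concrete, here is a small added example (my own illustration, not code from this thread or from pfSense/pfBlockerNG) that evaluates a constructed ruleset the way pfSense does and shows why a block rule is needed directly under the GeoIP allow. The alias ranges and port are invented for the example.

```python
import ipaddress

# Constructed stand-in for a pfBlockerNG country alias. These ranges are
# documentation/test networks, NOT real Russian allocations.
RUSSIA_ALIAS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

WEB_PORT = 10443  # the relocated web GUI port from the thread

def in_alias(ip, alias):
    """True if ip falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)

def evaluate(rules, src_ip, dst_port):
    """pfSense semantics: rules are walked top down and the first rule
    that matches decides; nothing below it is consulted.
    A rule is (action, source_alias or None, destination port or None);
    None means 'any'."""
    for action, alias, port in rules:
        if alias is not None and not in_alias(src_ip, alias):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "block"  # implicit default deny when nothing matches

# Weak ruleset: the GeoIP allow is followed by a broad allow, so a
# non-Russian source still reaches the web port via the second rule.
WEAK = [
    ("pass", RUSSIA_ALIAS, WEB_PORT),
    ("pass", None, None),
]

# Corrected ruleset: an explicit block for the web port sits directly
# under the GeoIP allow, so only alias sources reach it; other traffic
# is still governed by whatever rules follow.
FIXED = [
    ("pass", RUSSIA_ALIAS, WEB_PORT),
    ("block", None, WEB_PORT),
    ("pass", None, None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        for src in ("203.0.113.10", "192.0.2.5"):
            print(name, src, "->", evaluate(rules, src, WEB_PORT))
```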
-
@johnpoz I think I did it using pfBlockerNG. Sent the link in private messages. Check availability please
-
@aes4096 just did I can't get to that site. just times out
I sent you my IP you should see in the logs
And the IP I resolved it to - to validate I was resolving the url you sent me to the correct IP.. Your TTL is pretty long if that is a dynamic IP.
-
@johnpoz yes, blocking is successful. From mobile operators from Russia it opens correctly as intended. It also opened for me from outside the local network. Looks like the problem is now resolved. My IP is static. I don't know why the TTL is so long. Probably due to the long distance. Perhaps there are blockages and restrictions somewhere on the part of backbone providers on the way to Russia.
Just out of curiosity, I'll check this list again. But pfBlockerNG must update itself, unlike other lists. I had to ask a friend from Kazakhstan to create a Maxmind account, because in Russia I could not create one even through a VPN
-
@aes4096 no the TTL of the dns record.. 86400 seconds is 24 hours.. But if you're static then not a problem and longer TTL is better..
As to creating a maxmind account to be able to pull the geoip lists from them - I am not aware of any restrictions they would have for creating an account? But guess that is possible?
But if you could not create one coming from a vpn IP, that would seem not like a restriction based on location, but maybe email address? Or guess they could block vpn IPs as well?
I would suggest contacting their support.
We do have a few users here from Russia - might want to post in the lang section if anyone has had issues creating a maxmind account.
-
@johnpoz I tried to create an account six months ago on a Russian mail domain, but it didn’t work. I had to ask a person from another country to help. As a result, I created an account on Google mail. I'll try again in my spare time. Perhaps I was doing something wrong.
But the GeoIP lists downloaded without problems. Then it’s a strange coincidence that the account is not created, but the lists are downloaded.
-
@aes4096 I am not 100% on the details of what exactly can and can not be accessed from maxmind without an account.. Notice you can disable the csv downloads, but there is a blurb about that doesn't affect the binary downloads?
Looking at my maxmind account - I can see the download history, and the api key used to download, etc.
It's quite possible some geoip stuff is available, maybe it's just not updated as often? I haven't really had to dig into the details because I just never had a need to. Mine has always worked, but as you can see from the date when I created that api it was many years ago.
Notice in the blurb where you put in your maxmind details about specific version to register for, etc. 3.1.1 or something or newer.
-
@johnpoz In the screenshot below, access is denied when updating. Or is it like this for everyone?