Netgate Discussion Forum

    Allow access from Europe

    General pfSense Questions
    • chudak

      Hello all

      I will be traveling in Europe and need to make sure I can access my home router.

      I do use pfBlockerNG.
      In the past, I would disable in GeoIP countries:
      Top Spammers
      Europe

      I never was able to successfully enable individual countries.

      More importantly, how do people test this connectivity from the US?

      TIA

      • AndyRH

        I use a VPN to "be" where I am going to make sure it works.

        o||||o
        7100-1u

        • chudak @AndyRH

          @AndyRH said in Allow access from Europe:

          I use a VPN to "be" where I am going to make sure it works.

          How can you use a VPN if you are blocking foreign access to your server (assuming you do do it)?

          IMO you will not be able to connect unless you do some unblocking

          • AndyRH

            Sorry, that confuses me. You want to go somewhere and you want to test if you can connect from there. Why would you block where you want to be while you are testing access from that place?
            If you keep blocking you will successfully test that it does not work.

            Or I am totally missing the question and I should hit delete on these messages.

            o||||o
            7100-1u

            • chudak @AndyRH

              @AndyRH said in Allow access from Europe:

              Sorry, that confuses me. You want to go somewhere and you want to test if you can connect from there. Why would you block where you want to be while you are testing access from that place?
              If you keep blocking you will successfully test that it does not work.

              Or I am totally missing the question and I should hit delete on these messages.

              Say you are blocking access from Germany.
              You are in the US now, but will travel to Germany soon
              You unblocked Germany (that's what I want to clarify how to do so, but let's assume you did it)

              Makes sense?

              • NogBadTheBad @chudak

                @chudak I do it slightly differently: I do a Geo block on a bunch of countries and allow IPsec from everywhere else.

                Screenshot 2024-07-30 at 17.04.45.png

                But if you wanted to enable certain countries you'd use something like my disabled ssh / sftp rule.

                Screenshot 2024-07-30 at 17.06.05.png

                Screenshot 2024-07-30 at 17.07.02.png

                You just need to enable the country pre-visit and hope the country is in the alias.

                Is your issue the rule order in pfBlocker?

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • stephenw10 Netgate Administrator

                  One option is to set up a dyndns account and always allow access from that. Then you can always update it from wherever you are and connect from there as a fallback option. Though you may have to wait for it to update at the pfSense end.

                  • chudak @NogBadTheBad

                    @NogBadTheBad

                    I think my issue is pfBlockerNG

                    Thx it's very interesting.

                    I need to allow OpenVPN only.
                    I suspect Tailscale does not care.

                    And do you test?

                    • chudak @stephenw10

                      @stephenw10 said in Allow access from Europe:

                      One option is to set up a dyndns account and always allow access from that. Then you can always update it from wherever you are and connect from there as a fallback option. Though you may have to wait for it to update at the pfSense end.

                      I don't get it.
                      Can you elaborate?

                      I have DDNS names already set up

                      • stephenw10 Netgate Administrator

                        Install the dyndns client on your laptop, for example. Then run the update from wherever you are. Have a rule that passes traffic from that above the pfBlocker block rules.

                        • chudak @stephenw10

                          @stephenw10 said in Allow access from Europe:

                          Install the dyndns client on your laptop, for example. Then run the update from wherever you are. Have a rule that passes traffic from that above the pfBlocker block rules.

                          I see

                          Wonder if I can do this trick using the same DDNS name on different machines: iPhone, iPad etc?

                          What I am not clear on is - why do you think that the FW rules will win over pfBlockerNG block, if used from overseas.

                          • stephenw10 Netgate Administrator @chudak

                            @chudak said in Allow access from Europe:

                            why do you think that the FW rules will win over pfBlockerNG block, if used from overseas.

                            You have to put them above the pfBlocker rules as I said. Otherwise pfBlocker will obviously block that traffic first.

                            @chudak said in Allow access from Europe:

                            Wonder if I can do this trick using the same DDNS name on different machines: iPhone, iPad etc?

                            If they are all behind the same public IP address then sure. And you'd only need to run the client on one of them.

                            • chudak @stephenw10

                              @stephenw10 said in Allow access from Europe:

                              @chudak said in Allow access from Europe:

                              You have to put them above the pfBlocker rules as I said. Otherwise pfBlocker will obviously block that traffic first.

                              Of course, I forgot about the order of the rules!

                              @chudak said in Allow access from Europe:

                              Wonder if I can do this trick using the same DDNS name on different machines: iPhone, iPad etc?

                              If they are all behind the same public IP address then sure. And you'd only need to run the client on one of them.

                              Cool, so I will use it on iPhone, iPad; all I need is to find a good DDNS iOS client.

                              Any clues how to test it from the US?

                              • NogBadTheBad @chudak

                                @chudak my rule is for enabling ssh from the UK where I'm based so it's easy to test, I just switch the two rules on when required, otherwise they are off.

                                Andy

                                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                • NogBadTheBad @chudak

                                  @chudak said in Allow access from Europe:

                                  Any clues how to test it from the US?

                                  You could sign up to a VPN provider, create a connection to Germany, policy route a subnet hanging via the German VPN connection and then try and run your VPN connection to home over it.

                                  Andy

                                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                  • stephenw10 Netgate Administrator @chudak

                                    @chudak said in Allow access from Europe:

                                    Any clues how to test it from the US?

                                    Just run it from somewhere in the US and then try to connect. You will see states and traffic on your pass rule if it's being used. It will only be used if the dyndns is being correctly updated and resolved.

                                    • chudak @stephenw10

                                      @stephenw10 said in Allow access from Europe:

                                      Install the dyndns client on your laptop, for example. Then run the update from wherever you are. Have a rule that passes traffic from that above the pfBlocker block rules.

                                      Regarding the FW rule.

                                      I added an alias and a new rule before pfBlockerNG in the floating section.

                                      So far I see no traffic

                                      • stephenw10 Netgate Administrator

                                        Yes just use the hostname in an alias. By default pfSense resolves it every 300s. You can reduce that if required in Sys > Adv > Firewall but you probably don't need to. The TTL is often higher than that anyway.

                                        • chudak @stephenw10

                                          @stephenw10
                                          Did you actually do this kind of set up?

                                          So far I don't see it's working.

                                          Here is what I have

                                          added DDNS "full_access"
                                          added alias "full_access"
                                          added a rule on WAN interface to all protocols any destination
                                          placed the rule in the Floating above pfB rules

                                          At this point, I assume I can access all my network resources from any network from my iPhone as long as DDNS "full_access" is my iPhone IP address

                                          And it does not work so far :(

                                          • stephenw10 Netgate Administrator

                                            Check that the rule is still at the top of the list. pfBlocker can re-create its rules at the top of the list depending on how you have it set.

                                            Check the floating rule is set to quick.

                                            Make sure pfSense can resolve 'full_access' to the correct IP address.

                                            chudakC 1 Reply Last reply Reply Quote 0
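The three checks in the last reply (rule order, quick, alias resolution), worked through as an added example that is not part of the thread and is not pfSense or pfBlockerNG code: a small Python model of pf's rule evaluation applied to the "full_access" floating pass rule. The addresses, the rule labels and the assumption that the pfBlockerNG block rule is itself a quick rule are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str            # "pass" or "block"
    sources: tuple         # CIDRs standing in for a resolved alias table
    quick: bool
    label: str

def evaluate(rules, src_ip):
    """pf semantics: rules run top to bottom, the last match wins,
    and a matching `quick` rule ends evaluation immediately."""
    addr = ip_address(src_ip)
    verdict = ("block", "default deny")   # pfSense drops unmatched inbound WAN traffic
    for rule in rules:
        if any(addr in ip_network(net) for net in rule.sources):
            verdict = (rule.action, rule.label)
            if rule.quick:
                break
    return verdict

# Constructed sample values (documentation address ranges, not from the thread).
PHONE_IP = "203.0.113.25"                 # where the traveller currently is
GEO_BLOCK = Rule("block", ("203.0.113.0/24",), True, "pfB GeoIP block")  # assumed quick

def allow(table, quick=True):
    """Floating pass rule whose source is the resolved 'full_access' alias."""
    return Rule("pass", tuple(table), quick, "full_access pass")

SCENARIOS = {
    "pass above pfB, quick set":     [allow([PHONE_IP + "/32"]), GEO_BLOCK],
    "pfB re-created above the pass": [GEO_BLOCK, allow([PHONE_IP + "/32"])],
    "quick not set on the pass":     [allow([PHONE_IP + "/32"], quick=False), GEO_BLOCK],
    "alias resolves to a stale IP":  [allow(["198.51.100.7/32"]), GEO_BLOCK],
}

def run_scenarios():
    """Verdict for a connection from PHONE_IP under each rule layout."""
    return {name: evaluate(rules, PHONE_IP) for name, rules in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (action, label) in run_scenarios().items():
        print(f"{name:32} -> {action:5} ({label})")
```

Only the first layout passes the connection; each of the other three corresponds to one of the checks above, and in all of them the traffic ends up on the GeoIP block rule instead.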
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.