Hi,
As suggested, I am opening a separate thread for the above-mentioned problem.
During an HA takeover, services on the BACKUP HA partner are not available, since the GeoIP-based firewall rules block them.
Running the following scripts on the CLI
/usr/local/opnsense/scripts/filter/download_geoip.py
/usr/local/etc/rc.filter_synchronize
/usr/local/etc/rc.filter_configure
The GeoIP DB files under /usr/local/share/GeoIP/alias are updated, but the rules still allow no access to the service.
Adjusting the rules by changing the source from GeoIP to any restores access to the service, so I am sure it is related to the GeoIP-based rule.
Thanks
Rainer
I'll try to reproduce tomorrow. Just to sum up: I have an HA CARP setup, only allow incoming connections from GER, and when FO occurs I can't connect from GER, correct?
Yes. Just as an example: ICMP ping is allowed from hosts in Germany. Sync the firewall rules using XMLRPC sync, then fail over to the BACKUP HA system. Pings to the CARP virtual IP and the host IP do not get a reply.
I do not even get a PING reply on the BACKUP HA system before the failover.
What about the alias tables under /var/db/aliastables? Are you being blocked because your address is or is not in one of those (because it is not updating)? There was just a commit to address GeoIP alias tables not updating (no expiration set in config).
If your alias tables in there are not actually updating try opnsense-patch ae5692b which includes setting a default expiration of 1 day.
Firewall : Diagnostics : pfTables
Is your alias filled with content on both? On a fresh system I was missing the GeoIP folder... so something seems to be wrong.
Is your alias named like your country? I had this issue, just apply this patch:
https://github.com/opnsense/core/commit/3ef14d17e3b4f4ed38cbe8a9a3861ca5914ee59e
I checked Firewall : Diagnostics : pfTables for the GeoIP aliases - there are IP networks in those aliases.
After running
/usr/local/opnsense/scripts/filter/download_geoip.py
the files under
/usr/local/share/GeoIP/alias
are updated and contain entries. So that seems to work.
Looking at /var/db/aliastables:
root@opnsense02:/var/db/aliastables # ls -lart GeoIP_D*
-rw-r----- 1 root wheel 0 Jun 11 10:11 GeoIP_D_A_CH_RO.self.txt
-rw-r----- 1 root wheel 32 Jun 11 10:11 GeoIP_D_A_CH_RO.md5.txt
-rw-r----- 1 root wheel 0 Jun 11 10:11 GeoIP_D_A_CH_RO.txt
-rw-r----- 1 root wheel 411223 Jul 30 02:51 GeoIP_D.self.txt
-rw-r----- 1 root wheel 32 Jul 30 02:51 GeoIP_D.md5.txt
-rw-r----- 1 root wheel 411222 Jul 30 02:51 GeoIP_D.txt
-rw-r----- 1 root wheel 636862 Jul 30 02:51 GeoIP_D_A_CH_plus.self.txt
-rw-r----- 1 root wheel 32 Jul 30 02:51 GeoIP_D_A_CH_plus.md5.txt
-rw-r----- 1 root wheel 636861 Jul 30 02:51 GeoIP_D_A_CH_plus.txt
root@opnsense02:/var/db/aliastables #
These entries seem outdated, and one is even empty...
After applying patch ae5692b and running
/usr/local/etc/rc.filter_configure
the files in /var/db/aliastables are updated and now the GeoIP aliases work...
Cool!
Thanks for mentioning the patch!
Do I need to schedule /usr/local/opnsense/scripts/filter/download_geoip.py in System : Settings : Cron myself? Or is it run periodically some other way?
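A defender-side check, added here as an example and not code from OPNsense or from any post in this thread: it inspects /var/db/aliastables the way the ls output above was read by hand and reports GeoIP alias table files that are empty or older than the 1-day default expiration the patch sets. The directory, the GeoIP_*.txt naming and the 1-day threshold are assumptions taken from the listing and the patch description; the .md5.txt checksum files are skipped.

```shell
#!/bin/sh
# check_alias_tables DIR [MAX_DAYS]
#   Lists GeoIP_*.txt files in DIR (assumed layout: /var/db/aliastables)
#   that are empty or were last written more than MAX_DAYS ago.
#   Prints "EMPTY <path>" / "STALE <path>" lines and returns 1 if any were
#   found, 0 if every table is fresh and non-empty.
check_alias_tables() {
    dir=$1
    max_days=${2:-1}   # assumption: 1 day, the default expiration from the patch

    # An empty table means the alias matches nothing, so a "pass from GeoIP
    # alias" rule silently turns into "pass from nobody".
    empty=$(find "$dir" -name 'GeoIP_*.txt' ! -name '*.md5.txt' -size 0 | sort)

    # find -mtime +N matches files modified more than N full days ago, so
    # +$((max_days - 1)) catches everything at least max_days old. A table that
    # is older than the refresh interval still carries the previous content
    # even though /usr/local/share/GeoIP/alias was refreshed.
    stale=$(find "$dir" -name 'GeoIP_*.txt' ! -name '*.md5.txt' \
                 -mtime +$((max_days - 1)) | sort)

    [ -n "$empty" ] && printf 'EMPTY %s\n' $empty
    [ -n "$stale" ] && printf 'STALE %s\n' $stale
    [ -z "$empty" ] && [ -z "$stale" ]
}

# Usage on the firewall itself; skipped where the directory does not exist.
if [ -d /var/db/aliastables ]; then
    check_alias_tables /var/db/aliastables 1 \
        && echo "all GeoIP alias tables are fresh and non-empty"
fi
```

Run it on both HA members after rc.filter_configure; a non-zero exit on the BACKUP node is the condition that blocked the failover in this thread.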
Quote from: rainerle on September 05, 2019, 01:44:34 PM
Thanks for mentioning the patch!
Ad wrote it after I tried to reproduce and pinged via IRC ;)