I have just started using OPNsense 19.7.
On the file system, these directories do not yet exist:
/usr/local/share/GeoIP/
/usr/local/share/GeoIP/alias
I have located the following script which should download and install Geoip tables:
/usr/local/opnsense/scripts/filter/lib/geoip.py
Questions:
1. Is there a way to install geoip from the UI?
2. What is the preferred way to install geoip? Should I simply run the above script from the command line?
3. Are there other pre- or post-installation steps required?
GeoIP is via Firewall: Aliases. Create a new alias as GeoIP type, select the required countries and use the alias in your firewall rules. That's it, no console magic involved.
Cheers,
Franco
I can create the Firewall Aliases using the type "Geoip".
The problems are:
1. The Geoip firewall rules are not functioning
2. As far as I can tell, Geoip is not truly installed in the sense that these directories are empty:
/usr/local/share/GeoIP/
/usr/local/share/GeoIP/alias
What is the best way to launch the geoip installation script?
Hmm, if you create an alias and the pftable for it gets populated (save and APPLY on Alias page in GUI) I don't see any reason why the fw rules based on the alias should not work (for you) :-)
I'm having an issue along these same lines. I created an alias for countries I want to block and have an associated rule to block traffic from that alias.
When I reconfigure the firewall, I'm getting the following error in my logs:
configd.py: encode idna: unable to decode AO BF BI BJ BW CD CF CG CI CM DJ DZ EG EH ER ET GA GH GM GN GQ GW KE LR LS LY MA ML MR MW MZ NA NE NG RW SD SL SN SO SS ST SZ TD TG TN TZ UG ZA ZM ZW, return source
This seems to be new as of 19.7.6. I'm interpreting this error (from the backend logs) to mean that OPNsense is unable to process the alias and that the firewall rule is not effective.
Brian
On 19.7.6 here, too. The Alias is populated and related domains are blocked... Apparently working as expected.
I have a similar scenario and wanted to ask this.
I have a port forward set up to my DVR. I want to block all countries except the US. I set up the alias and appropriate firewall rule.
In my firewall rule, do I put the destination with my local LAN DVR address?
How do I verify that this is being done/blocked?
Quote from: Mundan101 on November 14, 2019, 10:07:49 PM
I have a similar scenario and wanted to ask this.
I have a port forward set up to my DVR. I want to block all countries except the US. I set up the alias and appropriate firewall rule.
In my firewall rule, do I put the destination with my local LAN DVR address?
How do I verify that this is being done/blocked?
The GeoIP Alias should be the destination. So source: LAN Net and Destination GeoIP Alias.
You can check this is working by enabling logging on the rule.