As a test, I created an alias for Canada (also did the MaxMind setup beforehand) and created a WAN rule as seen below: WAN out, any source, destination Canada alias, IPv4+IPv6, Any protocol, Reject.
However, nothing is getting blocked. I've run a few simple tests such as going to google.ca, but so far no results.
https://i.imgur.com/QTNeOOS.png
If you want to block connections to Canada, add a rule on LAN with source LAN net, destination Canada, in direction IN.
Really, there are no real use cases for direction OUT.
Can you please elaborate on this? I thought by default, incoming connections were blocked unless explicitly permitted. Therefore, wouldn't it make sense to instead block outbound traffic?
Also, creating an outbound block rule on the LAN vs. the WAN, I don't understand how they are necessarily different. If I create an outbound block rule for 8.8.8.8 on the LAN, traffic will still have to pass through the WAN if a client wanted to try to reach 8.8.8.8, so why wouldn't a simple WAN outbound block to 8.8.8.8 suffice?
I don't understand your proposed rule. If the source is LAN net and the destination is Canada, how can the direction ever be "IN"?
I apologize for my lack of understanding, this is my first deep-dive into firewalls.
You always create rules close to the source, direction inbound. Just like the default accept rules on LAN. When you already accept there, it's too late to block outbound on WAN.
But if you deny on the WAN, it shouldn't matter that it is accepted on the LAN because it won't make it out of the WAN.
I have noticed that the default LAN accept rules are inbound, and that is what I am trying to understand. Why are they "inbound"? Wouldn't you instead want to allow any OUTBOUND traffic, and keep the implicit deny for inbound traffic?
Unless "in" means "out" and "out" means "in", this doesn't make sense to me.
Please chime in if you think you can help my understanding.
Quote from: mimugmail on December 20, 2020, 07:14:34 PM
You always create rules close to the source, direction inbound. Just like the default accept rules on LAN. When you already accept there, it's too late to block outbound on WAN.
This still stands ..
I banged my head on the wall for a while, but I finally figured it out. IN and OUT do not mean what I thought they meant. Everything is relative to the firewall, NOT the interface.
Therefore, in the correct rule to geo-block Canada, the reason the direction is "IN" is that the traffic is coming INTO the router from the LAN; it's not going out of the router to the LAN.
^^for anyone else who was struggling with IN vs OUT
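The following is an added illustration, not code from this thread or from OPNsense, of why the LAN-in rule works where the WAN-out rule did not. It is a deliberately simplified model of pf-style evaluation: rules are matched first-match (OPNsense's default "quick" behaviour), a passing packet creates a floating state, the state table is consulted on every interface before any rule, and an unmatched packet is blocked. Those simplifications, the interface names `lan`/`wan`, the hosts, and the `Canada` alias address are all assumptions for the example. Run it and compare the two results: with the OP's layout the LAN pass rule creates a state on the way in, so the WAN-out reject never sees the packet; with the suggested rule the packet is dropped at the LAN interface, closest to its source.

```python
"""Toy model of pf-style stateful rule evaluation, as used by OPNsense.

Added illustration, not OPNsense code. Assumptions: rules are evaluated
first-match (OPNsense's default "quick"), a passing packet creates a
floating state that is matched on every interface before any rule is
consulted, and an unmatched packet is blocked. Hosts and the "Canada"
alias below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str   # interface the packet enters the firewall on
    out_if: str  # interface it leaves on after routing


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str  # "in" or "out", relative to the firewall itself
    src: str        # "any", a single IP, or an alias name
    dst: str
    action: str     # "pass" or "block"


@dataclass
class Firewall:
    rules: list
    aliases: dict                              # alias name -> set of addresses
    states: set = field(default_factory=set)   # floating states, keyed (src, dst)

    def _matches(self, spec, addr):
        if spec == "any":
            return True
        return addr in self.aliases.get(spec, {spec})

    def evaluate(self, pkt, iface, direction):
        """Return the verdict for one hop (interface + direction)."""
        # The state table is consulted before the ruleset; a floating
        # state created on LAN-in therefore also matches on WAN-out.
        if (pkt.src, pkt.dst) in self.states:
            return "pass (existing state)"
        for r in self.rules:
            if (r.iface, r.direction) != (iface, direction):
                continue
            if self._matches(r.src, pkt.src) and self._matches(r.dst, pkt.dst):
                if r.action == "pass":
                    self.states.add((pkt.src, pkt.dst))
                return r.action
        return "block (default)"

    def forward(self, pkt):
        """Walk the packet through ingress then egress; report where it stops."""
        for iface, direction in ((pkt.in_if, "in"), (pkt.out_if, "out")):
            verdict = self.evaluate(pkt, iface, direction)
            if verdict.startswith("block"):
                return f"blocked on {iface} {direction}: {verdict}"
        return "delivered"


# Constructed sample data: two LAN hosts and one address standing in for the alias.
ALIASES = {"LAN net": {"192.168.1.10", "192.168.1.11"},
           "Canada": {"203.0.113.5"}}
pkt = Packet("192.168.1.10", "203.0.113.5", "lan", "wan")


def original_attempt():
    # The thread's first layout: default LAN pass plus a block on WAN, direction out.
    fw = Firewall([Rule("lan", "in", "any", "any", "pass"),
                   Rule("wan", "out", "any", "Canada", "block")], ALIASES)
    return fw.forward(pkt)


def suggested_rule():
    # Block closest to the source: on LAN, direction in, ahead of the default pass.
    fw = Firewall([Rule("lan", "in", "LAN net", "Canada", "block"),
                   Rule("lan", "in", "any", "any", "pass")], ALIASES)
    return fw.forward(pkt)


if __name__ == "__main__":
    print("WAN out block:", original_attempt())
    print("LAN in block: ", suggested_rule())
```

The model leaves out NAT, if-bound states, and OPNsense's automatic rules, so treat it as a way to reason about direction, not as a substitute for checking the live state table (`pfctl -ss`) when a rule seems to be ignored.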