OPNsense Forum

English Forums => General Discussion => Topic started by: spetrillo on May 01, 2024, 08:20:03 PM

Title: GeoIP and Maxmind
Post by: spetrillo on May 01, 2024, 08:20:03 PM
Hello all,

I am using GeoIP with Maxmind, but wanted to setup an inbound and an outbound rule, so that nothing comes in or goes out to any country that I am blocking with Maxmind. My rules are in the attachment. Do I have this right or should I be specifying the WAN port?

Thanks,
Steve
Title: Re: GeoIP and Maxmind
Post by: Patrick M. Hausen on May 01, 2024, 08:22:27 PM
Don't you have a "deny all" rule on WAN, anyway?
Title: Re: GeoIP and Maxmind
Post by: spetrillo on May 01, 2024, 08:26:51 PM
It looks like I do, so then is GeoIP only used outbound from my environment? I thought it also blocks me from anything hitting me from the blocked countries.

Title: Re: GeoIP and Maxmind
Post by: Patrick M. Hausen on May 01, 2024, 09:20:46 PM
How can anything hit you if "deny all" is already in place?

Inbound GeoIP is useful if you have publicly accessible services. You can then use GeoIP in those rules.

But "more deny than deny all" is simply not possible. The packets are dropped. End of story.
Title: Re: GeoIP and Maxmind
Post by: spetrillo on May 01, 2024, 10:12:30 PM
I have publicly accessible websites, so I figured I would use Maxmind to limit where I get hits from.

Do I only need the inbound rule or can I use both the inbound and outbound rule?
Title: Re: GeoIP and Maxmind
Post by: Patrick M. Hausen on May 01, 2024, 10:19:16 PM
Yes, sure.

So outbound GeoIP restrictions go on LAN - or any other internal interface, direction "in", then e.g. a destination invert and an alias that contains all the countries you want to block. Or without the invert an alias containing the countries you want to allow.

For inbound it depends if you have a firewall rule on WAN or a NAT port forward for these publicly accessible web services. Anyway the restriction goes on that rule, interface WAN, direction "in" again.

You hardly ever need "out" rules in OPNsense. The direction from a birds eye view is decided by the placement of the rule on a particular interface. Anything "from the Internet inbound" is WAN and "in". Anything "to the Internet outbound" is LAN (and OPT1, OPT2, ... if applicable) and "in".
Title: Re: GeoIP and Maxmind
Post by: spetrillo on May 01, 2024, 11:03:46 PM
Ok so this is how I have my rules setup...

My whitelist of IPs is first. Then I block all countries I do not want to see knocking on my door. Then I allow access to my websites. I think this is the right order. The whitelist is first because there are IPs that I want to allow but are in countries I do not want to allow.
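The two posts above describe rule placement (WAN "in" for inbound, LAN "in" with a destination invert for outbound) and the order whitelist, GeoIP block, allow websites. The following is an added example, not OPNsense code and not from either poster: a small Python model of first-match ("quick") rule evaluation over those rule sets. The country alias prefixes, the whitelisted host and the web server address are constructed documentation addresses standing in for real MaxMind data; the dataclass and function names are this example's own.

```python
"""First-match model of the GeoIP rule layout discussed in the thread.

Added example, not OPNsense's own code. The alias contents, hosts and
rule names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed GeoIP alias: RFC 5737 documentation prefixes stand in for
# MaxMind country ranges. "XX" and "YY" are hypothetical blocked countries.
GEO = {
    "XX": [ipaddress.ip_network("203.0.113.0/24")],
    "YY": [ipaddress.ip_network("198.51.100.0/24")],
}
BLOCKED_COUNTRIES = GEO["XX"] + GEO["YY"]
WHITELIST = [ipaddress.ip_network("203.0.113.10/32")]  # allowed host that sits inside "XX"
WEBSERVER = [ipaddress.ip_network("192.0.2.80/32")]    # hypothetical public web host


@dataclass
class Rule:
    interface: str
    action: str                       # "pass" or "block"
    src: Optional[list] = None        # None means "any"
    dst: Optional[list] = None
    dport: Optional[int] = None
    src_invert: bool = False          # the "invert" checkbox: match when NOT in the alias
    dst_invert: bool = False
    direction: str = "in"             # as the thread says, "out" rules are rarely needed


@dataclass
class Packet:
    interface: str
    direction: str
    src: str
    dst: str
    dport: int


def _in_alias(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule only applies on its own interface and direction; every
    specified field must match, with invert flipping the alias test."""
    if (rule.interface, rule.direction) != (pkt.interface, pkt.direction):
        return False
    if rule.src is not None and _in_alias(pkt.src, rule.src) == rule.src_invert:
        return False
    if rule.dst is not None and _in_alias(pkt.dst, rule.dst) == rule.dst_invert:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: list, pkt: Packet):
    """OPNsense rules are 'quick' by default: the first matching rule decides.
    A packet matching no rule falls through to the implicit default deny,
    which is why nothing can be 'more denied' than that."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "block", None


# Inbound: whitelist first, then the GeoIP block, then allow the websites.
WAN_RULES = [
    Rule("wan", "pass", src=WHITELIST, dst=WEBSERVER, dport=443),
    Rule("wan", "block", src=BLOCKED_COUNTRIES),
    Rule("wan", "pass", dst=WEBSERVER, dport=443),
]
# Outbound, on LAN direction "in": pass to any destination NOT in the blocked
# alias (destination invert); everything else hits the implicit deny.
LAN_RULES = [
    Rule("lan", "pass", dst=BLOCKED_COUNTRIES, dst_invert=True),
]
RULES = WAN_RULES + LAN_RULES

# The same three WAN rules with the GeoIP block placed before the whitelist.
WRONG_ORDER = [WAN_RULES[1], WAN_RULES[0], WAN_RULES[2]]


if __name__ == "__main__":
    samples = [
        ("blocked country to web", RULES, Packet("wan", "in", "203.0.113.5", "192.0.2.80", 443)),
        ("whitelisted host in blocked country", RULES, Packet("wan", "in", "203.0.113.10", "192.0.2.80", 443)),
        ("other country to web", RULES, Packet("wan", "in", "192.0.2.7", "192.0.2.80", 443)),
        ("other country to ssh (no rule)", RULES, Packet("wan", "in", "192.0.2.7", "192.0.2.80", 22)),
        ("LAN host to blocked country", RULES, Packet("lan", "in", "10.0.0.5", "198.51.100.9", 443)),
        ("LAN host to elsewhere", RULES, Packet("lan", "in", "10.0.0.5", "192.0.2.7", 443)),
        ("whitelisted host, wrong order", WRONG_ORDER, Packet("wan", "in", "203.0.113.10", "192.0.2.80", 443)),
    ]
    for label, rules, pkt in samples:
        print(f"{label:40s} -> {evaluate(rules, pkt)}")
```

Swapping the whitelist and the GeoIP block (the `WRONG_ORDER` list) shows why the whitelist has to come first: once the block rule matches, the later pass rule is never consulted. The LAN rule mirrors the "destination invert" layout from the post; dropping the invert and pointing the rule at an allow-list alias gives the other variant described there.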
Title: Re: GeoIP and Maxmind
Post by: Patrick M. Hausen on May 01, 2024, 11:22:51 PM
Looks good. For a test put your own country in that block list and try to access via mobile phone or similar ...